Hi,

On Tue, Dec 13, 2022 at 10:37:32PM +0100, Gert Doering wrote:
> I've managed to break p2p TLS again...  not sure how I did this, but
> anyway.

I now have a better theory.  I was not able to make OpenVPN on Linux-DCO
ASSERT(), but it gets confused all the same.

So, the server side of this is
 
  - tls-server, proto udp 
  - ping 10, ping-restart 30
    (though this seems to do exactly nothing here(!))
  - server-poll-timeout 3600
  - reneg-sec 300

then:

  - connect client, ping works
  - client disconnects, no EEN
  - after 300 seconds, tls-server goes into "renegotiate! really!", which
    does not work (client is gone)
     - left alone, after "server poll timeout", tls-server SIGUSR1s itself,
       and after that, things work again
  - but if a client reconnects in this "renegotiate!" phase, the server
    gets really confused about key management - you have to reconnect multiple
    times(!!) to make it really confused.
    I have not managed to crash the linux DCO tls-server, but have managed 
    to get kernel messages like these:

Dec 14 08:34:21 ubuntu2004 kernel: [23402053.659404] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)
Dec 14 08:34:21 ubuntu2004 kernel: [23402053.896938] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)

and then

Dec 14 08:34:45 ubuntu2004 kernel: [23402077.345995] ovpn_encrypt_one: error while retrieving primary key slot
Dec 14 08:34:45 ubuntu2004 kernel: [23402077.356330] ovpn_encrypt_one: error while retrieving primary key slot

... I guess that in this state, FreeBSD returns something that makes
userland ASSERT(), but Linux isn't a happy camper either.

gert


PS: why is ping/ping-restart not working here...?   It should have
abandoned the session way before it entered the reneg-sec dance - ISTR
that Richard has an open bug on this.

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

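Not part of Gert's mail: an added Python example that parses the ovpn-dco kernel messages quoted above (re-joined onto one line each, on the assumption that the mail client wrapped them) and counts how many "primary key slot" errors follow the first "unknown peer" report for each peer id, so an operator can spot this confused-key-management state in syslog. The syslog/kernel prefix regex, the 60-second window and the sample lines are assumptions.

```python
import re

# Constructed sample lines, modelled on the kernel messages quoted in the mail
# but re-joined onto one line each (the mail client wrapped them); the third
# line is an unrelated kernel message added to show that it is ignored.
SAMPLE_LOG = """\
Dec 14 08:34:21 ubuntu2004 kernel: [23402053.659404] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)
Dec 14 08:34:21 ubuntu2004 kernel: [23402053.896938] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)
Dec 14 08:34:30 ubuntu2004 kernel: [23402062.100000] e1000: eth0 NIC Link is Up
Dec 14 08:34:45 ubuntu2004 kernel: [23402077.345995] ovpn_encrypt_one: error while retrieving primary key slot
Dec 14 08:34:45 ubuntu2004 kernel: [23402077.356330] ovpn_encrypt_one: error while retrieving primary key slot
"""

# Syslog prefix + kernel uptime stamp + "ovpn_<func>: <message>" (assumed format).
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: \[(?P<uptime>[\d.]+)\] "
    r"(?P<func>ovpn_\w+): (?P<msg>.*)$"
)
PEER_RE = re.compile(r"unknown peer \(id: (?P<id>\d+)\)")


def parse_ovpn_kernel_lines(text):
    """Return (uptime_seconds, function, message, peer_id or None) per ovpn_* line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ovpn-dco kernel message
        peer = PEER_RE.search(m.group("msg"))
        peer_id = int(peer.group("id")) if peer else None
        events.append((float(m.group("uptime")), m.group("func"), m.group("msg"), peer_id))
    return events


def key_slot_errors_after_unknown_peer(events, window=60.0):
    """Map each peer id from 'unknown peer' messages to the number of ovpn_encrypt_one
    'primary key slot' errors logged within `window` seconds after that id was first
    reported; a non-zero count is the sequence seen in the mail."""
    first_seen = {}
    for uptime, func, _msg, peer in events:
        if func == "ovpn_udp_encap_recv" and peer is not None:
            first_seen.setdefault(peer, uptime)
    counts = {}
    for peer, t0 in first_seen.items():
        counts[peer] = sum(
            1 for uptime, func, msg, _p in events
            if func == "ovpn_encrypt_one" and "primary key slot" in msg
            and t0 <= uptime <= t0 + window
        )
    return counts
```

Running `key_slot_errors_after_unknown_peer(parse_ovpn_kernel_lines(SAMPLE_LOG))` on the sample yields `{9537857: 2}`, i.e. two key-slot failures within a minute of the stale peer's traffic.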

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
