Hi,

On Tue, Dec 13, 2022 at 10:37:32PM +0100, Gert Doering wrote:
> I've managed to break p2p TLS again... not sure how I did this, but
> anyway.

I now have a better theory. I was not able to make OpenVPN on Linux-DCO ASSERT(), but it gets confused all the same.

So, the server side of this is

 - tls-server, proto udp
 - ping 10, ping-restart 30 (though this seems to do exactly nothing here(!))
 - server-poll-timeout 3600
 - reneg-sec 300

then:

 - connect client, ping works
 - client disconnects, no EEN
 - after 300 seconds, tls-server goes into "renegotiate! really!", which does not work (client is gone)
 - left alone, after "server poll timeout", tls-server SIGUSR1s itself, and after that, things work again
 - but if a client reconnects in this "renegotiate!" phase, the server gets really confused about key management - you have to reconnect multiple times(!!) to make it really confused.

I have not managed to crash the Linux DCO tls-server, but have managed to get kernel messages like these:

Dec 14 08:34:21 ubuntu2004 kernel: [23402053.659404] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)
Dec 14 08:34:21 ubuntu2004 kernel: [23402053.896938] ovpn_udp_encap_recv: received data from unknown peer (id: 9537857)

and then

Dec 14 08:34:45 ubuntu2004 kernel: [23402077.345995] ovpn_encrypt_one: error while retrieving primary key slot
Dec 14 08:34:45 ubuntu2004 kernel: [23402077.356330] ovpn_encrypt_one: error while retrieving primary key slot
...

I guess that in this state, FreeBSD returns something that makes userland ASSERT(), but Linux isn't a happy camper either.

gert

PS: why is ping/ping-restart not working here...? It should have abandoned the session way before it entered the reneg-sec dance - ISTR that Richard has an open bug on this.

-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel