Your message dated Fri, 07 Dec 2018 20:45:17 +0000
with message-id <[email protected]>
and subject line Bug#910937: fixed in openvpn 2.4.0-6+deb9u3
has caused the Debian Bug report #910937,
regarding openvpn: AED decrypt error between 2 Debian stretch server when client server was restarted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
910937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910937
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.4.0-6+deb9u2
Severity: normal

Dear Maintainer,

2 servers are connected in tun mode, both running stable version.

After a kernel upgrade we reboot the master server, 1/2 hour or more after the client one when the master already rebooted and the client correctly reopened the VPN link. This is where the problem arises.

To solve the problem we have to restart master openvpn daemon.

On the client side we have in logs:

Sat Oct 13 17:17:17 2018 Initialization Sequence Completed
Sat Oct 13 17:17:21 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:26 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:31 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:35 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:36 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:37 2018 NOTE: --mute triggered...

On the server side:

Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: Received control message: 'PUSH_REQUEST'
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 SENT CONTROL [kumquat]: 'PUSH_REPLY,route 10.0.70.0 255.255.255.0,route 10.2.70.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.12.0 255.255.255.0,topology p2p,ping 10,ping-restart 120,ifconfig 10.99.0.54 10.99.0.49,peer-id 0' (status=1)
Sat Oct 13 17:17:18 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:19 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:30 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:31 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:32 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:33 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:44 2018 kumquat/xx.xx.xx.138:1194 NOTE: --mute triggered...

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u4
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u2
pn  resolvconf  <none>

-- Configuration Files:
/etc/default/openvpn changed:
AUTOSTART="mango"
OPTARGS=""
OMIT_SENDSIGS=0

/etc/openvpn/update-resolv-conf changed:
[ -x /sbin/resolvconf ] || exit 0
case $script_type in
up)
	for optionname in ${!foreign_option_*} ; do
		option="${!optionname}"
		echo $option
		part1=$(echo "$option" | cut -d " " -f 1)
		if [ "$part1" == "dhcp-option" ] ; then
			part2=$(echo "$option" | cut -d " " -f 2)
			part3=$(echo "$option" | cut -d " " -f 3)
			if [ "$part2" == "DNS" ] ; then
				IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
			fi
			if [ "$part2" == "DOMAIN" ] ; then
				IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
			fi
		fi
	done
	R=""
	for SS in $IF_DNS_SEARCH ; do
		R="${R}search $SS
"
	done
	for NS in $IF_DNS_NAMESERVERS ; do
		R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
	;;
down)
	/sbin/resolvconf -d "${dev}.inet"
	;;
esac

-- debconf information:
  openvpn/create_tun: false
--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.4.0-6+deb9u3

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sun, 14 Oct 2018 22:55:44 +0200
Source: openvpn
Binary: openvpn
Architecture: source
Version: 2.4.0-6+deb9u3
Distribution: stretch
Urgency: medium
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 openvpn - virtual private network daemon
Closes: 909430 910937
Changes:
 openvpn (2.4.0-6+deb9u3) stretch; urgency=medium
 .
   * Fix NCP behaviour on TLS reconnect, causing "AEAD Decrypt error: cipher
     final failed" errors (Closes: #909430, #910937)
--- End Message ---
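
A triage check for the server-side signature shown in this report, as an added example (not part of the bug thread and not OpenVPN code): it flags peers whose NCP request was ignored and that then logged AEAD decrypt errors. The sample log is constructed from the lines quoted in the report plus an invented `lychee` peer; `find_ncp_reconnect_failures` and `min_errors` are hypothetical names.

```python
import re

# Constructed sample, modelled on the server-side lines quoted in the report;
# the "lychee" peer is invented to show a peer that must not be flagged.
SAMPLE_LOG = """\
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: Received control message: 'PUSH_REQUEST'
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
Sat Oct 13 17:17:18 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:19 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:20 2018 lychee/xx.xx.xx.77:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:44 2018 kumquat/xx.xx.xx.138:1194 NOTE: --mute triggered...
"""

# ctime-style timestamp, then "<common name>/<address>:<port>", then the message.
LINE_RE = re.compile(
    r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} (?P<peer>[^\s/]+/\S+:\d+) (?P<msg>.*)$"
)
NCP_IGNORED = "server has already generated data channel keys, ignoring client request"
AEAD_ERROR = "AEAD Decrypt error: cipher final failed"
MUTE_NOTE = "NOTE: --mute triggered"


def find_ncp_reconnect_failures(log_text, min_errors=2):
    """Return {peer: (error_count, muted)} for peers whose NCP request was
    ignored and that afterwards logged at least min_errors AEAD errors.
    muted=True means --mute suppressed later lines, so the count is a floor."""
    state = {}  # peer -> [errors since the ignored NCP request, muted flag]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # client-side or unrelated line without a peer prefix
        peer, msg = m.group("peer"), m.group("msg")
        if NCP_IGNORED in msg:
            state[peer] = [0, False]  # start counting from this reconnect
        elif peer in state:
            if msg.startswith(AEAD_ERROR):
                state[peer][0] += 1
            elif msg.startswith(MUTE_NOTE):
                state[peer][1] = True
    return {p: (n, muted) for p, (n, muted) in state.items() if n >= min_errors}


if __name__ == "__main__":
    for peer, (count, muted) in find_ncp_reconnect_failures(SAMPLE_LOG).items():
        note = " or more (log muted)" if muted else ""
        print(f"{peer}: {count}{note} AEAD decrypt errors after ignored NCP request")
```
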

