On 08/05/17 17:26, Farkas Levente wrote:
> hi,
> after we upgrade our servers and client to 2.4.1 we detect many
> regressions.
>

Please, can we have these issues handled in *ONE* place?

You already opened this trac ticket:
<https://community.openvpn.net/openvpn/ticket/886>

And that's where we've started to respond.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

> - first was that with this the server no longer works and the server
> restart fails after upgrade. imho it's not a safe behavior. but it was
> easy to fix at least.
> script-security 2 system
>
> - then the new systemd unit files (ie openvpn-server and openvpn-client)
> are not working. ie if i move all the config files from /etc/openvpn to
> /etc/openvpn/server then the server fails to start. and i still have not found
> any other solution than moving back the config files. i opened a bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1446795
> 
> - but the most annoying one is that if the server runs and a client is
> already connected but the client reboots then in most cases it's not able
> to reconnect. on the server log we see this error message:
> 
> Sun May  7 23:46:57 2017 .. PUSH: client wants to negotiate cipher
> (NCP), but server has already generated data channel keys, ignoring
> client request
> Sun May  7 23:46:57 2017 ... AEAD Decrypt error: cipher final failed
> Sun May  7 23:47:02 2017 ... AEAD Decrypt error: cipher final failed
> 
> but if i restart the server then everything works perfectly and the
> clients can reconnect.
> relevant part of the server config:
> 
> proto udp
> dev-type tun
> dev vpn-udp
> 
> remote-cert-tls client
> cipher                AES-256-CBC
> auth          SHA256
> tls-cipher
> TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> 
> topology subnet
> client-to-client
> comp-lzo no
> persist-tun
> persist-key
> persist-local-ip
> keepalive 10 120
> push "comp-lzo no"
> push "persist-tun"
> push "persist-key"
> 
> nobody has the same problems?
> thanks
> 



