>> After I figured out where we went wrong, I filed:
>> 26336744 Solaris specific cleanup code breaks gcm_aes for, e.g., openvpn
>> which has now been fixed in oracle solaris-userland on git hub
>> https://github.com/oracle/solaris-userland/tree/master/components/openssl
>
>Cool, thanks a lot!
>
>> It cannot say exactly when it will be in Solaris 11.3 SRU (patch) release.
>> Current workaround is disabling AES-GCM for openvpn but that should not be
>> needed in the future.
>
>Is there a way to reliably detect this issue from a test program (or by
>looking at system versions, like "uname")? It might be worth adding a
>configure test so users won't run into it ("AES-GCM disabled due to
>bug 26336744 in Solaris OpenSSL").

Well, t_lpback would fail but that is late as then you would have
configured and compiled openvpn.

This bug exists in Solaris 11.2 FCS. Older versions, as you have seen,
do not have GCM support so you would not find the bug.

The best way to find the installed Solaris version in Solaris 11 and
later is "pkg list entire"; this will print:

NAME (PUBLISHER)     VERSION                    IFO
entire               0.5.11-0.175.3.22.0.3.0    i--

The actual string is pretty much an "historical accident" but the
important bits are:

    0.5.11-0.175.*3*.*22*.0.3.0

The first three is the minor version (11.*3*) and the *22* is the
installed SRU.

For now, I think for Solaris 11+ we should disable gcm which I currently
do by hand by changing

    #define HAVE_AEAD_CIPHER_MODES 1

to

    #undef HAVE_AEAD_CIPHER_MODES

Casper
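
The version check described in the message above, sketched as an added example (not part of the original thread and not OpenVPN's configure code). The function names are hypothetical, the version layout is assumed to match the single sample string in the message, and because the message does not say which SRU carries the fix, no SRU is treated as fixed.

```shell
#!/bin/sh
# Constructed sample of `pkg list entire` output, taken from the message above.
SAMPLE_PKG_LIST='NAME (PUBLISHER)     VERSION                    IFO
entire               0.5.11-0.175.3.22.0.3.0    i--'

# Read `pkg list entire` output on stdin, print the version of the "entire" row.
# Scans the row for the version-shaped field so an extra column does not shift it.
entire_version() {
    awk '$1 == "entire" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9.]+-[0-9.]+$/) { print $i; exit }
    }'
}

# Split a version such as 0.5.11-0.175.3.22.0.3.0 into "<minor> <sru>".
# Returns 1 when the string does not have the 0.175.<minor>.<sru> layout.
solaris_minor_sru() {
    branch=${1#*-}                       # text after the dash: 0.175.3.22.0.3.0
    case $branch in
        *[!0-9.]*) return 1 ;;           # only digits and dots are expected
        0.175.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $branch                       # $3 = minor version, $4 = installed SRU
    IFS=$old_ifs
    echo "$3 $4"
}

# Exit status 0: the AES-GCM workaround should be applied.
# Exit status 1: release predates 11.2 (no GCM support, per the message).
# Exit status 2: version string not understood.
# Assumption: the fixed SRU is unknown, so every 11.2+ system counts as affected.
gcm_workaround_needed() {
    fields=$(solaris_minor_sru "$1") || return 2
    minor=${fields% *}
    [ "$minor" -ge 2 ]
}

v=$(printf '%s\n' "$SAMPLE_PKG_LIST" | entire_version)
if gcm_workaround_needed "$v"; then
    echo "AES-GCM workaround needed (entire $v, minor/SRU: $(solaris_minor_sru "$v"))"
fi
```

On a real system the input would come from `pkg list entire` instead of the embedded sample.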