>> After I figured out where we went wrong, I filed:
>> 26336744 Solaris specific cleanup code breaks gcm_aes for, e.g., openvpn
>> which has now been fixed in oracle solaris-userland on GitHub
>> https://github.com/oracle/solaris-userland/tree/master/components/openssl
>
>Cool, thanks a lot!
>
>> I cannot say exactly when it will be in Solaris 11.3 SRU (patch) release.
>> Current workaround is disabling AES-GCM for openvpn but that should not be
>> needed in the future.
>
>Is there a way to reliably detect this issue from a test program (or by
>looking at system versions, like "uname")?  It might be worth adding a
>configure test so users won't run into it ("AES-GCM disabled due to
>bug 26336744 in Solaris OpenSSL").

Well, t_lpback would fail but that is late as then you would have 
configured and compiled openvpn.

This bug exists in Solaris 11.2 FCS.  Older versions, as you have seen, do 
not have GCM support so you would not find the bug.

The best way to find the installed Solaris version in Solaris 11 and later 
is "pkg list entire"; this will print:

NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.3.22.0.3.0    i--

The actual string is pretty much an "historical accident" but the 
important bits are: 0.5.11-0.175.*3*.*22*.0.3.0

The first three is the minor version (11.*3*) and the *22* is the 
installed SRU.

For now, I think for Solaris 11+ we should disable gcm which I currently 
do by hand by changing

        #define HAVE_AEAD_CIPHER_MODES 1 
to
        #undef HAVE_AEAD_CIPHER_MODES

Casper
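
An added example, not part of the original message or of OpenVPN's configure script: a POSIX sh sketch of the version check discussed above, which pulls the minor version and SRU out of "pkg list entire" output and flags 11.2 and later as affected. The function names and the decision strings are assumptions made for illustration, and the sample input is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Constructed sample: "pkg list entire" output as quoted in the message above.
SAMPLE_PKG_OUTPUT='NAME (PUBLISHER)                                  VERSION                    IFO
entire                                            0.5.11-0.175.3.22.0.3.0    i--'

# solaris_minor_sru (hypothetical helper): reads "pkg list entire" output on
# stdin and prints "<minor> <sru>", e.g. "3 22" for 0.5.11-0.175.3.22.0.3.0.
# Exits non-zero when no "entire" line with that layout is present.
solaris_minor_sru() {
    awk '$1 == "entire" {
        for (i = 2; i <= NF; i++) if ($i ~ /^[0-9.]+-[0-9.]+$/) {
            split($i, half, "-")            # "0.5.11" and "0.175.3.22.0.3.0"
            n = split(half[2], f, ".")      # f[3] = minor, f[4] = SRU
            if (n >= 4 && f[3] != "" && f[4] != "") { print f[3], f[4]; ok = 1 }
            exit
        }
    }
    END { exit(ok ? 0 : 1) }'
}

# gcm_decision (hypothetical helper): takes the minor version of Solaris 11.
# The message says the bug exists from 11.2 FCS and that older releases have
# no GCM support; no fixed SRU is named, so every 11.2+ system is flagged.
gcm_decision() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    if [ "$1" -ge 2 ]; then
        echo disable-gcm
    else
        echo no-gcm-support
    fi
}

# Demo on the constructed sample; on a real system pipe in `pkg list entire`.
set -- $(printf '%s\n' "$SAMPLE_PKG_OUTPUT" | solaris_minor_sru)
echo "Solaris 11.$1 SRU $2: $(gcm_decision "$1")"
```

The SRU number is extracted but not used in the decision, so a threshold can be added once the SRU carrying the fix is known.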
