On 22-Apr-14 08:08, George Ross wrote:
> > This looks superficially like the problem that I reported in
> > https://community.openvpn.net/openvpn/ticket/385#comment:5
> >
> > If you are able to rebuild from source, comment 5 has a 4 line patch that works for me.
>
> That doesn't apply for me. If I re-work it, there's a different error logged: "TLS_ERROR: BIO read tls_read_plaintext error: error:140C5042:SSL routines:SSL_UNDEFINED_FUNCTION:called a function you should not call: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure".
>
> > Are you running a pre-built (RPM, etc) version of the server - if so, which one?
>
> We build our own RPMs for openvpn. We have done since about 2003.
>
> > What Linux distribution are you running?
>
> SL6.4.
>
> > What version of OpenSSL are you running?
>
> openssl-1.0.1e-16.el6_5.7.x86_64 (i.e. the latest patched version).
>
> --
> George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
> School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
> Mail: g...@inf.ed.ac.uk Voice: 0131 650 5147 Fax: 0131 650 6899
> PGP: 1024D/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.

I would have expected either no change, or a positive one. This new error is odd - it indicates a call to a stubbed-out library entry point; usually this is a mismatched version of the sharable library.
FWIW, I'm running OpenSSL openssl_1.0.1e-2+rvt+deb7u6 (Debian, ARM), so we should be close on that front.
There is no guarantee that we are seeing the same issue, of course. Sorry if this was a false trail; the server seems to be the cause, but the logging is inadequate.
My change was against the OpenVPN git master, though I had the same issue with 2.3.3. There have been development changes to git-master since, which I haven't tracked.
To make sure that you re-worked the same place, I checked the 2.3.3 sources, and the code is the same. The changes go in tls_ctx_server_new() and tls_ctx_client_new(). If that's what you did, something else is different between the releases, & I'll leave you in the hands of the developers as I require some things not in 2.3.3 & have moved on.
Here are the full, patched functions:

    void
    tls_ctx_server_new(struct tls_root_ctx *ctx)
    {
      ASSERT(NULL != ctx);

      ctx->ctx = SSL_CTX_new (TLSv1_server_method ());

      if (ctx->ctx == NULL)
        msg (M_SSLERR, "SSL_CTX_new TLSv1_server_method");
    }

    void
    tls_ctx_client_new(struct tls_root_ctx *ctx)
    {
      ASSERT(NULL != ctx);

      ctx->ctx = SSL_CTX_new (TLSv1_client_method ());

      if (ctx->ctx == NULL)
        msg (M_SSLERR, "SSL_CTX_new TLSv1_client_method");
    }

Good luck.
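The error strings quoted in this thread carry packed OpenSSL error codes that can be decoded when triaging a handshake failure. The following is an added example, not code from the original message or from OpenVPN; it assumes the OpenSSL 1.0.x code layout, and `parse_error_queue` and `struct ossl_err` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenSSL 1.0.x error code layout (ERR_PACK in err.h):
 * bits 31-24 library, bits 23-12 function, bits 11-0 reason. */
struct ossl_err {
    unsigned long code;
    int lib, func, reason;  /* lib 20 (0x14) is ERR_LIB_SSL */
    int generic;            /* reason <= 99: generic ERR_R_* reason */
};

/* Decode every "error:XXXXXXXX:" token in a log line into out[].
 * Returns the number of entries written (at most max). */
int parse_error_queue(const char *line, struct ossl_err *out, int max)
{
    int n = 0;
    const char *p = line;
    while (n < max && (p = strstr(p, "error:")) != NULL) {
        p += strlen("error:");
        /* Exactly eight hex digits then ':'; skips the bare word "error:". */
        if (strspn(p, "0123456789abcdefABCDEF") != 8 || p[8] != ':')
            continue;
        out[n].code = strtoul(p, NULL, 16);
        out[n].lib = (int)((out[n].code >> 24) & 0xff);
        out[n].func = (int)((out[n].code >> 12) & 0xfff);
        out[n].reason = (int)(out[n].code & 0xfff);
        out[n].generic = out[n].reason <= 99;
        n++;
        p += 8;
    }
    return n;
}

/* The log line quoted in this thread. */
static const char *SAMPLE = "TLS_ERROR: BIO read tls_read_plaintext error: "
    "error:140C5042:SSL routines:SSL_UNDEFINED_FUNCTION:called a function you should not call: "
    "error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure";

int main(void)
{
    struct ossl_err e[4];
    int n = parse_error_queue(SAMPLE, e, 4);
    for (int i = 0; i < n; i++)
        printf("%08lX lib=%d func=%d reason=%d%s\n", e[i].code, e[i].lib,
               e[i].func, e[i].reason, e[i].generic ? " generic" : "");
    return 0;
}
```

The first entry decodes to a generic reason (66) rather than an SSL-specific one, while the second is the SSL library's own handshake-failure reason (229).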