Hi,

On Mon, May 25, 2020 at 07:00:49PM +0200, Aleksandar Ivanisevic wrote:
> every time I restart the server (2.4.7 from debian 10.4) I see weird floating
> requests, e.g.
>
> May 22 19:27:52 qbs01 openvpn[16384]: Float requested for peer 1 to
> 1.2.3.4:5002
>
> followed immediately by
>
> May 22 19:27:52 server openvpn[16384]: TLS Error: local/remote TLS keys are
> out of sync: [AF_INET]5.6.7.8:9249 (via [AF_INET]192.168.2.3%vdsl) [6]
Everything before 2.4.9 would erroneously accept a packet with a given peer-id
as "floating" for the client that previously had that peer-id (peer-ids are
dynamic, so it depends on who connects in which order).

This cannot be used to steal traffic, as it only happens if there are no valid
session keys yet (this is what made it *skip* the "does the float packet pass
HMAC?" check...), but afterwards, key handshake fails - so what it does is
"break the session for the client with that peer-id", which is annoying enough.

2.4.9 (and git master) have a patch for it. I'd hope that distributions will
backport the patch (f7b318f811bb43c0, CVE-2020-11810) as it is trivial enough
and fixes a serious annoyance.

gert

--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
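The symptom Gert describes has a recognisable log signature: a "Float requested for peer N" line followed almost immediately by a "local/remote TLS keys are out of sync" error from the same openvpn process. The script below is an added example, not code from the thread or from the OpenVPN project, that scans syslog-style OpenVPN output for exactly that pairing so an operator on a pre-2.4.9 build can tell how often sessions are being broken this way. The sample log lines are constructed here, modelled on the two lines quoted above (with one hostname used throughout); the 2-second pairing window, the year supplied for the year-less syslog timestamps, and the "most recent float from this pid" attribution are assumptions of this example, not behaviour documented anywhere in the thread.

```python
import re
from datetime import datetime, timedelta

# Syslog-style OpenVPN lines, as quoted in the thread (no year in the timestamp).
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FLOAT_RE = re.compile(
    rf"^{_TS} (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: "
    r"Float requested for peer (?P<peer>\d+) to (?P<addr>\S+)$"
)
OUTOFSYNC_RE = re.compile(
    rf"^{_TS} (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: "
    r"TLS Error: local/remote TLS keys are out of sync: "
    r"\[AF_INET\](?P<addr>[\d.]+:\d+)"
)

# Constructed sample log (hypothetical): one legitimate roaming float (peer 3),
# the float/out-of-sync pair quoted in the thread (peer 1), and a float for
# peer 7 whose key error arrives 90 s later and so is not attributed to it.
SAMPLE_LOG = """\
May 22 19:27:50 qbs01 openvpn[16384]: Float requested for peer 3 to 10.8.0.5:1194
May 22 19:27:52 qbs01 openvpn[16384]: Float requested for peer 1 to 1.2.3.4:5002
May 22 19:27:52 qbs01 openvpn[16384]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]5.6.7.8:9249 (via [AF_INET]192.168.2.3%vdsl) [6]
May 22 19:28:40 qbs01 openvpn[16384]: Float requested for peer 7 to 203.0.113.9:40001
May 22 19:30:10 qbs01 openvpn[16384]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.9:40001 (via [AF_INET]192.168.2.3%vdsl) [6]
"""


def _parse_ts(text, year):
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bogus_floats(lines, window=timedelta(seconds=2), year=2020):
    """Return one finding per 'Float requested' line that is followed, within
    `window`, by a keys-out-of-sync error from the same openvpn process.

    Attribution is a heuristic: only the most recent float seen for a given
    pid is considered, because the log lines themselves do not link the two
    events explicitly.
    """
    last_float = {}   # pid -> (timestamp, peer-id, new address)
    findings = []
    for line in lines:
        m = FLOAT_RE.match(line)
        if m:
            last_float[m["pid"]] = (_parse_ts(m["ts"], year), m["peer"], m["addr"])
            continue
        m = OUTOFSYNC_RE.match(line)
        if m and m["pid"] in last_float:
            float_ts, peer, float_addr = last_float[m["pid"]]
            err_ts = _parse_ts(m["ts"], year)
            if timedelta(0) <= err_ts - float_ts <= window:
                findings.append({
                    "at": err_ts.isoformat(sep=" "),
                    "pid": m["pid"],
                    "peer": peer,
                    "float_to": float_addr,
                    "sync_error_from": m["addr"],
                })
                # One error explains one float; do not re-attribute it.
                del last_float[m["pid"]]
    return findings


if __name__ == "__main__":
    for f in detect_bogus_floats(SAMPLE_LOG.splitlines()):
        print(f"{f['at']} pid {f['pid']}: peer {f['peer']} floated to "
              f"{f['float_to']}, then keys out of sync for {f['sync_error_from']}")
```

A single hit now and then is normal for clients that genuinely roam and then renegotiate; a burst of hits right after a server restart, as in the original report, is the pattern that points at this bug and is the cue to pick up 2.4.9 or the backported fix.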