Re: [Openvpn-devel] OpenVPN 2.6.7 released
14.11.2023 11:05, Gert Doering writes:
> Hi,
>
> On Sun, Nov 12, 2023 at 06:08:48PM +, Greg Cox wrote:
> > Spun this config up, then ran:
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80 -j REDIRECT --to-ports 1194
> >
> > Within 5 minutes the random web scanners found and segfaulted me.
>
> ... your port scanners are definitely better than mine - took more like 5 hours here to crash, but it confirms the current assumptions, ks->state being S_UNDEF and ks->send_reliable being NULL.
>
> Now, Arne's patch (if (ks->state == S_UNDEF) { continue; }) *should* have fully fixed this, so I'm a bit surprised that we get "it still crashes" reports... will re-test with this setup and see what happens.
>
> gert

I'd like to confirm that after the patch and more than 24 hours of running I have no issues.

Thank you!

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Sun, Nov 12, 2023 at 06:08:48PM +, Greg Cox wrote:
> Spun this config up, then ran:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80 -j REDIRECT --to-ports 1194
>
> Within 5 minutes the random web scanners found and segfaulted me.

... your port scanners are definitely better than mine - took more like 5 hours here to crash, but it confirms the current assumptions, ks->state being S_UNDEF and ks->send_reliable being NULL.

Now, Arne's patch (if (ks->state == S_UNDEF) { continue; }) *should* have fully fixed this, so I'm a bit surprised that we get "it still crashes" reports... will re-test with this setup and see what happens.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Sun, Nov 12, 2023 at 07:22:45PM +0100, Gert Doering wrote:
> (If you feel like debugging a bit more - could you compile an instance
> without optimization, run from gdb, and when it segfaults print all
> local variables of interest? i, j, ks, *ks, ks->send_reliable? We
> got one variable print from Dmitry - thanks! - but the optimizer broke
> printing "ks" things)

Dmitry was able to do this, and has confirmed that ks->send_reliable is NULL here, because of "half-initialized state" - which can be determined by checking ks->state first (S_UNDEF = 0 --> send_reliable not yet initialized).

Thanks for your help, Dmitry and Greg. Fixed version coming soon...

gert
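An added illustration (not code from OpenVPN or from anyone in this thread) of the check the two messages above converge on: a key-state slot whose ks->state is still S_UNDEF has a NULL ks->send_reliable, so any loop over the slots must skip it before dereferencing. Only S_UNDEF = 0, ks->state and ks->send_reliable come from the thread; struct key_state, struct tls_session, KS_SIZE, S_INITIAL and count_pending_reliable are hypothetical stand-ins for the real internals.

```c
/* Constructed model of a half-initialized key state; names are stand-ins. */
#include <stddef.h>

#define KS_SIZE   2   /* key_state slots per session (constructed value) */
#define S_UNDEF   0   /* slot allocated but never initialized: send_reliable is NULL */
#define S_INITIAL 1   /* slot set up: send_reliable points at a valid queue */

struct reliable {
    int pending;      /* stand-in for the reliable layer's outgoing queue depth */
};

struct key_state {
    int state;                        /* S_UNDEF until the slot is initialized */
    struct reliable *send_reliable;   /* NULL while state == S_UNDEF */
};

struct tls_session {
    struct key_state key[KS_SIZE];
};

/* Sum pending reliable packets over all key states of a session.
 * The `ks->state == S_UNDEF` guard is the fix quoted in the thread: without
 * it, a connection that was only half set up (a scanner that talks garbage
 * over TCP and goes away) leaves a slot whose send_reliable is NULL, and the
 * dereference below is the reported segfault. */
int count_pending_reliable(const struct tls_session *s)
{
    int total = 0;
    for (int i = 0; i < KS_SIZE; i++) {
        const struct key_state *ks = &s->key[i];
        if (ks->state == S_UNDEF) {
            continue;   /* never touch send_reliable on an uninitialized slot */
        }
        total += ks->send_reliable->pending;
    }
    return total;
}

/* Constructed scenario: slot 0 initialized with 3 queued packets,
 * slot 1 still S_UNDEF with send_reliable == NULL. */
int demo_half_initialized_session(void)
{
    struct reliable r0 = { .pending = 3 };
    struct tls_session s = {
        .key = {
            { .state = S_INITIAL, .send_reliable = &r0 },
            { .state = S_UNDEF,   .send_reliable = NULL },
        },
    };
    return count_pending_reliable(&s);   /* 3, with no NULL dereference */
}
```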
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Segfaulting STR: Rocky9 host, used 2.6.7 from the copr repo.

port 1194
proto tcp-server
dev tun1
ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/server.crt
key /etc/openvpn/server/keys/server.key
dh none
tls-groups secp521r1:secp384r1
topology subnet
server 10.50.236.0 255.255.255.0
keepalive 10 120
tls-auth /etc/openvpn/server/keys/ta.key 0
data-ciphers AES-256-GCM
auth SHA512
tls-version-min 1.2
user openvpn
group openvpn
persist-key
persist-tun
log-append /var/log/openvpn/openvpn.log
verb 4
auth-gen-token 0 3600

Spun this config up, then ran:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80 -j REDIRECT --to-ports 1194

Within 5 minutes the random web scanners found and segfaulted me.

Hope this helps.

On Fri, Nov 10, 2023 at 7:48 PM Gert Doering wrote:
> Hi,
>
> On Fri, Nov 10, 2023 at 10:51:34AM +0100, Gert Doering wrote:
> > I'll see if I can reproduce this case here and we'll fix it ASAP.
>
> We couldn't reproduce it yet, but we have a crash dump in GH issue #449,
> which hints at the commit cd4d819c99266 getting this double-extra-check
> wrong.
>
> So if you build from git, can you do a checkout of release/2.6, and
> then do "git revert cd4d819c99266", and build from that? This would
> give you a 2.6.7 "with both CVE fixes, but without the extra safeguard
> check" - which isn't *really* needed, but its intention was "should
> another mistake of sort addressed in the CVE fixes happen again, it
> would get caught" - so double belt and suspenders...
>
> gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Sun, Nov 12, 2023 at 06:08:48PM +, Greg Cox wrote:
> Spun this config up, then ran:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80 -j REDIRECT --to-ports 1194
>
> Within 5 minutes the random web scanners found and segfaulted me.

This sounds promising. Hopefully we can make it crash too with that :-)

(Focus so far was on UDP because that was the first report we got, but if TCP gets the job done, even better).

Not totally trivial, though... "basic" openssl s_client or just plain "GET / HTTP/1.0" will just make OpenVPN close the link, not crash... *keeps trying*

(If you feel like debugging a bit more - could you compile an instance without optimization, run from gdb, and when it segfaults print all local variables of interest? i, j, ks, *ks, ks->send_reliable? We got one variable print from Dmitry - thanks! - but the optimizer broke printing "ks" things)

gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Fri, Nov 10, 2023 at 10:51:34AM +0100, Gert Doering wrote:
> I'll see if I can reproduce this case here and we'll fix it ASAP.

We couldn't reproduce it yet, but we have a crash dump in GH issue #449, which hints at the commit cd4d819c99266 getting this double-extra-check wrong.

So if you build from git, can you do a checkout of release/2.6, and then do "git revert cd4d819c99266", and build from that? This would give you a 2.6.7 "with both CVE fixes, but without the extra safeguard check" - which isn't *really* needed, but its intention was "should another mistake of sort addressed in the CVE fixes happen again, it would get caught" - so double belt and suspenders...

gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Fri, Nov 10, 2023 at 12:25:22PM +0400, Dmitry Melekhov wrote:
> btw, what I missed, openvpn dies:
>
> openvpn[11346]: segfault at 0 ip 55e33503f5f3 sp 7fff33642390 error 4 in openvpn[55e334fc8000+8f000]
>
> but only multipoint udp.

This is bad (but very different from "it stops forwarding", so it should be much easier to reproduce).

Can you produce a log file with "verb 4" so it shows what is happening before that?

I'll see if I can reproduce this case here and we'll fix it ASAP.

gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
btw, what I missed, openvpn dies:

openvpn[11346]: segfault at 0 ip 55e33503f5f3 sp 7fff33642390 error 4 in openvpn[55e334fc8000+8f000]

but only multipoint udp.

10.11.2023 11:35, Dmitry Melekhov writes:
> 10.11.2023 11:23, Gert Doering writes:
> > Hi,
> >
> > On Fri, Nov 10, 2023 at 11:19:58AM +0400, Dmitry Melekhov wrote:
> > > OK, now I know what is broken.
> > >
> > > I have so called multihomed server, and multihomed udp does not work in 2.6.7.
> > >
> > > On server with only one external interface everything works OK.
> >
> > Are you using --multihome in your config? If not, please add this - UDP on a server with multiple IP addresses of the same family (v4 or v6) cannot work reliably without --multihome.
>
> yes, sure.
>
> as I said 2.6.6 works OK, and all previous versions since multihomed support for udp was introduced.
>
> > If it does not work with --multihome, please send logs.
>
> I see nothing strange in logs, server just lost connection, client too, then they reconnect.
>
> > (There is one multihome-related code change in 2.6.6 -> 2.6.7, but that should only ever trigger if you use DCO)
>
> I don't use dco, but multihomed udp does not work.
>
> > gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
10.11.2023 11:23, Gert Doering writes:
> Hi,
>
> On Fri, Nov 10, 2023 at 11:19:58AM +0400, Dmitry Melekhov wrote:
> > OK, now I know what is broken.
> >
> > I have so called multihomed server, and multihomed udp does not work in 2.6.7.
> >
> > On server with only one external interface everything works OK.
>
> Are you using --multihome in your config? If not, please add this - UDP on a server with multiple IP addresses of the same family (v4 or v6) cannot work reliably without --multihome.

yes, sure.

as I said 2.6.6 works OK, and all previous versions since multihomed support for udp was introduced.

> If it does not work with --multihome, please send logs.

I see nothing strange in logs, server just lost connection, client too, then they reconnect.

> (There is one multihome-related code change in 2.6.6 -> 2.6.7, but that should only ever trigger if you use DCO)

I don't use dco, but multihomed udp does not work.

> gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Fri, Nov 10, 2023 at 11:19:58AM +0400, Dmitry Melekhov wrote:
> OK, now I know what is broken.
>
> I have so called multihomed server, and multihomed udp does not work in 2.6.7.
>
> On server with only one external interface everything works OK.

Are you using --multihome in your config? If not, please add this - UDP on a server with multiple IP addresses of the same family (v4 or v6) cannot work reliably without --multihome.

If it does not work with --multihome, please send logs.

(There is one multihome-related code change in 2.6.6 -> 2.6.7, but that should only ever trigger if you use DCO)

gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
Hi,

On Fri, Nov 10, 2023 at 10:21:35AM +0400, Dmitry Melekhov wrote:
> 10.11.2023 00:56, Yuriy Darnobyt writes:
> > The OpenVPN community project team is proud to release OpenVPN 2.6.7.
>
> something is broken in 2.6.7. it stops passing traffic after several seconds after connection when acts as server,

Anything in the logs, when running with --verb 4? Is this UDP or TCP? Are you using --fragment?

I ran the full server side test setup here, and all tests pass - now, these are only running ~15 seconds per client connect, so might have overlooked something... just to be sure, I've run a 15-minute ipv4/ipv6 ping test to a UDP server now, and that succeeded just fine.

gert
Re: [Openvpn-devel] OpenVPN 2.6.7 released
10.11.2023 10:21, Dmitry Melekhov writes:
> 10.11.2023 00:56, Yuriy Darnobyt writes:
> > The OpenVPN community project team is proud to release OpenVPN 2.6.7.
>
> something is broken in 2.6.7. it stops passing traffic after several seconds after connection when acts as server, so I reverted it back to 2.6.6.
>
> compiled from sources on ubuntu 22.04 with --disable-dco
>
> don't know where is problem, at least now.

OK, now I know what is broken.

I have so called multihomed server, and multihomed udp does not work in 2.6.7.

On server with only one external interface everything works OK.

Could you, please, fix this?
Re: [Openvpn-devel] OpenVPN 2.6.7 released
10.11.2023 00:56, Yuriy Darnobyt writes:
> The OpenVPN community project team is proud to release OpenVPN 2.6.7.

something is broken in 2.6.7. it stops passing traffic after several seconds after connection when acts as server, so I reverted it back to 2.6.6.

compiled from sources on ubuntu 22.04 with --disable-dco

don't know where is problem, at least now.