Package: openvpn
Version: 2.6.0~git20221116-1devuan1
Severity: normal
Dear Maintainer,
I have used openvpn for many years with the same client configuration. But
currently I have a problem that I never had before and that looks like a bug
in openvpn.
I bought a new laptop and issued the credentials. Unfortunately, I got
the messages:
Dec 5 08:31:59 chil ovpn-chil[6603]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Dec 5 08:31:59 chil ovpn-chil[6603]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
Dec 5 08:31:59 chil ovpn-chil[6603]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Dec 5 08:31:59 chil ovpn-chil[6603]: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Dec 5 08:31:59 chil ovpn-chil[6605]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.9.7.51:1194
Dec 5 08:31:59 chil ovpn-chil[6605]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 5 08:31:59 chil ovpn-chil[6605]: UDPv4 link local: (not bound)
Dec 5 08:31:59 chil ovpn-chil[6605]: UDPv4 link remote: [AF_INET]5.9.7.51:1194
Dec 5 08:31:59 chil ovpn-chil[6605]: TLS: Initial packet from [AF_INET]5.9.7.51:1194, sid=285f6b71 ae378088
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY OK: depth=1, CN=OpenVPN-CA
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY KU OK
Dec 5 08:31:59 chil ovpn-chil[6605]: Validating certificate extended key usage
Dec 5 08:31:59 chil ovpn-chil[6605]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY EKU OK
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY OK: depth=0, CN=tschil
Dec 5 08:32:59 chil ovpn-chil[6605]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 5 08:32:59 chil ovpn-chil[6605]: TLS Error: TLS handshake failed
As you can see, the connection is working as the certificates are
exchanged, but after the EKU verification, I get a timeout.
I have no apparmor or selinux running.
The strangest thing is, when I start openvpn with --verb 9, it works.
So, my guess is, that there is a timing problem as the new laptop is
pretty new ARM CPU.
-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus/ceres)
Release: 5
Codename: daedalus ceres
Architecture: x86_64
Kernel: Linux 6.0.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.80
ii libc6 2.36-6
ii libcap-ng0 0.8.3-1+b2
ii liblz4-1 1.9.4-1
ii liblzo2-2 2.10-2
ii libnl-3-200 3.7.0-0.2+b1
ii libnl-genl-3-200 3.7.0-0.2+b1
ii libpam0g 1.5.2-5
ii libpkcs11-helper1 1.29.0-1
ii libssl3 3.0.7-1
ii lsb-base 11.5
ii sysvinit-utils [lsb-base] 3.05-6devuan1
Versions of packages openvpn recommends:
pn easy-rsa <none>
Versions of packages openvpn suggests:
ii openssl 3.0.7-1
pn openvpn-dco-dkms <none>
pn resolvconf <none>
-- debconf information:
openvpn/create_tun: false
Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C