:: [devuan-dev] bug#726: openvpn: Fail…
Página Inicial
Delete this message
Reply to this message
Autor: Klaus Ethgen
Data:  
Para: Devuan Bug Tracking System
Assunto: [devuan-dev] bug#726: openvpn: Fail to connect with verbosity less than 9
Package: openvpn
Version: 2.6.0~git20221116-1devuan1
Severity: normal

Dear Maintainer,

I use opnevpn for many years with the same client configuration. But
currently I have a problem, that I never had and that looks like a bug
in openvpn.

I bought a new laptop and issued the credentials. Unfortunately, I got
the messages:

Dec 5 08:31:59 chil ovpn-chil[6603]: DEPRECATED OPTION: --cipher set to
'BF-CBC' but missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher
for cipher negotiations.
Dec 5 08:31:59 chil ovpn-chil[6603]: Note: Kernel support for ovpn-dco
missing, disabling data channel offload.
Dec 5 08:31:59 chil ovpn-chil[6603]: OpenVPN 2.6_git
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11]
[MH/PKTINFO] [AEAD] [DCO]
Dec 5 08:31:59 chil ovpn-chil[6603]: library versions: OpenSSL 3.0.7 1
Nov 2022, LZO 2.10
Dec 5 08:31:59 chil ovpn-chil[6605]: Outgoing Control Channel
Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: Incoming Control Channel
Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: TCP/UDP: Preserving recently used
remote address: [AF_INET]5.9.7.51:1194
Dec 5 08:31:59 chil ovpn-chil[6605]: Socket Buffers: R=[212992->212992]
S=[212992->212992]
Dec 5 08:31:59 chil ovpn-chil[6605]: UDPv4 link local: (not bound)
Dec 5 08:31:59 chil ovpn-chil[6605]: UDPv4 link remote:
[AF_INET]5.9.7.51:1194
Dec 5 08:31:59 chil ovpn-chil[6605]: TLS: Initial packet from
[AF_INET]5.9.7.51:1194, sid=285f6b71 ae378088
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY OK: depth=1, CN=OpenVPN-CA
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY KU OK
Dec 5 08:31:59 chil ovpn-chil[6605]: Validating certificate extended
key usage
Dec 5 08:31:59 chil ovpn-chil[6605]: ++ Certificate has EKU (str) TLS
Web Server Authentication, expects TLS Web Server Authentication
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY EKU OK
Dec 5 08:31:59 chil ovpn-chil[6605]: VERIFY OK: depth=0, CN=tschil
Dec 5 08:32:59 chil ovpn-chil[6605]: TLS Error: TLS key negotiation
failed to occur within 60 seconds (check your network connectivity)
Dec 5 08:32:59 chil ovpn-chil[6605]: TLS Error: TLS handshake failed

As you can see, the connection is working as the certificates are
exchaned but after the EKU verifikation, I get a timeout.

I have no apparmor or selinux running.

The strangest thing is, when I start openvpn with --verb 9, it work.

So, my guess is, that there is a timing problem as the new laptop is
pretty new ARM CPU.

-- System Information:
Distributor ID:    Devuan
Description:    Devuan GNU/Linux 5 (daedalus/ceres)
Release:    5
Codename:    daedalus ceres
Architecture: x86_64


Kernel: Linux 6.0.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]      1.5.80
ii  libc6                      2.36-6
ii  libcap-ng0                 0.8.3-1+b2
ii  liblz4-1                   1.9.4-1
ii  liblzo2-2                  2.10-2
ii  libnl-3-200                3.7.0-0.2+b1
ii  libnl-genl-3-200           3.7.0-0.2+b1
ii  libpam0g                   1.5.2-5
ii  libpkcs11-helper1          1.29.0-1
ii  libssl3                    3.0.7-1
ii  lsb-base                   11.5
ii  sysvinit-utils [lsb-base]  3.05-6devuan1


Versions of packages openvpn recommends:
pn easy-rsa <none>

Versions of packages openvpn suggests:
ii  openssl           3.0.7-1
pn  openvpn-dco-dkms  <none>
pn  resolvconf        <none>


-- debconf information:
   openvpn/create_tun: false
Gruß
    Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C