Victor Wagner wrote:
On 2009.05.27 at 10:48:30 -0700, Frank Yellin wrote:
I posted the following onto the OpenVPN forum, but it was suggested
that I would be better off mailing directly to this list.
=========================
I seem to have found a bug in 2.1_rc16 that is also apparent in earlier
versions. Although OpenVPN claims to support -CFB and -OFB cipher
modes, using them seems to cause OpenVPN to crash consistently.
For example, when I run the simple TLS example on the 2.1 documentation
page, it works fine. But if I add "--cipher bf-cfb" to both the client
and server command lines, one or the other will crash. The error
message is always "Assertion failed at crypto.c:162". The crasher is
always the first one to try and send an encrypted message.
I've reported this problem more than a year ago, but nothing changed.
I really don't understand why openvpn prefers CBC modes. There is
nothing wrong with CFB and OFB from either a security or a
performance point of view.
But it is not only a problem with non-CBC ciphers. If you try to use
preshared keys, you'll find out that they are explicitly disabled
unless the --test-crypto option is given, even if you compile with
-DALLOW_NON_CBC_CIPHERS.
Also, I've encountered some problems with UDP transport and stream
ciphers which I haven't found time to debug yet.
The OFB and CFB cipher modes in OpenVPN have not been well-tested and
should be considered experimental at this point.
They are not compiled by default mostly to prevent someone from
accidentally using them.
James