Antonio & Jan Just,

Looking at the logs, there are some notable differences. I assumed for the moment that the TLS calls are logged before the received message, since the message first needs to be decoded (and the client reports a 13 byte plaintext with 42 byte ciphertext).
--------------------------------------------------------------------------------------------------------------------------------------------------------
This is the log of the initial connection:

Fri Jan 26 09:35:30 2018 us=253552 client1/10.11.11.10:1194 write tls_write_ciphertext 42 bytes
Fri Jan 26 09:35:30 2018 us=253581 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:6743): => read
Fri Jan 26 09:35:30 2018 us=253609 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:3721): => read record
Fri Jan 26 09:35:30 2018 us=253636 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2208): => fetch input
Fri Jan 26 09:35:30 2018 us=253664 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2366): in_left: 0, nb_want: 5
Fri Jan 26 09:35:30 2018 us=253692 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2390): in_left: 0, nb_want: 5
Fri Jan 26 09:35:30 2018 us=253721 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2391): ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)
Fri Jan 26 09:35:30 2018 us=253748 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2403): <= fetch input
Fri Jan 26 09:35:30 2018 us=253777 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2208): => fetch input
Fri Jan 26 09:35:30 2018 us=253804 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2366): in_left: 5, nb_want: 42
Fri Jan 26 09:35:30 2018 us=253832 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2390): in_left: 5, nb_want: 42
Fri Jan 26 09:35:30 2018 us=253860 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2391): ssl->f_recv(_timeout)() returned 37 (-0xffffffdb)
Fri Jan 26 09:35:30 2018 us=253887 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2403): <= fetch input
Fri Jan 26 09:35:30 2018 us=253914 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:1576): => decrypt buf
Fri Jan 26 09:35:30 2018 us=253956 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2051): <= decrypt buf
Fri Jan 26 09:35:30 2018 us=253984 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:3754): <= read record
Fri Jan 26 09:35:30 2018 us=254012 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:7042): <= read
Fri Jan 26 09:35:30 2018 us=254038 client1/10.11.11.10:1194 read tls_read_plaintext 13 bytes
Fri Jan 26 09:35:30 2018 us=254068 client1/10.11.11.10:1194 ACK reliable_send_timeout 604800 [6]
Fri Jan 26 09:35:30 2018 us=254100 client1/10.11.11.10:1194 PUSH: Received control message: 'PUSH_REQUEST'
--------------------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------------------------------------------------------------------
This is the log of the request after the reconnect:

Fri Jan 26 09:35:42 2018 us=558215 client1/10.11.11.10:1194 write tls_write_ciphertext 42 bytes
Fri Jan 26 09:35:42 2018 us=558244 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:6743): => read
Fri Jan 26 09:35:42 2018 us=558271 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:3721): => read record
Fri Jan 26 09:35:42 2018 us=558299 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2208): => fetch input
Fri Jan 26 09:35:42 2018 us=558327 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2366): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558355 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2390): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558384 client1/10.11.11.10:1194 ACK reliable_can_send active=0 current=0 : [6]
Fri Jan 26 09:35:42 2018 us=558412 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:6743): => read
Fri Jan 26 09:35:42 2018 us=558439 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:3721): => read record
Fri Jan 26 09:35:42 2018 us=558466 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2208): => fetch input
Fri Jan 26 09:35:42 2018 us=558493 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2366): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558521 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2390): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558550 client1/10.11.11.10:1194 ACK write ID 5 (ack->len=1, n=1)
Fri Jan 26 09:35:42 2018 us=558582 client1/10.11.11.10:1194 ACK reliable_send_timeout 604800 [6]
Fri Jan 26 09:35:42 2018 us=558614 PO_CTL rwflags=0x0002 ev=5 arg=0x563eb8ff1858
Fri Jan 26 09:35:42 2018 us=558641 PO_CTL rwflags=0x0000 ev=4 arg=0x563eb8fe80a8
Fri Jan 26 09:35:42 2018 us=558671 I/O WAIT Tr|Tw|Sr|SW [1/165054]
Fri Jan 26 09:35:42 2018 us=558703 PO_WAIT[0,0] fd=5 rev=0x00000004 rwflags=0x0002 arg=0x563eb8ff1858
Fri Jan 26 09:35:42 2018 us=558729 I/O WAIT status=0x0002
Fri Jan 26 09:35:42 2018 us=558764 client1/10.11.11.10:1194 UDPv4 WRITE [62] to [AF_INET]10.11.11.10:1194: P_ACK_V1 kid=0 pid=[ #8 ] [ 5 ]
Fri Jan 26 09:35:42 2018 us=558829 client1/10.11.11.10:1194 ACK reliable_can_send active=0 current=0 : [6]
Fri Jan 26 09:35:42 2018 us=558859 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:6743): => read
Fri Jan 26 09:35:42 2018 us=558886 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:3721): => read record
Fri Jan 26 09:35:42 2018 us=558914 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2208): => fetch input
Fri Jan 26 09:35:42 2018 us=558941 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2366): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558970 client1/10.11.11.10:1194 mbed TLS msg (/srv/slave_openvpn/.jenkins/workspace/OpenVPN-NL-2.4-build/arch/64-bit/distro/ubuntu_xenial/servertype/build/openvpn-nl/mbedtls/library/ssl_tls.c:2390): in_left: 0, nb_want: 5
Fri Jan 26 09:35:42 2018 us=558999 client1/10.11.11.10:1194 ACK reliable_send_timeout 604800 [6]
Fri Jan 26 09:35:42 2018 us=559029 PO_CTL rwflags=0x0001 ev=5 arg=0x563eb8ff1858
Fri Jan 26 09:35:42 2018 us=559056 PO_CTL rwflags=0x0001 ev=4 arg=0x563eb8fe80a8
Fri Jan 26 09:35:42 2018 us=559086 I/O WAIT TR|Tw|SR|Sw [1/165054]
Fri Jan 26 09:35:43 2018 us=725320 I/O WAIT status=0x0020
Fri Jan 26 09:35:43 2018 us=725415 MULTI: REAP range 0 -> 16
--------------------------------------------------------------------------------------------------------------------------------------------------------

As you can see, the message is never actually decrypted after the reconnect, and as such the server will never receive it.

Kind regards,

Pieter Hulshoff
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
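
The comparison made by hand in the message above can be scripted. The following is an added example, not part of the original message or of OpenVPN: it assumes, as the message does, that the mbed TLS debug entries following a tls_write_ciphertext entry belong to that record. The function names are hypothetical and the sample log is constructed.

```python
import re

# An OpenVPN log entry starts with a timestamp like
# "Fri Jan 26 09:35:30 2018 us=253552"; splitting on it also recovers
# entries from a log whose line breaks were lost.
STAMP = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} "
                   r"\d\d:\d\d:\d\d \d{4} us=\d+")
WRITE = re.compile(r"write tls_write_ciphertext (\d+) bytes")
RECV = re.compile(r"f_recv\(_timeout\)\(\) returned (\d+)")
PLAIN = re.compile(r"read tls_read_plaintext (\d+) bytes")

def entries(log_text):
    starts = [m.start() for m in STAMP.finditer(log_text)]
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        yield " ".join(log_text[begin:end].split())

def analyse(log_text):
    """One record per tls_write_ciphertext, with what mbed TLS did next."""
    records, cur = [], None
    for entry in entries(log_text):
        if m := WRITE.search(entry):
            cur = {"at": STAMP.match(entry).group(), "ciphertext": int(m.group(1)),
                   "fetched": 0, "decrypted": False, "plaintext": None}
            records.append(cur)
        elif cur is not None:
            if m := RECV.search(entry):
                cur["fetched"] += int(m.group(1))   # bytes mbed TLS pulled in
            if "<= decrypt buf" in entry:
                cur["decrypted"] = True
            if m := PLAIN.search(entry):
                cur["plaintext"] = int(m.group(1))
    for r in records:
        done = r["decrypted"] and r["fetched"] == r["ciphertext"]
        r["status"] = "decrypted" if done else "stalled"
    return records

# Constructed sample, abbreviated from the log format in the message above;
# the second exchange is deliberately run together on one line.
C = "client1/10.11.11.10:1194"
SAMPLE = (
    f"Fri Jan 26 09:35:30 2018 us=253552 {C} write tls_write_ciphertext 42 bytes\n"
    f"Fri Jan 26 09:35:30 2018 us=253721 {C} mbed TLS msg (ssl_tls.c:2391): ssl->f_recv(_timeout)() returned 5 (-0xfffffffb)\n"
    f"Fri Jan 26 09:35:30 2018 us=253860 {C} mbed TLS msg (ssl_tls.c:2391): ssl->f_recv(_timeout)() returned 37 (-0xffffffdb)\n"
    f"Fri Jan 26 09:35:30 2018 us=253956 {C} mbed TLS msg (ssl_tls.c:2051): <= decrypt buf\n"
    f"Fri Jan 26 09:35:30 2018 us=254038 {C} read tls_read_plaintext 13 bytes\n"
    f"Fri Jan 26 09:35:42 2018 us=558215 {C} write tls_write_ciphertext 42 bytes "
    f"Fri Jan 26 09:35:42 2018 us=558355 {C} mbed TLS msg (ssl_tls.c:2390): in_left: 0, nb_want: 5\n"
)
if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

A record marked "stalled" with fetched equal to 0 corresponds to the post-reconnect trace: ciphertext was written to the TLS layer, but no f_recv result or decrypt buf entry followed.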