Attention is currently required from: davidben, flichtenheld.

plaisthos has posted comments on this change by davidben. ( http://gerrit.openvpn.net/c/openvpn/+/1289?usp=email )

Change subject: ssl_openssl: Fix some CRL mixups
......................................................................

Patch Set 2: Code-Review-2

(1 comment)

Patchset:

PS2:
There seems to be a problem when the CRL file gets invalid:

I set up OpenVPN with a normal setup

(gdb) run
Starting program: /home/arne/openvpn-cmake-debug/openvpn --server 10.33.0.0 255.255.255.0 --server-ipv6 fd00:f00f:babe::1/64 --topology subnet --cert /home/arne/ut-ca/server.pem --key /home/arne/ut-ca/server.key --dev tun --verb 4 --data-ciphers AES-256-GCM:AES-128-GCM:AES-192-GCM --tun-mtu 1400 --keepalive 10 25 --push explicit-exit-notify\ 3 --verb 4 --crl-verify /home/arne/ut-ca/ca.crl --ca /home/arne/ut-ca/ca.pem
[...]

Then connected a client and that went fine. Then I replaced the CRL file with an invalid one:

rm ca.crl && touch ca.crl

Connecting the client again first works fine (connection gets rejected)

2025-12-09 14:43:11 us=78031 Connection Attempt MULTI: multi_create_instance called
2025-12-09 14:43:11 us=78143 udp4:192.168.188.75:58649 Re-using SSL/TLS context
2025-12-09 14:43:11 us=78267 udp4:192.168.188.75:58649 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2025-12-09 14:43:11 us=78293 udp4:192.168.188.75:58649 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2025-12-09 14:43:11 us=82903 udp4:192.168.188.75:58649 VERIFY WARNING: depth=0, unable to get certificate CRL: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client, [email protected]
2025-12-09 14:43:11 us=83007 udp4:192.168.188.75:58649 VERIFY WARNING: depth=1, unable to get certificate CRL: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, [email protected]
2025-12-09 14:43:11 us=83165 udp4:192.168.188.75:58649 VERIFY ERROR: CRL not loaded
2025-12-09 14:43:11 us=83238 udp4:192.168.188.75:58649 Sent fatal SSL alert: unknown CA
2025-12-09 14:43:11 us=83289 udp4:192.168.188.75:58649 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2025-12-09 14:43:11 us=83330 udp4:192.168.188.75:58649 TLS_ERROR: BIO read tls_read_plaintext error
2025-12-09 14:43:11 us=83358 udp4:192.168.188.75:58649 TLS Error: TLS object -> incoming plaintext read error
2025-12-09 14:43:11 us=83405 udp4:192.168.188.75:58649 TLS Error: TLS handshake failed
2025-12-09 14:43:11 us=83550 Warning buffer of freed TLS session is still in use (session->key[0].send_reliable->array[0])
2025-12-09 14:43:11 us=83686 udp4:192.168.188.75:58649 SIGUSR1[soft,tls-error] received, client-instance restarting
2025-12-09 14:43:11 us=83759 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58649 or wrong packet id
2025-12-09 14:43:13 us=380641 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58649 or wrong packet id
2025-12-09 14:43:13 us=380799 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58649 or wrong packet id

But then reconnecting again leads to a segfault:

2025-12-09 14:43:14 us=950844 Connection Attempt MULTI: multi_create_instance called
2025-12-09 14:43:14 us=950963 udp4:192.168.188.75:59576 Re-using SSL/TLS context
2025-12-09 14:43:14 us=951112 udp4:192.168.188.75:59576 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2025-12-09 14:43:14 us=951162 udp4:192.168.188.75:59576 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2025-12-09 14:43:14 us=955828 udp4:192.168.188.75:59576 VERIFY WARNING: depth=0, unable to get certificate CRL: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client, [email protected]
2025-12-09 14:43:14 us=955883 udp4:192.168.188.75:59576 VERIFY WARNING: depth=1, unable to get certificate CRL: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, [email protected]
2025-12-09 14:43:14 us=955942 udp4:192.168.188.75:59576 VERIFY ERROR: CRL not loaded
2025-12-09 14:43:14 us=955961 udp4:192.168.188.75:59576 Sent fatal SSL alert: unknown CA
2025-12-09 14:43:14 us=955981 udp4:192.168.188.75:59576 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2025-12-09 14:43:14 us=955988 udp4:192.168.188.75:59576 TLS_ERROR: BIO read tls_read_plaintext error
2025-12-09 14:43:14 us=955996 udp4:192.168.188.75:59576 TLS Error: TLS object -> incoming plaintext read error
2025-12-09 14:43:14 us=956005 udp4:192.168.188.75:59576 TLS Error: TLS handshake failed
2025-12-09 14:43:14 us=956018 Warning buffer of freed TLS session is still in use (session->key[0].send_reliable->array[0])
2025-12-09 14:43:14 us=956061 udp4:192.168.188.75:59576 SIGUSR1[soft,tls-error] received, client-instance restarting
2025-12-09 14:43:14 us=956089 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:59576 or wrong packet id
2025-12-09 14:43:28 us=286692 Connection Attempt MULTI: multi_create_instance called
2025-12-09 14:43:28 us=286782 udp4:192.168.188.75:60010 Re-using SSL/TLS context
2025-12-09 14:43:28 us=287024 udp4:192.168.188.75:60010 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (none : 0), Properties (<null>)
2025-12-09 14:43:28 us=287031 udp4:192.168.188.75:60010 OpenSSL: error:0480006C:PEM routines::no start line:
2025-12-09 14:43:28 us=287034 udp4:192.168.188.75:60010 CRL: cannot read CRL from file /home/arne/ut-ca/ca.crl
2025-12-09 14:43:28 us=287036 udp4:192.168.188.75:60010 CRL: loaded 1 CRLs from file /home/arne/ut-ca/ca.crl
2025-12-09 14:43:28 us=287058 udp4:192.168.188.75:60010 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2025-12-09 14:43:28 us=287061 udp4:192.168.188.75:60010 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2025-12-09 14:43:28 us=292177 udp4:192.168.188.75:60010 VERIFY OK: depth=1, C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, [email protected]
2025-12-09 14:43:28 us=292774 udp4:192.168.188.75:60010 VERIFY OK: depth=0, C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client, [email protected]
2025-12-09 14:43:28 us=293487 udp4:192.168.188.75:60010 peer info: IV_VER=2.7_rc3
2025-12-09 14:43:28 us=293559 udp4:192.168.188.75:60010 peer info: IV_PLAT=mac
2025-12-09 14:43:28 us=293612 udp4:192.168.188.75:60010 peer info: IV_TCPNL=1
2025-12-09 14:43:28 us=293639 udp4:192.168.188.75:60010 peer info: IV_MTU=1600
2025-12-09 14:43:28 us=293652 udp4:192.168.188.75:60010 peer info: IV_NCP=2
2025-12-09 14:43:28 us=293664 udp4:192.168.188.75:60010 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2025-12-09 14:43:28 us=293704 udp4:192.168.188.75:60010 peer info: IV_PROTO=8094
2025-12-09 14:43:28 us=293775 udp4:192.168.188.75:60010 peer info: ID=e7afaf
2025-12-09 14:43:28 us=293793 udp4:192.168.188.75:60010 peer info: IV_LZO_STUB=1
2025-12-09 14:43:28 us=293799 udp4:192.168.188.75:60010 peer info: IV_COMP_STUB=1
2025-12-09 14:43:28 us=293804 udp4:192.168.188.75:60010 peer info: IV_COMP_STUBv2=1
2025-12-09 14:43:28 us=293983 udp4:192.168.188.75:60010 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-12-09 14:43:28 us=294092 udp4:192.168.188.75:60010 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-12-09 14:43:28 us=294701 udp4:192.168.188.75:60010 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: ecdsa-with-SHA256, peer temporary key: 768 bits X25519MLKEM768, peer signing digest/type: rsa_pss_rsae_sha256 RSASSA-PSS, key agreement: X25519MLKEM768
2025-12-09 14:43:28 us=294754 udp4:192.168.188.75:60010 [Test-Client] Peer Connection Initiated with [AF_INET]192.168.188.75:60010
2025-12-09 14:43:28 us=294784 Test-Client/udp4:192.168.188.75:60010 MULTI_sva: pool returned IPv4=10.33.0.2, IPv6=fd00:f00f:babe::1001
2025-12-09 14:43:28 us=295142 Test-Client/udp4:192.168.188.75:60010 Data Channel MTU parms [ mss_fix:1360 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2025-12-09 14:43:28 us=295205 Test-Client/udp4:192.168.188.75:60010 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2025-12-09 14:43:28 us=295223 Test-Client/udp4:192.168.188.75:60010 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2025-12-09 14:43:28 us=295230 Test-Client/udp4:192.168.188.75:60010 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
2025-12-09 14:43:28 us=295238 Test-Client/udp4:192.168.188.75:60010 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
2025-12-09 14:43:28 us=295297 Test-Client/udp4:192.168.188.75:60010 MULTI: Learn: 10.33.0.2 -> Test-Client/udp4:192.168.188.75:60010
2025-12-09 14:43:28 us=295333 Test-Client/udp4:192.168.188.75:60010 MULTI: primary virtual IP for Test-Client/udp4:192.168.188.75:60010: 10.33.0.2
2025-12-09 14:43:28 us=295352 Test-Client/udp4:192.168.188.75:60010 MULTI: Learn: fd00:f00f:babe::1001 -> Test-Client/udp4:192.168.188.75:60010
2025-12-09 14:43:28 us=295359 Test-Client/udp4:192.168.188.75:60010 MULTI: primary virtual IPv6 for Test-Client/udp4:192.168.188.75:60010: fd00:f00f:babe::1001
2025-12-09 14:43:28 us=295389 Test-Client/udp4:192.168.188.75:60010 SENT CONTROL [Test-Client]: 'PUSH_REPLY,explicit-exit-notify 3,tun-ipv6,route-gateway 10.33.0.1,topology subnet,ping 10,ping-restart 25,ifconfig-ipv6 fd00:f00f:babe::1001/64 fd00:f00f:babe::2,ifconfig 10.33.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1400' (status=1)
2025-12-09 14:43:29 us=319915 Test-Client/udp4:192.168.188.75:60010 Data Channel: cipher 'AES-256-GCM', rx-peer-id: 0, tx-peer-id: 0
2025-12-09 14:43:29 us=320027 Test-Client/udp4:192.168.188.75:60010 Timers: ping 10, ping-restart 50
2025-12-09 14:43:29 us=320051 Test-Client/udp4:192.168.188.75:60010 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-12-09 14:43:37 us=293135 Test-Client/udp4:192.168.188.75:60010 CC-EEN exit message received by peer
2025-12-09 14:43:37 us=293196 Test-Client/udp4:192.168.188.75:60010 Delayed exit in 5 seconds
2025-12-09 14:43:42 us=321905 Test-Client/udp4:192.168.188.75:60010 SIGTERM[soft,delayed-exit] received, client-instance exiting
2025-12-09 14:43:42 us=322142 ovpn_handle_peer: received data for a non-existing peer 0
2025-12-09 14:43:58 us=52079 Connection Attempt MULTI: multi_create_instance called
2025-12-09 14:43:58 us=52177 udp4:192.168.188.75:58033 Re-using SSL/TLS context
2025-12-09 14:43:58 us=52342 udp4:192.168.188.75:58033 OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (none : 0), Properties (<null>)
2025-12-09 14:43:58 us=52349 udp4:192.168.188.75:58033 OpenSSL: error:0480006C:PEM routines::no start line:
2025-12-09 14:43:58 us=52352 udp4:192.168.188.75:58033 CRL: cannot read CRL from file /home/arne/ut-ca/ca.crl
2025-12-09 14:43:58 us=52354 udp4:192.168.188.75:58033 CRL: loaded 0 CRLs from file /home/arne/ut-ca/ca.crl
2025-12-09 14:43:58 us=52375 udp4:192.168.188.75:58033 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2025-12-09 14:43:58 us=52378 udp4:192.168.188.75:58033 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1400 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2025-12-09 14:43:58 us=57062 udp4:192.168.188.75:58033 VERIFY WARNING: depth=0, unable to get certificate CRL: C=KG, ST=NA, O=OpenVPN-TEST, CN=Test-Client, [email protected]
2025-12-09 14:43:58 us=57086 udp4:192.168.188.75:58033 VERIFY WARNING: depth=1, unable to get certificate CRL: C=KG, ST=NA, L=BISHKEK, O=OpenVPN-TEST, [email protected]
2025-12-09 14:43:58 us=57129 udp4:192.168.188.75:58033 VERIFY ERROR: CRL not loaded
2025-12-09 14:43:58 us=57142 udp4:192.168.188.75:58033 Sent fatal SSL alert: unknown CA
2025-12-09 14:43:58 us=57155 udp4:192.168.188.75:58033 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2025-12-09 14:43:58 us=57157 udp4:192.168.188.75:58033 TLS_ERROR: BIO read tls_read_plaintext error
2025-12-09 14:43:58 us=57160 udp4:192.168.188.75:58033 TLS Error: TLS object -> incoming plaintext read error
2025-12-09 14:43:58 us=57164 udp4:192.168.188.75:58033 TLS Error: TLS handshake failed
2025-12-09 14:43:58 us=57175 Warning buffer of freed TLS session is still in use (session->key[0].send_reliable->array[0])
2025-12-09 14:43:58 us=57217 udp4:192.168.188.75:58033 SIGUSR1[soft,tls-error] received, client-instance restarting
2025-12-09 14:43:58 us=57246 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58033 or wrong packet id
2025-12-09 14:43:59 us=165790 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58033 or wrong packet id
2025-12-09 14:43:59 us=165885 Packet (P_CONTROL_V1) with invalid or missing SID from [AF_INET]192.168.188.75:58033 or wrong packet id
2025-12-09 14:44:05 us=928745 Connection Attempt MULTI: multi_create_instance called
2025-12-09 14:44:05 us=928929 udp4:192.168.188.75:54942 Re-using SSL/TLS context

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba7cc5 in OPENSSL_sk_pop_free () from /lib/x86_64-linux-gnu/libcrypto.so.3
(gdb) bt
#0  0x00007ffff7ba7cc5 in OPENSSL_sk_pop_free () from /lib/x86_64-linux-gnu/libcrypto.so.3
#1  0x000055555561339a in backend_tls_ctx_reload_crl (ssl_ctx=0x55555576f260, crl_file=0x7fffffffe5f2 "/home/arne/ut-ca/ca.crl", crl_inline=false) at /home/arne/openvpn-git/src/openvpn/ssl_openssl.c:1348
#2  0x0000555555608148 in tls_ctx_reload_crl (ssl_ctx=0x55555576f260, crl_file=0x7fffffffe5f2 "/home/arne/ut-ca/ca.crl", crl_file_inline=false) at /home/arne/openvpn-git/src/openvpn/ssl.c:503
#3  0x0000555555608e63 in key_state_init (session=0x55555576f970, ks=0x5555557700e0) at /home/arne/openvpn-git/src/openvpn/ssl.c:879
#4  0x000055555560924c in tls_session_init (multi=0x55555576f260, session=0x55555576f970) at /home/arne/openvpn-git/src/openvpn/ssl.c:1023
#5  0x0000555555609748 in tls_multi_init_finalize (multi=0x55555576f260, tls_mtu=1250) at /home/arne/openvpn-git/src/openvpn/ssl.c:1177
#6  0x0000555555592659 in do_init_frame_tls (c=0x55555577f2c0) at /home/arne/openvpn-git/src/openvpn/init.c:3462
#7  0x0000555555594b45 in init_instance (c=0x55555577f2c0, env=0x5555556fdb30, flags=10) at /home/arne/openvpn-git/src/openvpn/init.c:4613
#8  0x0000555555595625 in inherit_context_child (dest=0x55555577f2c0, src=0x7fffffffb5d8, sock=0x5555556fd8e0) at /home/arne/openvpn-git/src/openvpn/init.c:4914
#9  0x00005555555aba4b in multi_create_instance (m=0x7fffffffb510, real=0x7fffffffafb0, sock=0x5555556fd8e0) at /home/arne/openvpn-git/src/openvpn/multi.c:737
#10 0x00005555555a8bec in multi_get_create_instance_udp (m=0x7fffffffb510, floated=0x7fffffffb3b0, sock=0x5555556fd8e0) at /home/arne/openvpn-git/src/openvpn/mudp.c:269
#11 0x00005555555b198e in multi_process_incoming_link (m=0x7fffffffb510, instance=0x0, mpp_flags=5, sock=0x5555556fd8e0) at /home/arne/openvpn-git/src/openvpn/multi.c:3357
#12 0x00005555555a8fd1 in multi_process_io_udp (m=0x7fffffffb510, sock=0x5555556fd8e0) at /home/arne/openvpn-git/src/openvpn/mudp.c:357
#13 0x00005555555b54b5 in multi_io_process_io (m=0x7fffffffb510) at /home/arne/openvpn-git/src/openvpn/multi_io.c:468
#14 0x00005555555b3629 in tunnel_server_loop (multi=0x7fffffffb510) at /home/arne/openvpn-git/src/openvpn/multi.c:4197
#15 0x00005555555b37da in tunnel_server (top=0x7fffffffcb50) at /home/arne/openvpn-git/src/openvpn/multi.c:4249
#16 0x00005555555b8110 in openvpn_main (argc=31, argv=0x7fffffffe168) at /home/arne/openvpn-git/src/openvpn/openvpn.c:309
#17 0x00005555555b8256 in main (argc=31, argv=0x7fffffffe168) at /home/arne/openvpn-git/src/openvpn/openvpn.c:384
(gdb)

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1289?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I31ac2a763209114267c35c4a9182a12d8d82f6fe
Gerrit-Change-Number: 1289
Gerrit-PatchSet: 2
Gerrit-Owner: davidben <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-Attention: davidben <[email protected]>
Gerrit-Comment-Date: Tue, 09 Dec 2025 14:47:47 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
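Added example, not part of plaisthos's comment or of the OpenVPN sources: the reproduction above replaces the CRL with a zero-byte file, which OpenSSL reports as "PEM routines::no start line" and OpenVPN then logs as "loaded 0 CRLs" before the crash in the reload path. The Python below is the operator-side guard for that failure mode, assuming a PEM-encoded CRL as passed to --crl-verify: it refuses a candidate file that holds no well-formed "X509 CRL" block and installs an accepted one by atomic rename, so a running server never reads a half-written or empty CRL. The ".tmp" path suffix and the sample PEM bodies used for checking are constructed for the example.

```python
import base64
import os

# PEM markers OpenSSL's PEM reader needs; an empty file has neither, which is
# exactly what "PEM routines::no start line" in the log above reports.
BEGIN = "-----BEGIN X509 CRL-----"
END = "-----END X509 CRL-----"


def count_pem_crls(text: str) -> int:
    """Count complete PEM 'X509 CRL' blocks; 0 for an empty or markerless file."""
    count = 0
    lines = iter(text.splitlines())
    for line in lines:
        if line.strip() != BEGIN:
            continue
        body = []
        for inner in lines:
            if inner.strip() == END:
                break
            body.append(inner.strip())
        else:  # iterator ran out before an END line: truncated write
            raise ValueError("BEGIN without matching END: truncated CRL")
        der = base64.b64decode("".join(body), validate=True)  # ValueError if bad
        if not der or der[0] != 0x30:  # every DER CRL is a SEQUENCE
            raise ValueError("CRL body is not a DER SEQUENCE")
        count += 1
    return count


def crl_text_ok(text: str) -> bool:
    """True only if the text would load as at least one CRL, else False."""
    try:
        return count_pem_crls(text) > 0
    except ValueError:
        return False


def install_crl(candidate: str, dest: str) -> int:
    """Validate `candidate`, then os.replace() it over `dest` (atomic on POSIX)."""
    with open(candidate, encoding="ascii") as f:
        text = f.read()
    n = count_pem_crls(text)
    if n == 0:
        raise ValueError(f"{candidate}: no X509 CRL block, refusing to install")
    tmp = dest + ".tmp"  # same directory, so the rename stays on one filesystem
    with open(tmp, "w", encoding="ascii") as f:
        f.write(text)
    os.replace(tmp, dest)  # readers see the old CRL or the whole new one
    return n
```

Run the installer from whatever job refreshes the CRL instead of copying or truncating the file in place; a rejected candidate leaves the previous CRL untouched.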
