On 24/07/19 12:29, Jan Just Keijser wrote:
On 23/07/19 19:11, Stephen Reese wrote:
Let me dive into this deeper, but this did not use to happen -
I've used CentOS 6+7 icw OpenVPN for years, including
client-connect scripts and have never seen coredumps like that.
Are you using selinux? auditing? what is your policy on those?
I had SELinux disabled (permissive) and did not enable any special
auditing. The image used is from https://github.com/plus3it/spel and
running in AWS.
Just tried this on a "plain" CentOS 7 box and I am not seeing any
segfaults upon client-connect; this is with the EPEL version of OpenVPN
2.4.7.
The openssl library on RHEL/CentOS 7 is indeed FIPS compliant, but
FIPS mode still needs to be explicitly enabled inside an application,
usually using FIPS_mode_set().
You can check whether your version of OpenVPN has been patched to do
this by running:
# objdump -tT /usr/sbin/openvpn | grep FIPS
( no output, meaning no FIPS calls )
In contrast to:
# objdump -tT /usr/bin/openssl | grep FIPS
0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode
0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode_set
I've looked at the github page but it's too much of a bother to
actually get/build such an image (for my VMware player). If you can
provide me with a prebuilt image, including root access I can have a
quick peek.
As a follow-up: I've tried to get my CentOS box to boot in 'fips mode'
(by following this recipe
https://www.dogtagpki.org/wiki/Enabling_FIPS_Mode_on_RHEL_7) yet my
server stubbornly refuses to have fips mode enabled at the system level:
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
So perhaps that explains the difference between what I am seeing and
what you are seeing... If "system-level fips" does cause all
applications to automatically go into "fips mode" then that would
explain the segfaults you are seeing. The only solution is to disable
FIPS mode in that case.
HTH,
JJK
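The two checks JJK describes above (does the binary reference FIPS_mode_set, and is FIPS enabled at the kernel level) combined into one script. This is an added example, not code from the thread or from the OpenVPN project; the function names are my own, the sample objdump output is the one quoted in the mail plus a constructed "defined symbol" line, and fips_verdict assumes binutils is installed.

```sh
#!/bin/sh
# classify_fips_refs: read `objdump -T` output on stdin and print one line per
# FIPS_* symbol: "import NAME" when the binary only references it (*UND*),
# "export NAME" when the object defines it (as libcrypto does).
classify_fips_refs() {
  awk '$NF ~ /^FIPS_/ {
         kind = ($0 ~ /\*UND\*/) ? "import" : "export"
         print kind, $NF
       }' | sort -u
}

# app_calls_fips_mode_set: succeed if the objdump output on stdin shows the
# binary importing FIPS_mode_set, i.e. it was patched to switch FIPS on itself.
app_calls_fips_mode_set() {
  classify_fips_refs | grep -qx 'import FIPS_mode_set'
}

# system_fips_enabled: print the kernel-level flag (1 = FIPS mode), 0 if absent.
system_fips_enabled() {
  if [ -r /proc/sys/crypto/fips_enabled ]; then
    cat /proc/sys/crypto/fips_enabled
  else
    echo 0
  fi
}

# fips_verdict BINARY: the combination the thread worries about is
# system_fips=1 with app_calls_FIPS_mode_set=no (assumes objdump is present).
fips_verdict() {
  sys=$(system_fips_enabled)
  if objdump -T "$1" 2>/dev/null | app_calls_fips_mode_set; then app=yes
  else app=no; fi
  echo "$1: system_fips=$sys app_calls_FIPS_mode_set=$app"
}

# Constructed sample: the two lines quoted in the mail for /usr/bin/openssl,
# plus one made-up line shaped like a symbol that libcrypto itself defines.
SAMPLE_OBJDUMP='0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode
0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode_set
00000000000a1b20 g DF .text 0000000000000015 Base FIPS_mode'

printf '%s\n' "$SAMPLE_OBJDUMP" | classify_fips_refs
fips_verdict /usr/sbin/openvpn
```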
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users