On 24/07/19 12:29, Jan Just Keijser wrote:

On 23/07/19 19:11, Stephen Reese wrote:

    Let me dive into this deeper, but this did not use to happen -
    I've used CentOS 6+7 icw OpenVPN for years, including
    client-connect scripts and have never seen coredumps like that.
    Are you using selinux? auditing? what is your policy on those?


I had SELinux disabled (permissive) and did not enable any special auditing. The image used is from https://github.com/plus3it/spel and running in AWS.


Just tried this on a "plain" CentOS 7 box and I am not seeing any seg faults upon client-connect; this is with the EPEL version of OpenVPN 2.4.7.

The openssl library on RHEL/CentOS 7 is indeed FIPS compliant, but FIPS mode still needs to be explicitly enabled inside an application, usually using FIPS_mode_set(). You can check whether your version of OpenVPN has been patched to do this by running:

# objdump -tT /usr/sbin/openvpn | grep FIPS

( no output, meaning no FIPS calls )

In contrast to:

# objdump -tT /usr/bin/openssl | grep FIPS
0000000000000000      DF *UND*    0000000000000000 libcrypto.so.10 FIPS_mode
0000000000000000      DF *UND*    0000000000000000 libcrypto.so.10 FIPS_mode_set


I've looked at the github page but it's too much of a bother to actually get/build such an image (for my VMware player). If you can provide me with a prebuilt image, including root access I can have a quick peek.

As a follow-up: I've tried to get my CentOS box to boot in 'fips mode' (by following this recipe https://www.dogtagpki.org/wiki/Enabling_FIPS_Mode_on_RHEL_7), yet my server stubbornly refuses to have fips mode enabled at the system level:

  # sysctl crypto.fips_enabled
  crypto.fips_enabled = 0

so perhaps that explains the difference between what I am seeing and what you are seeing.... if "system-level fips" does cause all applications to automatically go into "fips mode" then that would explain the segfaults you are seeing. The only solution is to disable FIPS mode in that case.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
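The check JJK describes (system-level FIPS flag versus whether a binary actually imports FIPS_mode/FIPS_mode_set) as a small audit script; this is an added example, not code from the thread or from OpenVPN. It assumes binutils' objdump is installed and that the kernel flag is readable at /proc/sys/crypto/fips_enabled (the same value sysctl crypto.fips_enabled reports).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag binaries that would run
# under system-level FIPS mode without ever calling FIPS_mode_set() themselves.

# Print the unique FIPS_* dynamic symbols in "objdump -tT" output read on stdin.
# Tokenising on spaces means it also copes with output fused onto one line.
fips_symbols_from_objdump() {
    tr ' ' '\n' | grep -E '^FIPS_[A-Za-z0-9_]+$' | sort -u
}

# Kernel-level FIPS flag; reports 0 when the proc entry does not exist.
system_fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Verdict for one binary given the system flag (0/1) and its FIPS symbol count:
#   system FIPS on, no FIPS calls  -> "risk" (the combination suspected in the thread)
#   system FIPS on, FIPS calls     -> "fips-aware"
#   system FIPS off                -> "no-fips"
fips_verdict() {
    sysfips=$1
    nsyms=$2
    if [ "$sysfips" -eq 1 ]; then
        if [ "$nsyms" -gt 0 ]; then echo fips-aware; else echo risk; fi
    else
        echo no-fips
    fi
}

# Audit every binary passed as an argument, one line of output per binary.
audit_binaries() {
    sysfips=$(system_fips_enabled)
    for bin in "$@"; do
        n=$(objdump -tT "$bin" 2>/dev/null | fips_symbols_from_objdump | wc -l | tr -d ' ')
        printf '%s fips_enabled=%s fips_symbols=%s verdict=%s\n' \
            "$bin" "$sysfips" "$n" "$(fips_verdict "$sysfips" "$n")"
    done
}

# Constructed sample: the fused objdump output quoted in the thread, for self-checks.
SAMPLE='0000000000000000      DF *UND*    0000000000000000 libcrypto.so.10 FIPS_mode 0000000000000000      DF *UND*    0000000000000000 libcrypto.so.10 FIPS_mode_set'

if [ $# -gt 0 ]; then audit_binaries "$@"; fi
```

Run it as `sh fips-audit.sh /usr/sbin/openvpn /usr/bin/openssl`; a "risk" verdict means the host is in FIPS mode but that binary never opts in, which is the mismatch worth investigating before blaming the client-connect script.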
