* Jonny Oschätzky via Openvpn-users <openvpn-users@lists.sourceforge.net>:
> On Tuesday, 13 June 2023 10:16:36 CEST Ralf Hildebrandt via Openvpn-users wrote:
> 
> > routines:get_name:no start line Jun 13 03:06:23 openvpn-igel-int
> > tcp[452155]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
> 
> OpenVPN is typically run as a restricted user. I think this user needs to be
> able to access the crl file, because the crl is checked frequently and not
> only in the initialization process.

Yes, we already checked this. No chroot or permission issues.

Unfortunately, the log was not complete, but it only adds extra
confusion; here you go:

... one extra line to show context ...
Jun 17 06:01:26 openvpn-igel-int systemd[1]: Finished Daily apt upgrade and clean activities.
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: OpenSSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: OpenSSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: OpenSSL: error:0909006C:PEM routines:get_name:no start line
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: CRL: loaded 1 CRLs from file /etc/openvpn/ca/crl.pem
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: TCP connection established with [AF_INET6]::ffff:192.241.225.14:58502
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: Socket flags: TCP_NODELAY=1 succeeded
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: 192.241.225.14:58502 WARNING: Bad encapsulated packet length from peer (19783), which must be > 0 and <= 1768 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: 192.241.225.14:58502 Connection reset, restarting [0]
Jun 17 06:22:10 openvpn-igel-int tcp[725460]: 192.241.225.14:58502 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 17 08:12:00 openvpn-igel-int systemd[1]: Starting Daily apt download activities...
... one extra line to show context ...

So what's happening here is (wildly guessing):

* somebody is doing a TCP portscan (I guess)
* the tcp based openvpn (conveniently named "tcp" here) is initializing the SSL context
* once it's started, it's already over (?)
* CRL cannot be loaded, but maybe it can (timing?)
* openvpn complains about a bad packet (due to that just being a port scan)


A "real", working connection looks like this:
=============================================

... one extra line to show context ...
Jun 16 08:27:00 openvpn-igel-int systemd[1]: Finished Ubuntu Advantage Timer for running repeated jobs.
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: OpenSSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: OpenSSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: OpenSSL: error:0909006C:PEM routines:get_name:no start line
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: CRL: loaded 1 CRLs from file /etc/openvpn/ca/crl.pem
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: TCP connection established with [AF_INET6]::ffff:89.247.160.41:16938
Jun 16 09:40:55 openvpn-igel-int tcp[452155]: Socket flags: TCP_NODELAY=1 succeeded
Jun 16 09:40:56 openvpn-igel-int tcp[452155]: 89.247.160.41:16938 TLS: Initial packet from [AF_INET6]::ffff:89.247.160.41:16938, sid=4bf33698 ca589ff5
Jun 16 09:40:56 openvpn-igel-int tcp[452155]: 89.247.160.41:16938 VERIFY OK: depth=1, DC=de, DC=charite, CN=Charite Zertifizierungsstelle
...

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
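
As an added example, not code from this thread or from OpenVPN itself, a small Python triage script that reads journal lines in the layout quoted above and separates peers that got as far as a TLS handshake from peers that only sent a bad encapsulated length right after the TCP accept (the port-scan pattern guessed at in the mail); it also flags a process whose "cannot read CRL" line is not followed by a successful load, since in both excerpts the load succeeds in the same second. The host name, PIDs and client addresses in the sample log are constructed.

```python
import re

# Constructed sample in the layout of the journal excerpts quoted in the mail;
# host name, PIDs and client addresses are made up for this example.
SAMPLE_LOG = """\
Jun 17 06:22:10 vpnhost tcp[725460]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
Jun 17 06:22:10 vpnhost tcp[725460]: CRL: loaded 1 CRLs from file /etc/openvpn/ca/crl.pem
Jun 17 06:22:10 vpnhost tcp[725460]: TCP connection established with [AF_INET6]::ffff:198.51.100.7:58502
Jun 17 06:22:10 vpnhost tcp[725460]: 198.51.100.7:58502 WARNING: Bad encapsulated packet length from peer (19783), which must be > 0 and <= 1768 -- [Attempting restart...]
Jun 16 09:40:55 vpnhost tcp[452155]: TCP connection established with [AF_INET6]::ffff:203.0.113.9:16938
Jun 16 09:40:56 vpnhost tcp[452155]: 203.0.113.9:16938 TLS: Initial packet from [AF_INET6]::ffff:203.0.113.9:16938, sid=4bf33698 ca589ff5
Jun 16 09:40:56 vpnhost tcp[452155]: 203.0.113.9:16938 VERIFY OK: depth=1, DC=de, DC=charite, CN=Charite Zertifizierungsstelle
Jun 18 01:00:00 vpnhost tcp[900001]: CRL: cannot read CRL from file /etc/openvpn/ca/crl.pem
"""

# "<month> <day> <time> <host> <ident>[<pid>]: <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \S+\[(\d+)\]: (.*)$")
ESTABLISHED_RE = re.compile(r"established with \[AF_INET6\]::ffff:([\d.]+:\d+)$")
PEER_RE = re.compile(r"^([\d.]+:\d+) (.*)$")
# Strongest evidence of a real OpenVPN client first; garbage length right
# after the accept is the pattern the mail attributes to a port scan.
LABELS = [("VERIFY OK", "verified"), ("TLS: Initial packet", "handshake"),
          ("Bad encapsulated packet length", "probe")]

def parse(log_text):
    """Yield (pid, message) for each line in the journal layout above."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        yield m.group(1), m.group(2)

def classify_peers(log_text):
    """Map each accepted TCP peer (ip:port) to verified/handshake/probe/unknown."""
    events = {}
    for _pid, msg in parse(log_text):
        m = ESTABLISHED_RE.search(msg)
        p = PEER_RE.match(msg)
        if m:
            events.setdefault(m.group(1), [])  # per-peer event lines follow the accept
        elif p and p.group(1) in events:
            events[p.group(1)].append(p.group(2))
    return {peer: next((lab for pat, lab in LABELS if any(pat in e for e in evs)), "unknown")
            for peer, evs in events.items()}

def unrecovered_crl_failures(log_text):
    """PIDs whose 'cannot read CRL' was never followed by 'loaded N CRLs'; only
    these deserve an alert, the paired failure/load seen in the mail is noise."""
    pending = set()
    for pid, msg in parse(log_text):
        if msg.startswith("CRL: cannot read CRL"):
            pending.add(pid)
        elif msg.startswith("CRL: loaded"):
            pending.discard(pid)
    return sorted(pending)
```

Feed it `journalctl -u <unit> --no-pager` output and alert only on the `probe` peers and the unrecovered PIDs rather than on every "cannot read CRL" line.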
