Re: [Ocf-linux-users] ocf-linux / openvpn
From: Mark <ic...@gm...> - 2008-05-10 16:04:18
Hi

Good news... I was able to get it working. Removing support for
cryptodev-digests did the trick. It seems that cryptodev-digests
support is somehow broken...

Regards
Mark

On 5/9/08, David McCullough <Dav...@se...> wrote:
>
> Jivin Nikola Ciprich lays it down ...
> > Hello Mark!
> > I'm observing the same problem on our GEODE based system. I've tracked it to be a certificates problem.
> > If I enable OCF, openssl gets unable to even create certificate, so there is something wrong there with it, ie it's not really openvpn specific.
>
> What command are you running here ?
>
> > Does somebody know where the problem could be?
> > Could we do something to help fixing the issue?
>
> I don't know what could be happening here unfortunately, I haven't had
> a chance to look at it but as luck would have it one of the guys here is
> playing with OpenVPN at the moment. I'll see if he has time to test it
> out.
>
> If possible, can you get two ocf-enabled openvpn boxes to talk ?
>
> I know we generate certs on ocf enabled devices all the time so I am
> wondering if this is something to do with the kernel crypto or perhaps
> even the geode driver.
>
> Can you try using cryptosoft without the geode HW support enabled ?
> That might show up something,
>
> Thanks,
> Davidm
>
> >
> > On Wed, May 07, 2008 at 07:10:09PM +0200, ic...@gm... wrote:
> > > Hi
> > >
> > > Is somebody running openvpn with an openssl+ocf successfully?
> > > As soon as I enable openssl's ocf support (through loading of the cryptodev
> > > and cryptosoft kernel modules), openvpn is no longer able to setup the
> > > vpn properly:
> > >
> > > May 7 18:59:19 fw openvpn[967]: VERIFY ERROR: depth=1,
> > > error=certificate signature failure: /C=XX/ST=XX/L=XX/O=XX
> > > May 7 18:59:19 fw openvpn[967]: TLS_ERROR: BIO read
> > > tls_read_plaintext error: error:14090086:SSL
> > > routines:SSL3_GET_SERVER_CERTI
> > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS object -> incoming
> > > plaintext read error
> > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS handshake failed
> > > May 7 18:59:19 fw openvpn[967]: TCP/UDP: Closing socket
> > > May 7 18:59:19 fw openvpn[967]: SIGUSR1[soft,tls-error] received,
> > > process restarting
> > > May 7 18:59:19 fw openvpn[967]: Restart pause, 2 second(s)
> > >
> > > However, removing the kernel modules makes openvpn work again
> > > (without changing a file, so certificates are really valid!)
> > >
> > > Reason for using ocf is, using the hw crypto accelerator of the geode cpu.
> > >
> > > To make sure, it's not related to the geode driver I used different ciphers
> > > (geode only supports aes-128-cbc). Always with the same result... failed!
> > >
> > > Interestingly "openssl speed -engine dynamic -evp aes-128-cbc " and
> > > cryptotest work fine.
> > >
> > > Versions I've used:
> > > - openvpn 2.1_rc7
> > > - openssl 0.9.8g
> > > - ocf-linux 20080427 (20071215 + patch for 2.6.24+ posted on this list)
> > > - linux 2.6.24.6 (+ geode patches from sebastian siewior, posted on
> > > linux-crypto)
> > >
> > > Any ideas or suggestions how to debug this issue?
> > >
> > > Regards
> > > Mark
> > >
> > > _______________________________________________
> > > Ocf-linux-users mailing list
> > > Ocf...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ocf-linux-users
> > >
> >
> > --
> > -------------------------------------
> > Nikola CIPRICH
> > LinuxBox.cz, s.r.o.
> > 28. rijna 168, 709 01 Ostrava
> >
> > tel.: +420 596 603 142
> > fax: +420 596 621 273
> > mobil: +420 777 093 799
> > www.linuxbox.cz
> >
> > mobil servis: +420 737 238 656
> > email servis: se...@li...
> > -------------------------------------
> >
>
> --
> David McCullough, dav...@se..., Ph:+61 734352815
> Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
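
The thread's conclusion (digests via cryptodev producing bad results, hence "certificate signature failure") can be checked directly with published test vectors. The script below is an added example and not part of the thread; the function names are hypothetical, and it assumes the OpenSSL build exposes an engine with the id `cryptodev`.

```shell
#!/bin/sh
# Added example (not from the thread): known-answer test for a digest command.
# Assumption: the OpenSSL build has an engine with id "cryptodev".

# check_digest ALG EXPECTED CMD...
# Feeds the string "abc" to CMD on stdin and compares the last field of the
# last output line (the hex digest) with the published test vector.
check_digest() {
    alg=$1; expected=$2; shift 2
    got=$(printf 'abc' | "$@" | tail -n 1 | awk '{print $NF}')
    if [ "$got" = "$expected" ]; then
        echo "ok   $alg"
        return 0
    fi
    echo "FAIL $alg: expected $expected, got ${got:-<no output>}"
    return 1
}

# kat_suite CMD...
# Runs the MD5 and SHA-1 "abc" vectors through CMD; non-zero if either fails.
kat_suite() {
    rc=0
    check_digest md5  900150983cd24fb0d6963f7d28e17f72 "$@" -md5 || rc=1
    check_digest sha1 a9993e364706816aba3e25717850c26c9cd0d89d "$@" -sha1 || rc=1
    return $rc
}

# Typical use: software path first, then the engine path.
#   kat_suite openssl dgst
#   kat_suite openssl dgst -engine cryptodev
if [ "$#" -gt 0 ]; then
    kat_suite "$@"
fi
```

A pass on the engine line only means something if the engine actually loaded; `openssl engine -c cryptodev` lists the algorithms it claims to handle.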