Re: [Ocf-linux-users] ocf-linux / openvpn
From: David M. <Dav...@se...> - 2008-05-11 23:04:37
Jivin Mark lays it down ...
> Hi
>
> Good news... I was able to get it working. Removing support
> for cryptodev-digests did the trick. It seems that cryptodev-digests
> support is somehow broken...

Great, thanks for that. That makes it a lot easier. It may be an endian
thing as the systems we use here are big-endian, otherwise I probably
broke it when I added the configure option.

The truth is, on all but the slowest of systems you are better off
disabling that option anyway. There is too much overhead getting the data
into and out of the kernel,

Cheers,
Davidm

> On 5/9/08, David McCullough <Dav...@se...> wrote:
> >
> > Jivin Nikola Ciprich lays it down ...
> >
> > > Hello Mark!
> > > I'm observing the same problem on our GEODE based system. I've tracked it to be certificates problem.
> > > If I enable OCF, openssl gets unable to even create certificate, so there is something wrong there with it, ie it's not really openvpn specific.
> >
> >
> > What command are you running here ?
> >
> >
> > > Does somebody know where the problem could be?
> > > Could we do something to help fixing the issue?
> >
> >
> > I don't know what could be happening here unfortunately, I haven't had
> > a chance to look at it but as luck would have it one of the guys here is
> > playing with OpenVPN at the moment. I'll see if he has time to test it
> > out.
> >
> > If possible, can you get two ocf-enabled openvpn boxes to talk ?
> >
> > I know we generate certs on ocf enabled devices all the time so I am
> > wondering if this is something to do with the kernel crypto or perhaps
> > even the geode driver.
> >
> > Can you try using cryptosoft without the geode HW support enabled ?
> > That might show up something,
> >
> > Thanks,
> > Davidm
> >
> > > On Wed, May 07, 2008 at 07:10:09PM +0200, ic...@gm... wrote:
> > > > Hi
> > > >
> > > > Is somebody running openvpn with a openssl+ocf successfully?
> > > > As soon as I enable openssl's ocf support (through loading of the cryptodev
> > > > and cryptosoft kernel modules), openvpn is no longer able to setup the
> > > > vpn properly:
> > > >
> > > > May 7 18:59:19 fw openvpn[967]: VERIFY ERROR: depth=1,
> > > > error=certificate signature failure: /C=XX/ST=XX/L=XX/O=XX
> > > > May 7 18:59:19 fw openvpn[967]: TLS_ERROR: BIO read
> > > > tls_read_plaintext error: error:14090086:SSL
> > > > routines:SSL3_GET_SERVER_CERTI
> > > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS object -> incoming
> > > > plaintext read error
> > > > May 7 18:59:19 fw openvpn[967]: TLS Error: TLS handshake failed
> > > > May 7 18:59:19 fw openvpn[967]: TCP/UDP: Closing socket
> > > > May 7 18:59:19 fw openvpn[967]: SIGUSR1[soft,tls-error] received,
> > > > process restarting
> > > > May 7 18:59:19 fw openvpn[967]: Restart pause, 2 second(s)
> > > >
> > > > However, removing the kernel modules makes openvpn work again
> > > > (without changing a file, so certificates are really valid!)
> > > >
> > > > Reason for using ocf is, using the hw crypto accelerator of the geode cpu.
> > > >
> > > > To make sure, it's not related to the geode driver I used different ciphers
> > > > (geode only supports aes-128-cbc). Always with the same result... failed!
> > > >
> > > > Interestingly "openssl speed -engine dynamic -evp aes-128-cbc " and
> > > > cryptotest work fine.
> > > >
> > > > Versions I've used:
> > > > - openvpn 2.1_rc7
> > > > - openssl 0.9.8g
> > > > - ocf-linux 20080427 (20071215 + patch for 2.6.24+ posted on this list)
> > > > - linux 2.6.24.6 (+ geode patches from sebastian siewior, posted on
> > > > linux-crypto)
> > > >
> > > > Any ideas or suggestions how to debug this issue?
> > > >
> > > > Regards
> > > > Mark
> > > >
> > > > _______________________________________________
> > > > Ocf-linux-users mailing list
> > > > Ocf...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ocf-linux-users
> > > >
> > >
> > > --
> > > -------------------------------------
> > > Nikola CIPRICH
> > > LinuxBox.cz, s.r.o.
> > > 28. rijna 168, 709 01 Ostrava
> > >
> > > tel.: +420 596 603 142
> > > fax: +420 596 621 273
> > > mobil: +420 777 093 799
> > > www.linuxbox.cz
> > >
> > > mobil servis: +420 737 238 656
> > > email servis: se...@li...
> > > -------------------------------------
> > >
> >
> > --
> > David McCullough, dav...@se..., Ph:+61 734352815
> > Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
>

--
David McCullough, dav...@se..., Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
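
In the thread above, the cipher benchmark passed while certificate verification failed, and the fix was removing cryptodev-digests support; a cipher test never exercises the digest path. The following is an added example, not part of the original message or of ocf-linux: a known-answer test that runs `openssl dgst` over the standard "abc" vectors, optionally through an engine. The engine id `cryptodev` in the usage comment is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Known-answer test (KAT) for OpenSSL digests, with or without an engine.
# Vectors: the standard published MD5 and SHA-1 digests of the 3-byte
# message "abc". The engine id passed to kat_run is an assumption.

# kat_expected ALG: print the known-good hex digest of "abc".
kat_expected() {
    case "$1" in
        md5)  echo 900150983cd24fb0d6963f7d28e17f72 ;;
        sha1) echo a9993e364706816aba3e25717850c26c9cd0d89d ;;
        *)    return 1 ;;
    esac
}

# digest_abc ALG [ENGINE]: hex digest of "abc" as computed by openssl dgst.
# Takes the last field of the last line, so "(stdin)= <hex>" and a bare
# "<hex>" both parse.
digest_abc() {
    if [ -n "${2:-}" ]; then
        printf 'abc' | openssl dgst -engine "$2" "-$1" 2>/dev/null
    else
        printf 'abc' | openssl dgst "-$1" 2>/dev/null
    fi | tail -n 1 | awk '{ print $NF }'
}

# kat_compare ALG HEX: succeed only if HEX equals the known answer.
kat_compare() {
    kat_want=$(kat_expected "$1") || return 2
    [ "$2" = "$kat_want" ]
}

# kat_run [ENGINE]: check every vector; non-zero status if any digest is wrong.
kat_run() {
    kat_rc=0
    for kat_alg in md5 sha1; do
        kat_got=$(digest_abc "$kat_alg" "${1:-}")
        if kat_compare "$kat_alg" "$kat_got"; then
            echo "$kat_alg: ok"
        else
            echo "$kat_alg: MISMATCH (got '$kat_got')"
            kat_rc=1
        fi
    done
    return $kat_rc
}

# Usage: kat_run            # software digests (baseline)
#        kat_run cryptodev  # digests through the engine under test
```

A mismatch that appears only on the engine run points at the offloaded digest path rather than at the certificates or the OpenVPN configuration.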