From: Jan J. K. <ja...@ni...> - 2019-07-24 11:20:58

On 24/07/19 12:29, Jan Just Keijser wrote:
>
> On 23/07/19 19:11, Stephen Reese wrote:
>>
>> Let me dive into this deeper, but this did not use to happen -
>> I've used CentOS 6+7 icw OpenVPN for years, including
>> client-connect scripts and have never seen coredumps like that.
>> Are you using selinux? auditing? what is your policy on those?
>>
>>
>> I had SELinux disabled (permissive) and did not enable any special
>> auditing. The image used is from https://github.com/plus3it/spel and
>> running in AWS.
>
>
> just tried this on a "plain" CentOS 7 box and I am not seeing any seg
> faults upon client-connect; this is with the EPEL version of OpenVPN
> 2.4.7.
>
> The openssl library on RHEL/CentOS 7 is indeed FIPS compliant, but
> FIPS mode still needs to be explicitly enabled inside an application,
> usually using FIPS_mode_set().
> You can check whether your version of OpenVPN has been patched to do
> this by running:
>
> # objdump -tT /usr/sbin/openvpn | grep FIPS
>
> ( no output, meaning no FIPS calls )
>
> In contrast to:
>
> # objdump -tT /usr/bin/openssl | grep FIPS
> 0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode
> 0000000000000000 DF *UND* 0000000000000000 libcrypto.so.10 FIPS_mode_set
>
>
> I've looked at the github page but it's too much of a bother to
> actually get/build such an image (for my VMware player). If you can
> provide me with a prebuilt image, including root access I can have a
> quick peek.
>

as a follow-up: I've tried to get my CentOS box to boot in 'fips mode' (by following this recipe https://www.dogtagpki.org/wiki/Enabling_FIPS_Mode_on_RHEL_7) yet my server stubbornly refuses to have fips mode enabled at the system level

# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

so perhaps that explains the difference between what I am seeing and what you are seeing.... if "system-level fips" does cause all applications to automatically go into "fips mode" then that would explain the segfaults you are seeing.
The only solution is to disable FIPS mode in that case.

HTH,

JJK
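The two checks discussed in this thread (the system-level crypto.fips_enabled flag and grepping `objdump -tT` output for FIPS symbols) combined into one diagnostic, as an added example that is not part of the thread or of OpenVPN; the function names and verdict strings are my own, and the objdump output format is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Usage: sh fips_check.sh /usr/sbin/openvpn

# Print the FIPS_* dynamic symbols found in "objdump -tT" output read
# from stdin (the symbol name is the last field of each line).
fips_symbols() {
    awk '$NF ~ /^FIPS_/ { print $NF }' | sort -u
}

# Classify the situation given the system FIPS flag (0 or 1, as read
# from "sysctl -n crypto.fips_enabled" or /proc/sys/crypto/fips_enabled)
# as $1 and the FIPS symbol list (one per line) on stdin.
fips_assessment() {
    fips_enabled="$1"
    symbols=$(cat)
    if [ -n "$symbols" ]; then has_calls=1; else has_calls=0; fi
    case "${fips_enabled}${has_calls}" in
        00) echo "no-fips: system FIPS off, binary makes no FIPS calls" ;;
        01) echo "app-fips: system FIPS off, binary can enable FIPS itself via FIPS_mode_set" ;;
        10) echo "mismatch: system FIPS on but binary never calls FIPS_mode_set; OpenSSL may be forced into FIPS mode behind the application's back" ;;
        11) echo "consistent: system FIPS on and binary is FIPS-aware" ;;
        *)  echo "unknown: unexpected fips_enabled value '$fips_enabled'" ;;
    esac
}

# Live check of one binary on this host (needs objdump from binutils).
check_binary() {
    bin="$1"
    enabled=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    objdump -tT "$bin" 2>/dev/null | fips_symbols | fips_assessment "$enabled"
}

# Only run the live check when a binary path was given on the command line.
if [ "$#" -gt 0 ]; then
    check_binary "$1"
fi
```

The "mismatch" verdict is the combination the thread suspects of producing segfaults: a kernel that reports FIPS enabled while the OpenVPN binary itself contains no FIPS_mode_set call.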