05-14-2008, 07:05 PM
Markus Schönhaber

OpenVPN aborts after OpenSSL update

Hi,

in case anyone else stumbles into this:
after updating all open* packages I had OpenVPN clients shutting down on
re-establishing the connection after the daily forced interruption of
the underlying DSL connection and OpenVPN servers shutting down after
the first client tried to connect. In both cases the logs said that the
corresponding client (resp. server) key was vulnerable. Needless to say
that all keys were newly generated and a manual run of openssl-vulnkey
reported them as not blacklisted.
strace'ing revealed that openssl-vulnkey wasn't able to read the key
files at all because it was called at a time when OpenVPN had already
dropped root privileges, but the key files are only root-readable.
I don't have the slightest idea why the check of the keys isn't just
made once on startup.
The obvious workaround is to run OpenVPN as root (I wouldn't recommend
that) or to chown the key files to the user OpenVPN runs as.

<rant>
The brilliant idea of a Debian developer to fix what isn't broken has
caused me a *lot* of work.
And the brilliant idea of checking keys when unable to actually do it
has gifted me with phone calls at hours when no admin should be disturbed.
I'm really fed up.
</rant>

Regards
mks

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
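
An added diagnostic, not part of the original post and not OpenVPN or Ubuntu code: it reads the `user`, `group` and `key` directives of an OpenVPN config and lists the key files that the account OpenVPN drops to cannot read, which is the condition described in the post above. It assumes classic owner/group/other mode bits only (no ACLs, no parent-directory checks) and resolves relative key paths against the config file's directory.

```python
# Added example. Assumptions: mode bits only; relative paths resolved against base_dir.
import grp, os, pwd, shlex, stat, sys

def parse_conf(text):
    """Return (user, group, key_paths) from OpenVPN config text."""
    user = group = None
    keys = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#", ";")):   # OpenVPN comment lines
            continue
        words = shlex.split(raw, comments=True)
        if len(words) < 2:
            continue
        if words[0] == "user":
            user = words[1]
        elif words[0] == "group":
            group = words[1]
        elif words[0] == "key":
            keys.append(words[1])
    return user, group, keys

def can_read(st, uid, gids):
    """Owner/group/other read check on a stat result; root always passes."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def unreadable_keys(conf_text, uid, gids, base_dir="."):
    """List key files named in the config that uid/gids cannot read."""
    _, _, keys = parse_conf(conf_text)
    paths = [os.path.join(base_dir, k) for k in keys]
    return [p for p in paths if not can_read(os.stat(p), uid, gids)]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_keys.py /path/to/openvpn.conf")
    with open(sys.argv[1]) as fh:
        text = fh.read()
    user, group, _ = parse_conf(text)
    if user is None:
        sys.exit("no 'user' directive: OpenVPN keeps its starting uid")
    pw = pwd.getpwnam(user)
    gids = {grp.getgrnam(group).gr_gid} if group else set(os.getgrouplist(user, pw.pw_gid))
    for path in unreadable_keys(text, pw.pw_uid, gids, os.path.dirname(sys.argv[1])):
        print(f"{path}: not readable by {user} after privilege drop")
```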
 
05-14-2008, 11:03 PM
Markus Schönhaber

OpenVPN aborts after OpenSSL update

Markus Schönhaber wrote:

> strace'ing revealed that openssl-vulnkey wasn't able to read the key
> files at all because it was called at a time when OpenVPN had already
> dropped root privileges, but the key files are only root-readable.
> I don't have the slightest idea why the check of the keys isn't just
> made once on startup.

Fixed:
http://www.ubuntu.com/usn/usn-612-6

Regards
mks

 
05-15-2008, 12:07 AM
NoOp

OpenVPN aborts after OpenSSL update

On 05/14/2008 04:03 PM, Markus Schönhaber wrote:
> Markus Schönhaber wrote:
>
>> strace'ing revealed that openssl-vulnkey wasn't able to read the key
>> files at all because it was called at a time when OpenVPN had already
>> dropped root privileges, but the key files are only root-readable.
>> I don't have the slightest idea why the check of the keys isn't just
>> made once on startup.
>
> Fixed:
> http://www.ubuntu.com/usn/usn-612-6

Now if I could only get ssh fixed on my Gutsy machine...

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/230174


 

All times are GMT.