http://bugzilla.suse.com/show_bug.cgi?id=914166

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
            Summary|Openvpn dies when routing   |Openvpn dies when routing
                   |changes (possible wicked    |changes (fips patch bug)
                   |problem?)                   |
              Flags|                            |needinfo?(meissner@suse.com
                   |                            |)

--- Comment #4 from Marius Tomaschewski <mt@suse.com> ---
(In reply to Cornelius Mahlo from comment #3)
The problem is caused by openvpn-fips140-2.3.2.patch – unfortunately it is incomplete. Checksum calculation is changed from MD5 to SHA1, but now we try to compare SHA_DIGEST_LENGTH (20) bytes on two MD5_DIGEST_LENGTH (16) bytes fields. I would doubt it has ever worked (or by padding/memory accident).
For maintenance team - Please change/patch file “src/openvpn/crypto.h”:
- uint8_t digest [MD5_DIGEST_LENGTH];
- uint8_t digest [SHA_DIGEST_LENGTH];
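Review bot: Both lines of this change carry a "-" prefix; the second one, declaring the array with SHA_DIGEST_LENGTH, reads as the intended replacement and should be marked "+". Since the failure described is a 20-byte comparison against 16-byte fields, it would also be worth having the comparison sites take their length from sizeof the digest field, so the array size and the compared length cannot drift apart again.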
Yes, this seems to be IMO obviously wrong. Thanks! Marcus?
As a first workaround, you could keep root privileges for openvpn after initialization (comment out/remove “user nobody” and “group nobody” from client configuration). Please note that openvpn now keeps running, but the tunnel device will continue to close/reopen. Processes which depend on a persistent tunnel will still fail.
There is also an openvpn-down-root-plugin package which provides a plugin intended for this purpose -- unfortunately, it seems broken too now :-/

--
You are receiving this mail because:
You are on the CC list for the bug.
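The 20-versus-16-byte comparison described in the message above, as an added illustration that is not code from OpenVPN or from the patch: it shows why the result of such a compare depends on whatever bytes follow the digest field. The record layout, the function names and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MD5_LEN  16  /* value of MD5_DIGEST_LENGTH */
#define SHA1_LEN 20  /* value of SHA_DIGEST_LENGTH */

/* Hypothetical record: a 16-byte digest field followed by unrelated bytes.
 * A flat buffer keeps the 20-byte read inside one object, so the demo is
 * well-defined C; on a real 16-byte field the same read runs off the end. */
#define REC_LEN 24

/* Constructed sample data: fill the digest field, then the bytes after it. */
static void make_record(uint8_t rec[REC_LEN], uint8_t digest_byte, uint8_t neighbour)
{
    memset(rec, digest_byte, MD5_LEN);
    memset(rec + MD5_LEN, neighbour, REC_LEN - MD5_LEN);
}

/* Mismatched compare: length taken from the new hash, not from the field. */
static int equal_mismatched(const uint8_t *a, const uint8_t *b)
{
    return memcmp(a, b, SHA1_LEN) == 0;
}

/* Consistent compare: length is the declared size of the field. */
static int equal_field_sized(const uint8_t *a, const uint8_t *b)
{
    return memcmp(a, b, MD5_LEN) == 0;
}

/* Returns 1 when the two compares disagree for identical digest fields. */
static int compares_disagree(uint8_t neighbour_a, uint8_t neighbour_b)
{
    uint8_t a[REC_LEN], b[REC_LEN];
    make_record(a, 0xAB, neighbour_a);
    make_record(b, 0xAB, neighbour_b);
    return equal_field_sized(a, b) && !equal_mismatched(a, b);
}

int main(void)
{
    printf("same neighbours:      disagree=%d\n", compares_disagree(0x00, 0x00));
    printf("different neighbours: disagree=%d\n", compares_disagree(0x00, 0x5A));
    return 0;
}
```

With identical trailing bytes the oversized compare happens to agree with the correct one, which matches the "padding/memory accident" remark; once the trailing bytes differ, equal digests are reported as different.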