Problem with default Cipher on OS X

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.
Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
Post Reply
macfreek
OpenVpn Newbie
Posts: 2
Joined: Sat Feb 11, 2012 1:30 pm

Problem with default Cipher on OS X

Post by macfreek » Sat Feb 11, 2012 5:20 pm

Hi,

Since I'm curious about IPv6 support, I tried to compile the latest version of OpenVPN. openvpn-201204 on FreeBSD compiles and seems to work fine.

openvpn-git-master (3a90edbd194140eef51c245edfcf9afc0ecb2d13) on Mac OS X fails:

Code: Select all

% sudo make check
...
SKIP: t_client.sh
Sat Feb 11 13:50:55 2012 OpenVPN 2.x-master x86_64-apple-darwin11.2.0 [SSL (OpenSSL)] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 11 2012
Sat Feb 11 13:50:55 2012 OpenVPN 2.x-master x86_64-apple-darwin11.2.0 [SSL (OpenSSL)] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 11 2012
Sat Feb 11 13:50:55 2012 Cipher 'BF-CBC' uses a mode not supported by OpenVPN in your current configuration.  CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
Sat Feb 11 13:50:55 2012 Exiting due to fatal error
FAIL: t_lpback.sh
...
This seems odd; BF-CBC is the default cipher, right?

My first idea was to check if openssl was correctly found, but I do not see anything out of the ordinary. Does anyone have advise I can investigate this?

Code: Select all

% ./configure --with-lzo-headers=/opt/local/include --with-lzo-lib=/opt/local/lib
...
configure: checking for pkcs11-helper Library and Header files...
checking pkcs11-helper-1.0/pkcs11h-core.h usability... no
checking pkcs11-helper-1.0/pkcs11h-core.h presence... no
checking for pkcs11-helper-1.0/pkcs11h-core.h... no
pkcs11-helper headers not found.
configure: checking for OpenSSL Crypto Library and Header files...
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking for EVP_CIPHER_CTX_init in -lcrypto... yes
checking for EVP_CIPHER_CTX_init in -leay32... no
checking that OpenSSL Library is at least version 0.9.6... yes
checking for EVP_CIPHER_CTX_set_key_length... yes
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for ENGINE_load_builtin_engines... yes
checking for ENGINE_register_all_complete... yes
checking for ENGINE_cleanup... yes
...

% /usr/local/sbin/openvpn --version  
OpenVPN 2.x-master x86_64-apple-darwin11.2.0 [SSL (OpenSSL)] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 11 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

  $ ./configure --with-lzo-headers=/opt/local/include --with-lzo-lib=/opt/local/lib

Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_OPENSSL USE_SSL

% otool -l /usr/local/sbin/openvpn
...
Load command 11
          cmd LC_LOAD_DYLIB
      cmdsize 64
         name /opt/local/lib/libssl.1.0.0.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 64
         name /opt/local/lib/libcrypto.1.0.0.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 1.0.0
compatibility version 1.0.0
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /opt/local/lib/liblzo2.2.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 3.0.0
compatibility version 3.0.0
Load command 14
          cmd LC_LOAD_DYLIB
      cmdsize 56
         name /usr/lib/libSystem.B.dylib (offset 24)
   time stamp 2 Thu Jan  1 01:00:02 1970
      current version 159.1.0
compatibility version 1.0.0
...

% /opt/local/bin/openssl ciphers
CDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

% /opt/local/bin/openssl version
OpenSSL 1.0.0f 4 Jan 2012

% uname -rsv
Darwin 11.2.0 Darwin Kernel Version 11.2.0: Tue Aug  9 20:54:00 PDT 2011; root:xnu-1699.24.8~1/RELEASE_X86_64

macfreek
OpenVpn Newbie
Posts: 2
Joined: Sat Feb 11, 2012 1:30 pm

Re: Problem with default Cipher on OS X

Post by macfreek » Sun Feb 12, 2012 10:14 am

Some more info:

The BF-CBC cipher seem normally compiled in:

Code: Select all

% /usr/local/sbin/openvpn --show-ciphers
...
BF-CBC 128 bit default key (variable)
...
I just tried to see if this error was always there. It seems to be introduced with the refactoring by Adriaan de Jong last year.

Revision e8c950f12dfd6187f084fb06b6fe6e57c030bdad works fine
Revision 670f9dd91aed7ac435b79c0e28e49fa7c256642c fails with the above error.

Revision 670f9dd91aed7ac435b79c0e28e49fa7c256642c has the following log
message: "Refactored cipher key types".

Post Reply