Regression #11785

closed

OpenSSL "Operation not supported" error with cryptodev in certain cases

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Very High
Assignee:
Category: FreeBSD
Target version:
Start date: 04/06/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Force Exclusion
Affected Version: 2.5.1
Affected Architecture:

Description

It's not clear what specifically is triggering this, but with AES-NI+cryptodev loaded, I have a VM which is failing to start OpenVPN. If I disable AES-NI+cryptodev, it works.

Looks like it's an issue in OpenSSL 1.1.1k that's being worked on upstream: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254643

Apr 6 10:08:23     openvpn     60652     Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 6 10:08:23     openvpn     60652     OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 5 2021
Apr 6 10:08:23     openvpn     60652     library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Apr 6 10:08:23     openvpn     60725     NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 6 10:08:23     openvpn     60725     OpenSSL: error:0201502D:system library:ioctl:Operation not supported
Apr 6 10:08:23     openvpn     60725     EVP cipher init #2
Apr 6 10:08:23     openvpn     60725     Exiting due to fatal error

Related issues

Has duplicate Bug #11774: unbound control shows SSL error (Duplicate, 04/02/2021)

Actions #1

Updated by Jim Pingle over 3 years ago

  • Target version set to 2.5.1

Actions #2

Updated by Jim Pingle over 3 years ago

It appears to be tied to cryptodev and not AES-NI. I can have aesni.ko loaded and it works OK, but fails when loading cryptodev.ko.

Actions #3

Updated by Greg Shaffer over 3 years ago

This affects more than just OpenVPN. With cryptographic device set to both AES-NI and Crypto Dev I was seeing errors in my resolver.log and I was not getting any data in Status > DNS Resolver.

resolver.log errors:
Apr 5 17:23:25 egis unbound41328: [41328:0] notice: failed connection from 127.0.0.1 port 53493
Apr 5 17:23:25 egis unbound41328: [41328:0] error: remote control failed ssl crypto error:0201502D:system library:ioctl:Operation not supported
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:1427D044:SSL routines:construct_stateless_ticket:internal error
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:0201502D:system library:ioctl:Operation not supported

Output from "/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf dump_infra"
error: could not SSL_read
34375933952:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/build/ce-crossbuild-251/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 80

Setting cryptographic hardware to just AES-NI resolved these issues.

Actions #4

Updated by Jim Pingle over 3 years ago

I couldn't reproduce that one before but it's entirely possible I didn't test it on this particular setting. It doesn't surprise me that it's affecting other things, pretty much anything using OpenSSL could potentially trigger it.
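
Since any OpenSSL consumer can hit the same failure once cryptodev.ko is loaded, a quick way to triage a box is to scan its logs for the exact OpenSSL reason string quoted in this report and list which daemons produced it. The script below is an added example, not part of the pfSense issue or of the fix that reverted the change; the log lines are constructed in standard syslog format modelled on the OpenVPN and Unbound messages above, and the host name "fw" and the sshd line are assumptions. On FreeBSD it also reports whether cryptodev.ko is loaded via kldstat; on other systems it prints "unknown" for that check.

```shell
#!/bin/sh
# Added triage helper (example code, not from the pfSense project). It counts
# occurrences of the OpenSSL cryptodev ioctl failure seen in this regression,
# names the daemons that logged it, and checks whether cryptodev.ko is loaded.

# Constructed sample log lines in standard syslog layout, modelled on the
# OpenVPN and Unbound messages in the report. Host "fw" and the sshd line are
# made up so the scan has a non-matching line to skip.
SAMPLE_LOG='Apr 6 10:08:23 fw openvpn[60725]: OpenSSL: error:0201502D:system library:ioctl:Operation not supported
Apr 6 10:08:23 fw openvpn[60725]: EVP cipher init #2
Apr 5 17:23:25 fw unbound[41328]: [41328:0] error: remote control failed ssl crypto error:0201502D:system library:ioctl:Operation not supported
Apr 5 17:23:26 fw sshd[1234]: Accepted publickey for admin from 192.0.2.10'

# The OpenSSL reason string produced when cryptodev.ko is loaded (from the report).
CRYPTODEV_ERR='error:0201502D:system library:ioctl:Operation not supported'

# Count log lines (read from stdin) carrying the cryptodev ioctl error.
# grep -c exits 1 when nothing matches, so '|| true' keeps 'set -e' scripts alive.
count_cryptodev_errors() {
    grep -c -F "$CRYPTODEV_ERR" || true
}

# Print the distinct daemon names that logged the error, one per line.
# The daemon is the fifth syslog field; the "[pid]:" suffix is stripped.
affected_daemons() {
    grep -F "$CRYPTODEV_ERR" \
        | awk '{ sub(/\[.*$/, "", $5); sub(/:$/, "", $5); print $5 }' \
        | sort -u
}

# Report "yes"/"no" for cryptodev.ko on FreeBSD; "unknown" where kldstat is absent.
cryptodev_loaded() {
    if command -v kldstat >/dev/null 2>&1; then
        if kldstat -q -m cryptodev; then echo yes; else echo no; fi
    else
        echo unknown
    fi
}

# Stand-alone run: summarise the constructed sample. On a real system, feed
# /var/log/system.log (or the OpenVPN/resolver logs) to the functions instead.
echo "cryptodev.ko loaded: $(cryptodev_loaded)"
echo "cryptodev ioctl errors: $(printf '%s\n' "$SAMPLE_LOG" | count_cryptodev_errors)"
echo "affected daemons:"
printf '%s\n' "$SAMPLE_LOG" | affected_daemons
```

If the error count is non-zero and cryptodev.ko is loaded, the fix on the affected 2.5.1 builds was to stop loading cryptodev (AES-NI alone was fine) or move to the snapshot in which the change was reverted.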

Actions #5

Updated by Jim Pingle over 3 years ago

  • Has duplicate Bug #11774: unbound control shows SSL error added

Actions #6

Updated by Renato Botelho over 3 years ago

  • Status changed from New to Feedback
  • Assignee set to Luiz Souza

Luiz reverted the changes that introduced this issue on both the devel and RC branches.

Actions #7

Updated by Jim Pingle over 3 years ago

Latest snapshot is working fine here. Same VM before which could reproduce the OpenVPN and Unbound errors with cryptodev loaded is OK now. No more errors, OpenVPN is running and connected, unbound-control returns expected results.

Will leave open for a few more hours to get additional feedback.

Actions #8

Updated by Greg Shaffer over 3 years ago

2.5.1.r.20210406.1302 resolved the issues I was seeing as reported above (#3). Thanks!

Actions #9

Updated by Renato Botelho over 3 years ago

  • Status changed from Feedback to Resolved

Fixed according to feedback.

Actions #10

Updated by Jim Pingle over 3 years ago

  • Release Notes changed from Default to Force Exclusion

Exclude from release notes since it regressed after the previous release.
