Regression #11785
closed
OpenSSL "Operation not supported" error with cryptodev in certain cases
Added by Jim Pingle over 3 years ago.
Updated over 3 years ago.
Release Notes:
Force Exclusion
Description
It's not clear what specifically is triggering this, but with AES-NI+cryptodev loaded, I have a VM which is failing to start OpenVPN. If I disable AES-NI+cryptodev, it works.
Looks like it's an issue in OpenSSL 1.1.1k that's being worked on upstream: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254643
Apr 6 10:08:23 openvpn 60652 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 6 10:08:23 openvpn 60652 OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 5 2021
Apr 6 10:08:23 openvpn 60652 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
Apr 6 10:08:23 openvpn 60725 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 6 10:08:23 openvpn 60725 OpenSSL: error:0201502D:system library:ioctl:Operation not supported
Apr 6 10:08:23 openvpn 60725 EVP cipher init #2
Apr 6 10:08:23 openvpn 60725 Exiting due to fatal error
- Target version set to 2.5.1
It appears to be tied to cryptodev and not AES-NI. I can have aesni.ko loaded and it works OK, but fails when loading cryptodev.ko.
This affects more than just OpenVPN. With cryptographic device set to both AES-NI and Crypto Dev I was seeing errors in my resolver.log and I was not getting any data in Status > DNS Resolver.
resolver.log errors:
Apr 5 17:23:25 egis unbound41328: [41328:0] notice: failed connection from 127.0.0.1 port 53493
Apr 5 17:23:25 egis unbound41328: [41328:0] error: remote control failed ssl crypto error:0201502D:system library:ioctl:Operation not supported
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:1427D044:SSL routines:construct_stateless_ticket:internal error
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:0201502D:system library:ioctl:Operation not supported
Output from "/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf dump_infra"
error: could not SSL_read
34375933952:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/build/ce-crossbuild-251/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 80
Setting cryptographic hardware to just AES-NI resolved these issues.
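The error strings quoted above are packed OpenSSL error codes, and the same ioctl failure shows up under OpenVPN, Unbound and unbound-control. The script below is an added triage example, not code from the ticket or from pfSense: it decodes the `error:XXXXXXXX:...` codes using the OpenSSL 1.1.x packing (8-bit library, 12-bit function, 12-bit reason), flags the `system library:ioctl:Operation not supported` pattern that indicates a loaded cryptodev engine whose kernel ioctl was refused, and lists which services were hit. The sample log is constructed from the lines in this report plus one healthy line; errno 45 being `EOPNOTSUPP` is FreeBSD-specific, and the `KNOWN_SERVICES` list is an assumption that the daemon name appears verbatim in each line.

```python
"""Triage OpenSSL error strings in service logs for the cryptodev ioctl failure.

Added example, not from the ticket or pfSense. Decodes packed OpenSSL 1.1.x
error codes found in log lines and flags the "system library:ioctl:Operation
not supported" pattern seen with cryptodev.ko loaded.
"""
import re

# OpenSSL 1.1.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SYS = 2               # "system library": the reason field carries the errno
ERR_LIB_SSL = 20              # "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # an SSL reason >= 1000 encodes a received TLS alert number
ERR_R_INTERNAL_ERROR = 68
EOPNOTSUPP_FREEBSD = 45       # errno 45 is EOPNOTSUPP on FreeBSD (assumption: FreeBSD host)

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)$")
# Daemons named in the report; assumption: the name appears verbatim in the line.
KNOWN_SERVICES = ("openvpn", "unbound")

# Constructed sample: lines quoted in this report plus one healthy Unbound line.
SAMPLE_LOG = """\
Apr 6 10:08:23 openvpn 60725 OpenSSL: error:0201502D:system library:ioctl:Operation not supported
Apr 6 10:08:23 openvpn 60725 EVP cipher init #2
Apr 5 17:23:25 egis unbound41328: [41328:0] error: remote control failed ssl crypto error:0201502D:system library:ioctl:Operation not supported
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:1427D044:SSL routines:construct_stateless_ticket:internal error
Apr 5 17:23:25 egis unbound41328: [41328:0] error: and additionally crypto error:0201502D:system library:ioctl:Operation not supported
34375933952:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/build/ce-crossbuild-251/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 80
Apr 5 17:30:00 egis unbound41328: [41328:0] info: service started (constructed healthy line)
"""


def decode_err(code: int):
    """Return (lib, func, reason) from a packed OpenSSL 1.1.x error code."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(lib: int, reason: int, func_name: str) -> str:
    """Map a decoded error to a short triage label."""
    if lib == ERR_LIB_SYS and func_name == "ioctl" and reason == EOPNOTSUPP_FREEBSD:
        # Engine is loaded but the kernel refused the crypto ioctl: the cryptodev case.
        return "cryptodev-ioctl-eopnotsupp"
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The peer sent a TLS alert; its number is the reason minus the offset.
        return "tls-alert-%d" % (reason - SSL_AD_REASON_OFFSET)
    if lib == ERR_LIB_SSL and reason == ERR_R_INTERNAL_ERROR:
        # Typically a knock-on effect of an earlier failure such as the one above.
        return "ssl-internal-error"
    return "other"


def scan_log(text: str):
    """Decode every OpenSSL error string in the log and attribute it to a service."""
    findings = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1), 16)
        lib, func, reason = decode_err(code)
        service = next((s for s in KNOWN_SERVICES if s in line), "unknown")
        findings.append({
            "service": service,
            "code": code, "lib": lib, "func": func, "reason": reason,
            "lib_name": m.group(2), "func_name": m.group(3),
            "reason_text": m.group(4).strip(),
            "label": classify(lib, reason, m.group(3)),
        })
    return findings


def services_hit_by_cryptodev(findings):
    """Distinct services whose logs show the cryptodev ioctl failure."""
    return sorted({f["service"] for f in findings
                   if f["label"] == "cryptodev-ioctl-eopnotsupp"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print("%-8s %08X lib=%-2d reason=%-4d %s" % (
            f["service"], f["code"], f["lib"], f["reason"], f["label"]))
    print("cryptodev failure seen in:", services_hit_by_cryptodev(found))
```

Running it against the constructed sample attributes the ioctl failure to both openvpn and unbound, while the `1427D044` and `14094438` lines decode to an SSL-library internal error and a received alert 80 respectively, matching the "SSL alert number 80" text in the unbound-control output. On a host where the same pattern appears after loading cryptodev.ko, the practical check is the one the reporters used: unload the module (or set the hardware crypto option to AES-NI only) and confirm the errors stop.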
I couldn't reproduce that one before, but it's entirely possible I didn't test it on this particular setting. It doesn't surprise me that it's affecting other things; pretty much anything using OpenSSL could potentially trigger it.
- Has duplicate Bug #11774: unbound control shows SSL error added
- Status changed from New to Feedback
- Assignee set to Luiz Souza
Luiz reverted the changes that introduced this issue on both the devel and RC branches.
Latest snapshot is working fine here. Same VM which could reproduce the OpenVPN and Unbound errors with cryptodev loaded before is OK now. No more errors, OpenVPN is running and connected, and unbound-control returns expected results.
Will leave open for a few more hours to get additional feedback.
2.5.1.r.20210406.1302 resolved the issues I was seeing as reported above (#3). Thanks!
- Status changed from Feedback to Resolved
Fixed according to feedback.
- Release Notes changed from Default to Force Exclusion
Exclude from release notes since it regressed after the previous release.