
Bug#997981: ocserv crashes on client connection


Michael Scheffler

Oct 28, 2021, 3:50:03 AM
Package: ocserv
Version: 0.12.2-3
Severity: important

Dear Maintainer,

after the latest system updates, ocserv keeps crashing on client connection. Everything worked fine before:

---*snipp*---
Oct 28 09:27:19 smartha ocserv[30927]: main:192.168.xxx.xxx:55148 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 28 09:27:19 smartha kernel: traps: ocserv-worker[30975] general protection ip:7f3e978b613b sp:7ffc56528148 error:0 in libc-2.28.so[7f3e97836000+148000]
Oct 28 09:27:19 smartha ocserv[30927]: main:192.168.xxx.xxx:55150 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 28 09:27:19 smartha kernel: traps: ocserv-worker[30977] general protection ip:7f3e978b613b sp:7ffc56528148 error:0 in libc-2.28.so[7f3e97836000+148000]
---*snipp*---

The server is using password authentication. I manually compiled the latest version (1.1.3) and everything works fine again. Same with 1.1.2 from bullseye.


-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ocserv depends on:
ii dbus 1.12.20-0+deb10u1
ii libc6 2.28-10
ii libev4 1:4.25-1
ii libgeoip1 1.6.12-1
ii libgnutls30 3.6.7-4+deb10u7
ii libgssapi-krb5-2 1.17-3+deb10u3
ii libhttp-parser2.8 2.8.1-1+deb10u1
ii liblz4-1 1.8.3-1+deb10u1
ii libnettle6 3.4.1-1+deb10u1
ii libnl-3-200 3.4.0-1
ii libnl-route-3-200 3.4.0-1
ii liboath0 2.6.1-1.3
ii libpam0g 1.3.1-5
ii libpcl1 1.12-1
ii libprotobuf-c1 1.3.1-1+b1
ii libradcli4 1.2.6-4
ii libreadline7 7.0-5
ii libseccomp2 2.3.3-4
ii libsystemd0 241-7~deb10u8
ii libtalloc2 2.1.14-2
ii libtasn1-6 4.13-3
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii ssl-cert 1.0.39

Versions of packages ocserv recommends:
ii ca-certificates 20200601~deb10u2
ii gnutls-bin 3.6.7-4+deb10u7

ocserv suggests no packages.

-- Configuration Files:
/etc/ocserv/ocserv.conf changed [not included]

-- no debconf information
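
Added example (not part of the original report or of ocserv): a small triage script that parses the kernel "traps:" lines quoted above and groups crashes by faulting offset inside the mapped object, which shows both worker crashes hit the same spot in libc. The function names are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import Counter

# Sample input: log lines copied from the report above.
SAMPLE = """\
Oct 28 09:27:19 smartha kernel: traps: ocserv-worker[30975] general protection ip:7f3e978b613b sp:7ffc56528148 error:0 in libc-2.28.so[7f3e97836000+148000]
Oct 28 09:27:19 smartha ocserv[30927]: main:192.168.xxx.xxx:55150 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 28 09:27:19 smartha kernel: traps: ocserv-worker[30977] general protection ip:7f3e978b613b sp:7ffc56528148 error:0 in libc-2.28.so[7f3e97836000+148000]
"""

# Kernel user-fault line: traps: comm[pid] <kind> ip:.. sp:.. error:.. in obj[start+size]
TRAP_RE = re.compile(
    r"traps: (?P<comm>[^\[]+)\[(?P<pid>\d+)\] (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<start>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_trap(line):
    """Return a dict for a kernel 'traps:' line, or None for any other line."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    ip = int(m["ip"], 16)
    rec = {"comm": m["comm"], "pid": int(m["pid"]), "kind": m["kind"],
           "object": m["obj"], "offset": None}
    if m["obj"]:
        start, size = int(m["start"], 16), int(m["size"], 16)
        # The bracketed value is the start of the mapping that contains ip,
        # so the offset is relative to that mapping. It is stable across
        # ASLR, but it is not necessarily the offset within the file on disk.
        if start <= ip < start + size:
            rec["offset"] = ip - start
    return rec

def group_crashes(text):
    """Count crashes per (process, fault kind, object, offset in mapping)."""
    sites = Counter()
    for line in text.splitlines():
        rec = parse_trap(line)
        if rec:
            sites[(rec["comm"], rec["kind"], rec["object"], rec["offset"])] += 1
    return sites

if __name__ == "__main__":
    for (comm, kind, obj, off), n in group_crashes(SAMPLE).items():
        where = f"{obj}+{off:#x}" if off is not None else "unknown"
        print(f"{n}x {comm}: {kind} at {where}")
```
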

Thomas Glanzmann

Dec 7, 2021, 5:20:03 AM
Hello,
I have the same issue. I'm on Debian 10 amd64 with 0.12.2-3. I also
tried 1.1.2-2~bpo10+1. This issue is related to something Letsencrypt
changed. The last Letsencrypt Certificate was from 8th October. Tonight
I renewed my Letsencrypt Certificate automatically. After that, before
the login prompt, ocserv was crashing. From the client it looked like
that:

(nuc) [~] openconnect vpn.company.com
POST https://vpn.company.com/
Connected to 1.2.3.4:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Error reading HTTP response: Invalid argument
GET https://vpn.company.com/
Connected to 1.2.3.4:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Error reading HTTP response: Invalid argument
Failed to obtain WebVPN cookie

From the server side it looked like that:

Dec 7 04:00:58 debian ocserv[6166]: main: main.c:983: Child 6178 died with sigsegv
... 180 ... similar entries skipped.

I was able to restore operation by compiling ocserv from source:

sudo apt-get build-dep -y ocserv
wget https://www.infradead.org/ocserv/download/ocserv-1.1.5.tar.xz
tar xfJ ocserv-1.1.5.tar.xz
cd ocserv-1.1.5
sudo mkdir -p /local/ocserv
sudo chown <myuser> /local/ocserv
./configure --prefix=/local/ocserv
make
make install
sudo /etc/init.d/ocserv stop
sudo /local/ocserv/sbin/ocserv -c /etc/ocserv/ocserv.conf

However I'll upgrade to Debian 11 tonight. Debian 11 doesn't have this problem,
because I have several other ocserv on Debian 11, which don't have the issue.

Cheers,
Thomas