• Bug#1108963: v2.6.3 has a curious bug: AEAD and decrypt errors at key

    From grin@21:1/5 to All on Tue Jul 8 19:00:02 2025
    Package: openvpn
    Version: 2.6.3-1+deb12u3
    Severity: normal
    Tags: upstream, fixed-upstream, bookworm
    Control: notfound -1 2.5.1-3+deb11u1
    Control: fixed -1 2.6.14-1

    Somewhere between 2.5.1 and 2.6.3 there manifested a bug where a client
    can lose the connection around session key expiration, which is not
    detected by the server, which in turn causes a 60-second connection
    gap until resynchronisation. It seems to be only dependent on the server version.

    The effect is that the client may log a large amount of

    AEAD Decrypt error: cipher final failed

    errors, or in case of kernel module:

    ovpn_decrypt_one: error during decryption for peer 0, key-id 0: -74 ovpn_aead_decrypt: decrypt failed: -74

    errors when the server has expired the key, and it stays dead
    until server timeout (usually 60 seconds) expires and triggers a
    resync. From then on everything works fine until the next expiration.

    This seems to be fixed in v2.6.14 server, which is not in stable, nor
    in the backports. It probably should be.

    Thanks!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
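
A way to look for the outage pattern described in the report in a client log, as an added example that is not part of the original report or of OpenVPN: it groups the two quoted error signatures into bursts and keeps the bursts that last long enough to look like the gap before the server timeout. The timestamp prefix, the thresholds (5 s between errors, 30 s minimum duration, 5 errors minimum) and the sample log lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Error signatures quoted in the report (userspace and kernel-module variants).
SIGNATURES = (
    "AEAD Decrypt error: cipher final failed",
    "ovpn_aead_decrypt: decrypt failed",
)
# Assumed line prefix: "YYYY-MM-DD HH:MM:SS " (adjust for syslog or journald).
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

def decrypt_error_bursts(lines, max_gap=timedelta(seconds=5)):
    """Group decrypt-error lines into bursts; return (start, end, count) tuples."""
    bursts = []
    for line in lines:
        m = TS.match(line)
        if not m or not any(sig in line for sig in SIGNATURES):
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if bursts and ts - bursts[-1][1] <= max_gap:
            start, _, count = bursts[-1]
            bursts[-1] = (start, ts, count + 1)   # extend the current burst
        else:
            bursts.append((ts, ts, 1))            # start a new burst
    return bursts

def suspected_rekey_gaps(lines, min_duration=timedelta(seconds=30), min_count=5):
    """Keep bursts long and dense enough to look like the outage described."""
    return [b for b in decrypt_error_bursts(lines)
            if b[1] - b[0] >= min_duration and b[2] >= min_count]

# Constructed sample log (not from the report): one long burst, one stray error.
SAMPLE = (
    ["2025-07-08 18:00:%02d AEAD Decrypt error: cipher final failed" % s
     for s in range(0, 60, 4)]
    + ["2025-07-08 18:01:02 Initialization Sequence Completed",
       "2025-07-08 18:30:10 AEAD Decrypt error: cipher final failed"]
)

if __name__ == "__main__":
    for start, end, count in suspected_rekey_gaps(SAMPLE):
        secs = int((end - start).total_seconds())
        print(f"{start} .. {end}: {count} decrypt errors over {secs}s")
```

Comparing the start times of the reported bursts with the configured key renegotiation interval shows whether the outages line up with key expiration, as the report describes.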