[Bug 218095] security/mbedtls

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 24 19:33:22 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218095

            Bug ID: 218095
           Summary: security/mbedtls
           Product: Ports & Packages
           Version: Latest
          Hardware: arm
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: tijl at FreeBSD.org
          Reporter: gmc at metro.cx
                CC: freebsd-arm at FreeBSD.org
             Flags: maintainer-feedback?(tijl at FreeBSD.org)

Created attachment 181161
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=181161&action=edit
client openvpn config

When upgrading my arm router that is running openvpn-mbedtls, the upgrade of
mbedtls to 2.4.2_1 breaks the ability to send traffic over the openvpn tunnel
(a tap ethernet bridge).

Apart from the upgrade I did not change the configuration of the openvpn client
or that of the server; the keys were the same (valid for several years from now).
Both server and client are ntp synced.

The logs on both the server and client side indicate no issue, and would show
the same as successful connections before the mbedtls upgrade. tcpdump on the
server even showed what looked like keep-alive pings and responses from the
client (every 10 seconds I would see a udp packet from port 1194 on the server
to the client and about one second later another udp packet in the opposite
direction).

At some point I noticed that the client openvpn was using 80 to 90% CPU
continuously, while normally it uses very little (up to 5% normally, 20% at
most when there is lots of traffic).

I then changed the server to use openvpn with openssl. That did not change
anything. Then I changed the client to openvpn with openssl and instantly
(without changing anything else) everything was back to normal. Traffic would
flow immediately after the openvpn connection was initiated.

The server is an amd64 machine in a datacenter, the client an armv5 device at
home behind an adsl connection. Packages for the armv5 device I compile with
poudriere on the amd64 machine.

Attached are a number of files: the client and server openvpn config files and the
poudriere build log.

Not sure where to report this, or whether anyone is even interested in this issue.
I'm now running openvpn with openssl. I'd rather use mbedtls, but the current
situation is an acceptable work-around.
