Created attachment 149397
Backport fix for openvpn with aesni.ko loaded

The issue is referenced here: https://community.openvpn.net/openvpn/ticket/480#ticket and here: https://redmine.pfsense.org/issues/3966

Whenever the aesni.ko module is loaded, openvpn doesn't work. The patch was sent upstream, but it would be good to have it available in ports.
Auto-assigned to maintainer mandree@FreeBSD.org
I just forwarded this to the openvpn-devel mailing list because there does not seem to be relevant traffic on that topic, nor relevant Git commits on master or release/2.3; however, the sourceforge.net site is currently and "temporarily" in static maintenance mode, so I expect delays. https://twitter.com/sfnet_ops
Please watch https://community.openvpn.net/openvpn/ticket/480 for the interim progress.
There is a patch against the upstream OpenVPN code, because yours seems to have caused some concern and issues. Renato, could you give that patch a spin and see if it works for you, too, without breaking too many other things? It's listed between comments #7 and #8 on https://community.openvpn.net/openvpn/ticket/480#comment:7
(In reply to Matthias Andree from comment #4) Ermal is going to test it ASAP.
A commit references this bug:

Author: mandree
Date: Mon Mar 30 18:37:25 UTC 2015
New revision: 382705
URL: https://svnweb.freebsd.org/changeset/ports/382705

Log:
  Add an experimental patch for bug #195004.
  Needs to be enabled through a port option.

  PR: 195004

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
The patch doesn't work; I updated the openvpn ticket.
Thank you! We'll see what we get from the OpenVPN developers.
Hi, OpenVPN developer (without decent FreeBSD experience) here. I wanted to mention that I think it is a bug that OpenSSL on FreeBSD by default prefers AES-NI through cryptodev over user-land AES-NI. Going through cryptodev is slower and arguably less secure than using AES-NI directly (using cryptodev increases the attack surface). Now, I'm not familiar with the platform, nor with the bug reporting procedures, so could any of you perhaps evaluate whether you agree with me, and in that case create a ticket to fix that behaviour? (I realize the openvpn issue is broader than AES-NI through cryptodev, so I will keep looking for a proper fix for the openvpn issue. I'll use the openvpn bugtracker to keep track of that.)
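A check for the configuration this comment describes (aesni.ko loaded while OpenSSL exposes the cryptodev engine), added here as an example; it is not code from the bug thread, from OpenVPN or from the FreeBSD port. It assumes the plain kldstat and openssl engine output formats and embeds constructed sample output so the decision logic can be exercised off a FreeBSD host.

```shell
#!/bin/sh
# Added example: report whether a host is in the state this bug concerns,
# i.e. aesni.ko is loaded AND OpenSSL lists the cryptodev engine, so OpenSSL
# crypto (and hence OpenVPN) would be routed through /dev/crypto.

# aesni_cryptodev_check KLDSTAT_OUTPUT OPENSSL_ENGINE_OUTPUT
# Prints a one-line verdict; returns 0 when both conditions hold, 1 otherwise.
aesni_cryptodev_check() {
    kld_out=$1
    eng_out=$2
    aesni=no
    cryptodev=no
    # kldstat prints one loaded module per line with the file name last.
    if printf '%s\n' "$kld_out" | grep -q 'aesni\.ko[[:space:]]*$'; then
        aesni=yes
    fi
    # "openssl engine" prints one engine per line as "(id) description".
    if printf '%s\n' "$eng_out" | grep -q '^(cryptodev)'; then
        cryptodev=yes
    fi
    echo "aesni.ko loaded: $aesni; OpenSSL cryptodev engine: $cryptodev"
    [ "$aesni" = yes ] && [ "$cryptodev" = yes ]
}

# Live check on a FreeBSD host; returns 2 when the tools are not present.
run_live_check() {
    command -v kldstat >/dev/null 2>&1 || { echo "kldstat not found"; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    aesni_cryptodev_check "$(kldstat 2>/dev/null)" "$(openssl engine 2>/dev/null)"
}

# Constructed sample output (not captured from a real machine) for offline use.
KLD_SAMPLE='Id Refs Address            Size     Name
 1   40 0xffffffff80200000 1f5a1c8  kernel
 2    1 0xffffffff82219000 3a8      aesni.ko'
ENG_SAMPLE='(rdrand) Intel RDRAND engine
(cryptodev) BSD cryptodev engine
(dynamic) Dynamic engine loading support'

# Run "sh check.sh --live" on the host itself; otherwise exercise the samples.
if [ "${1:-}" = "--live" ]; then
    run_live_check
elif [ "${1:-}" = "--sample" ]; then
    aesni_cryptodev_check "$KLD_SAMPLE" "$ENG_SAMPLE"
fi
```

With the sample data the verdict is that both conditions hold, which is the situation the bug report describes; a host where either line is absent is not affected by this particular engine issue.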
There is a new v2 of the patch on the OpenVPN tracker, https://community.openvpn.net/openvpn/raw-attachment/ticket/480/150406-Reload-OpenSSL-engines-after-forking-v2.patch; please try it and report back.
A commit references this bug:

Author: mandree
Date: Mon May 4 23:08:06 UTC 2015
New revision: 385432
URL: https://svnweb.freebsd.org/changeset/ports/385432

Log:
  + Update patch set for crypto engine fix [1].
    Change option name so it is presented anew, default disabled.
  + Add openvpn-client wrapper script and up/down scripts to trigger
    resolvconf, with minor edits. [2]
  + Set proper PLUGIN_LIBDIR so that plugins in the default directory
    can be found with relative paths.
  + Compile shipped plugins with -fPIC.

  PR:            195004 [1]
  PR:            199529 [2]
  Submitted by:  yuri@rawbw.com [2]
  Obtained from: https://community.openvpn.net/openvpn/ticket/480#comment:21

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
  head/security/openvpn/files/EF1.patch
  head/security/openvpn/files/EF2.patch
  head/security/openvpn/files/EF3.patch
  head/security/openvpn/files/openvpn-client.in
  head/security/openvpn/files/patch-sample__sample-config-files__loopback-client
  head/security/openvpn/files/patch-sample__sample-config-files__loopback-server
  head/security/openvpn/files/patch-tests__t_cltsrv.sh
  head/security/openvpn/files/pkg-message.in
  head/security/openvpn/pkg-plist
Renato, can you please check (or have checked) that this works?
Fixed per https://community.openvpn.net/openvpn/ticket/480#comment:26