OpenVPN aborts after OpenSSL update

Markus Schönhaber ubuntu-users at
Wed May 14 19:05:24 UTC 2008


In case anyone else stumbles into this:
after updating all open* packages I had OpenVPN clients shutting down on
re-establishing the connection after the daily forced interruption of
the underlying DSL connection and OpenVPN servers shutting down after
the first client tried to connect. In both cases the logs said that the
corresponding client (resp. server) key was vulnerable. Needless to say,
all keys were newly generated and a manual run of openssl-vulnkey
reported them as not blacklisted.
strace'ing revealed that openssl-vulnkey wasn't able to read the key
files at all because it was called at a time when OpenVPN had already
dropped root privileges, but the key files are only root-readable.
I don't have the slightest idea why the check of the keys isn't just
made once on startup.
The obvious workaround is to run OpenVPN as root (I wouldn't recommend
that) or to chown the key files to the user OpenVPN runs as.

The brilliant idea of a Debian developer to fix what isn't broken has
caused me a *lot* of work.
And the brilliant idea of checking keys when unable to actually do it
has gifted me with phone calls at hours when no admin should be disturbed.
I'm really fed up.
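The failure mode the post describes, as an added illustration (not the poster's code and not the real openssl-vulnkey): a key check that runs after the daemon has dropped root cannot open a root-only 0600 key, and that "cannot read" result must be reported as such rather than as "vulnerable". The blacklist, key material and the stand-in uid are constructed placeholders; only classic Unix mode bits are modelled (no ACLs or capabilities).

```python
import hashlib
import os
import stat
import tempfile

# Constructed placeholder blacklist (SHA-1 of file contents), standing in for
# the real openssl-blacklist data that openssl-vulnkey consults.
BLACKLIST = {hashlib.sha1(b"weak-key-material\n").hexdigest()}


def readable_by(st, uid, gids):
    """Would a process with this uid/gid set be able to read the file (mode bits only)?"""
    if uid == 0:                       # root bypasses DAC
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def classify_key(path, uid, gids):
    """Return 'unreadable', 'blacklisted' or 'ok' for a check run as uid/gids.

    The post's bug: the wrapper could not read the key after privilege drop and
    the daemon logged the key as vulnerable. An unreadable key is a config
    problem, not a weak key, so it gets its own verdict here.
    """
    st = os.stat(path)
    if not readable_by(st, uid, gids):
        return "unreadable"
    with open(path, "rb") as f:
        digest = hashlib.sha1(f.read()).hexdigest()
    return "blacklisted" if digest in BLACKLIST else "ok"


def demo():
    """Constructed scenario: 0600 keys owned by us, checked as us and as another uid."""
    me, my_gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    other_uid = me + 1                 # placeholder for the unprivileged daemon user
    paths = []
    for material in (b"fresh-key-material\n", b"weak-key-material\n"):
        with tempfile.NamedTemporaryFile("wb", delete=False) as f:
            f.write(material)
            paths.append(f.name)
        os.chmod(paths[-1], 0o600)
    fresh, weak = paths
    results = (classify_key(fresh, me, my_gids),      # readable, not blacklisted
               classify_key(weak, me, my_gids),       # readable, blacklisted
               classify_key(fresh, other_uid, set())) # 0600 root-style: cannot check
    for p in paths:
        os.unlink(p)
    return results
```

Running `demo()` as the file owner gives `('ok', 'blacklisted', 'unreadable')`; the third verdict is the situation the post hit, which the chown workaround turns into a readable check.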
