UTM9.4 Remote Access SSL key size 4096

Hi, does anyone know why there is an OpenSSL error when I set the key size to either 3072 or 4096? There is no issue if I choose 1024/2048. Thank you.

ps -ef |grep openssl

root     17493     1  0 23:45 ?        00:00:00 /usr/bin/perl -we
    use Fcntl qw(:flock);
    use POSIX qw(setsid nice);
    my $bits = shift || 2048;
    my $outdir = shift || "/tmp";
    sub error { print shift() . "\n"; exit 1; }
    error "Unsupported DH parameter size, must be 1024|2048|3072|4096"
        unless $bits =~ /^(1024|2048|3072|4096)$/;
    fork and exit;
    setsid;
    umask 0;
    chdir "/";
    my $lockfile = "/var/lock/ovpn_dhgen_$bits.lock";
    open my $lock_fh, ">$lockfile"
        or error "Could not open lockfile $lockfile: $!";
    error "Generation of local $bits bit DH parameters is already in progress"
        unless flock $lock_fh, LOCK_EX|LOCK_NB;
    print "Starting generation of local DH parameters ($bits bit) in background\n";
    nice 19;
    open STDIN, "</dev/null";
    open STDOUT, ">/dev/null";
    open STDERR, ">/dev/null";
    system qq(/usr/bin/openssl dhparam -out "${outdir}/dh${bits}.local.pem" $bits)
 4096 /var/sec/chroot-openvpn/etc/openvpn

root     17494 17493 99 23:45 ?        00:00:52 /usr/bin/openssl dhparam -out /var/sec/chroot-openvpn/etc/openvpn/dh4096.local.pem 4096

root     17600 17289  0 23:46 pts/0    00:00:00 grep openssl
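The ps output above shows the UTM wrapper holding an flock on /var/lock/ovpn_dhgen_4096.lock while openssl dhparam runs at 99% CPU in the background, which is what a multi-minute 4096-bit generation looks like. The following is an added example, not Sophos code: it reproduces the wrapper's lock and path conventions in Python so an administrator can distinguish "still generating" from "generation failed" instead of reading the busy process as an error. The directory arguments and the openssl path are assumptions taken from the ps output.

```python
import fcntl
import os
import subprocess

ALLOWED_BITS = (1024, 2048, 3072, 4096)   # same set the UTM wrapper accepts

def lock_path(bits, lockdir):
    return os.path.join(lockdir, f"ovpn_dhgen_{bits}.lock")

def pem_path(bits, outdir):
    return os.path.join(outdir, f"dh{bits}.local.pem")

def try_lock(bits, lockdir):
    """Return an exclusively locked file handle, or None when another generator
    for this size already holds the lock (flock LOCK_EX|LOCK_NB, as the wrapper does)."""
    if bits not in ALLOWED_BITS:
        raise ValueError("Unsupported DH parameter size, must be 1024|2048|3072|4096")
    fh = open(lock_path(bits, lockdir), "w")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    return fh

def generation_status(bits, outdir, lockdir):
    """'in_progress' while a generator holds the lock, 'done' when the PEM exists
    and nobody holds the lock, otherwise 'missing' (generation never ran or failed)."""
    fh = try_lock(bits, lockdir)
    if fh is None:
        return "in_progress"
    fh.close()  # closing the handle releases the flock
    pem = pem_path(bits, outdir)
    if os.path.isfile(pem) and os.path.getsize(pem) > 0:
        return "done"
    return "missing"

def generate(bits, outdir, lockdir, openssl="/usr/bin/openssl"):
    """Run openssl dhparam under the lock (in the foreground; the wrapper forks,
    setsids and nices itself). Returns False if a generator is already running."""
    fh = try_lock(bits, lockdir)
    if fh is None:
        return False
    try:
        cmd = [openssl, "dhparam", "-out", pem_path(bits, outdir), str(bits)]
        return subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    finally:
        fh.close()
```

On the appliance, call generation_status(4096, "/var/sec/chroot-openvpn/etc/openvpn", "/var/lock") to see whether the wrapper is still holding the lock; the OpenVPN log line "Diffie-Hellman initialized with 4096 bit key" only appears once the PEM is complete.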



  • Hi Kevin,

    Please post logs to investigate further.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I can only find the related log in openvpn log. Please let me know if other information is needed, thank you.

    2016:05:19-19:52:01 coffee openvpn[28720]: OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 13 2016
    2016:05:19-19:52:01 coffee openvpn[28720]: library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.09
    2016:05:19-19:52:01 coffee openvpn[28721]: MANAGEMENT: client_uid=0
    2016:05:19-19:52:01 coffee openvpn[28721]: MANAGEMENT: client_gid=0
    2016:05:19-19:52:01 coffee openvpn[28721]: MANAGEMENT: unix domain socket listening on /var/run/openvpn_mgmt
    2016:05:19-19:52:01 coffee openvpn[28721]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    2016:05:19-19:52:01 coffee openvpn[28721]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
    2016:05:19-19:52:01 coffee openvpn[28721]: PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so '[/usr/lib/openvpn/plugins/openvpn-plugin-utm.so]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
    2016:05:19-19:52:01 coffee openvpn[7268]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt_REF_SslCliTony
    2016:05:19-19:52:01 coffee openvpn[7268]: MANAGEMENT: CMD 'state'
    2016:05:19-19:52:01 coffee openvpn[28721]: Diffie-Hellman initialized with 4096 bit key
    2016:05:19-19:52:01 coffee openvpn[28721]: WARNING: experimental option --capath /etc/openvpn/ca.d
    2016:05:19-19:52:01 coffee openvpn[28721]: Socket Buffers: R=[212992->212992] S=[212992->212992]
    2016:05:19-19:52:01 coffee openvpn[28721]: TUN/TAP device tun0 opened
    2016:05:19-19:52:01 coffee openvpn[28721]: TUN/TAP TX queue length set to 100
    2016:05:19-19:52:01 coffee openvpn[28721]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    2016:05:19-19:52:01 coffee openvpn[28721]: /bin/ip link set dev tun0 up mtu 1500
    2016:05:19-19:52:01 coffee openvpn[28721]: /bin/ip addr add dev tun0 192.168.110.1/24 broadcast 192.168.110.255
    2016:05:19-19:52:01 coffee openvpn[28721]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_UP status=0
    2016:05:19-19:52:01 coffee openvpn[28721]: UDPv4 link local (bound): [undef]
    2016:05:19-19:52:01 coffee openvpn[28721]: UDPv4 link remote: [undef]
    2016:05:19-19:52:01 coffee openvpn[28721]: MULTI: multi_init called, r=256 v=256
    2016:05:19-19:52:01 coffee openvpn[28721]: IFCONFIG POOL: base=192.168.110.2 size=252, ipv6=0
    2016:05:19-19:52:01 coffee openvpn[28721]: IFCONFIG POOL LIST
    2016:05:19-19:52:01 coffee openvpn[28721]: Initialization Sequence Completed
    2016:05:19-19:52:01 coffee openvpn[28721]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:05:19-19:52:01 coffee openvpn[28721]: MANAGEMENT: CMD 'status -1'
    2016:05:19-19:52:11 coffee openvpn[7268]: MANAGEMENT: Client disconnected
    2016:05:19-19:52:11 coffee openvpn[28721]: MANAGEMENT: Client disconnected

  • Hi Kevin,

    Please provide us some time to investigate this issue.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
