New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3DES broken? #451
Comments
@Fabian-Gruenbichler Thank for report. OpenSSL "bug" is quite easy to fix. Openssl expects "des3", not "3des". NSS looks more serious, especially because it was working in 2.x (and knet crypto code should be same) and also because it works for some packets (probably < 256 bytes) but not for larger one. @fabbione You may consider take a look to this (NSS) problem. 3des is kind of "do not care" but we should be sure that it is not something more serious. For 3des/des3. We can solve this in corosync quite easily, but it may make sense to handle this in knet. Easiest solution may be to change 3des to des3 in crypto_nss (so in corosync we could pass des3 if "3des" is selected to knet no matter what library is used), but this breaks "compatibility" |
@jfriesse i am looking at the nss problem, for the 3des vs des3, I can mask it in crypto_openssl so that corosync only has to pass 3des, but in general knet does NOT mingle with those parameters in an attempt to standardize the crypto APIs and only act as pass-through. |
@fabbione crypto_nss DOES mingle those parameters (and that's why I've suggested to change crypto_nss). |
reported in corosync/corosync#451 Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
@jfriesse as discussed on IRC, the algorithm name is 3des and not des3, therefor we will just fix openssl.c to understand 3des (already done). still looking into why nss 3des doesn´t work, but i suspect some memory corruption because for example the PMTUd process works fine, but the TX thread gets stuck. |
I found the issue with nss and 3des and the bug is in libnss. I do have an easy workaround in knet, but at this point I wonder if it´s worth supporting 3des at all given that is an old and broken encryption method. @jfriesse @chrissie-c : any strong opinion on the subject? |
FYI this is the workaround kronosnet/kronosnet@4f3828f |
Closing this issue in favor of PR #452 . Also biggest possible problem turned out to be NSS bug. |
While testing #450, I noticed the following broken behaviour with regards to 3DES..
Corosync 2.x on Debian Stretch: works as expected
Corosync 3.x + knet on Debian Stretch (backported)/Buster (stock) + crypto_model nss:
cluster falls a apart / quorum can't be established, as verification/decryption fails
Corosync 3.x + ... + crypto_model openssl:
(Maybe this one just needs a mapping from "3des" to however openssl calls it for EVP_get_cipherbyname?)
config is the following (modulo crypto_model, also tried different combinations of 3des + crypto_hash with no luck):
Switching to aesXXX and restarting corosync immediately fixes the issue (both for NSS and OpenSSL), so I am fairly certain this is just related to 3DES.
I have no interest in using 3DES whatsoever, I just stumbled upon this behaviour discrepancy and didn't want to leave it unreported ;) Not sure whether the actual breakage is in Corosync or knet either.
The text was updated successfully, but these errors were encountered: