[Openswan dev] Pluto crashes with preshared key, responders enabled pfs using 2.4.7
Michael Richardson
mcr at sandelman.ottawa.on.ca
Mon Jan 15 16:26:01 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Matthias" == Matthias Haas <mh at pompase.net> writes:
Matthias> The crash seems to affect the responder to a preshared key
Matthias> connection, where just the responder has pfs activated. As
Matthias> soon as the client tries ti setup phase 2 the responder
Matthias> crashes. The initiator is not hit by this crash. At the
Matthias> moment I do not have the time to check whether this also
Matthias> affects non psk connection.
>> Do you have nhelpers=0?
Matthias> Yes, I need this to avoid the other problem I currently
Matthias> cannot remember. Does this have an influence upon this
Please try again without nhelpers setting, then, so you can recall
what the problem is. We are slowly fixing all of these. 2.5.xx is much
better in that regard.
nhelpers=0 means that the single pluto process will do all
cryptographic operations. That means that it will do things "inline",
vs suspending (STF_SUSPEND) the state, and waiting for a helper process
to do the work.
Helper processes let you use multiple CPUs (a full threads
implementation would also do that, but at significantly more
complexity, and far less determinism), and also on v3.0.xx let you
interface to OCF for assymetric crypto if you have hardware.
Right now, the default is to start n-1 helper processes on a system
with "n" CPUs (or hyperthreads), with a minimum value of n=1, so you get
a helper even on a uniprocessor.
That way, you can have 3 of your Xeon threads doing DiffieHelman
during that aggressive-mode denial of service attack, while your main
pluto process can still have a CPU to service your existing connections.
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRavxYICLcPvd0N1lAQLL3Af/Za6rYHMPSsg0knjZRFXNr7yIIsXbSF9m
oX/Wzp/sCESRPlDtsQib9AQhy5Ul3EgmvE1Om976BYmLJWKtLyTYjUGELMuGYhsr
EYV3tnBHuYgEtPa1eyvMzNES+Zy/82yy6uRKPPIkBTOWsEB2G0Pbz0PlCq5H5eYg
wo1owo4wdwkSc3d97/YBz7cTt9T+IwplSWcoiEOJmHNy2p2S2fM8EUySLy3FOH9P
vZ1cLYGTgK9cpLFpAzbl1S84mP4ptxYgeL9+/urWoZxY4lKG1wIiWTnky8oKTrw8
6mcInjRSPhdiRfAomg+QO0sKTdMWIxt6w66oZRIA3GIZn+sF68n8GA==
=YpZw
-----END PGP SIGNATURE-----
More information about the Dev
mailing list