ClearOS Bug Tracker

View Issue Details
ID: 0017101
Project: ClearOS
Category: app-static-vpn-basic - Static VPN for Home
View Status: public
Date Submitted: 2017-09-13 14:30
Last Update: 2018-03-22 02:54
Assigned To:
Platform:
OS:
OS Version:
Product Version: 7.3.1
Target Version:
Fixed in Version:
Summary: 0017101: The app-static-vpn interface is not robust at trapping input errors
Description: It is quite easy to crash the app-static-vpn interface getting a php Ooops! error. I can do it simply by adding multiple subnets to the leftsubnet field or rightsubnet field, so something like ",". If you then hit update the interface crashes. Ideally it would detect multiple subnets and use leftsubnets instead of leftsubnet but that is another feature request. The interface should not crash.

I believe there are other instances where it crashes as well. The app needs to be checked over.

There is an instance on ticket #555759 on the second client post but I don't know what the customer did to get the crash but it is different to my multiple subnet crash.
Steps To Reproduce: Make a working configuration then add a second subnet in the leftsubnet field and hit update
Tags: No tags attached.

Notes
NickH (reporter)
2018-01-29 09:13

It looks like this error is caused by the interface writing an invalid config file. Then either when the conn is added (ipsec auto --add conn_name) or ipsec is restarted (I don't know which the interface does), ipsec fails with an error and this error is not trapped. Now that the interface is crashed you cannot correct the error without going to the command line.
NickH (reporter)
2018-03-20 02:09

Another error appears if you have a config with a Left IP and the PSK is set to use the Left IP. If you then change the Left IP to "Default Route" and save, as there is no longer a Left IP, the webconfig writes nothing in its place to the secrets file but leaves in what was the space separator between the Left IP and Right IP so the secrets file starts with a blank. Libreswan barfs at this saying a leading blank implies a continuation line and it can't be because it is the first line of the file. The webconfig then falls over because ipsec has fallen over.
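
One way to trap the input errors reported above before any file is written, as an added example that is not ClearOS code: every field is validated first, multiple subnets are mapped to the plural leftsubnets/rightsubnets option, and the secrets line is built so it cannot start with a blank. The function names, the form keys, and the choice of %any for an unset Left IP are assumptions of this example.

```python
import ipaddress

def parse_subnets(field):
    """Split a comma-separated subnet field and validate every entry."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty subnet entry in %r" % field)
        # Strict parsing also rejects host bits, e.g. 192.168.1.5/24.
        nets.append(str(ipaddress.ip_network(item)))
    return nets

def subnet_option(side, field):
    """Return the conn-file option line for one side ('left' or 'right')."""
    if side not in ("left", "right"):
        raise ValueError("side must be 'left' or 'right'")
    nets = parse_subnets(field)
    if len(nets) == 1:
        return "%ssubnet=%s" % (side, nets[0])
    # Several subnets: emit the plural option rather than an invalid
    # comma-separated leftsubnet=/rightsubnet= value.
    return "%ssubnets={%s}" % (side, " ".join(nets))

def secrets_line(left_ip, right_ip, psk):
    """Build one PSK entry for the secrets file; it never starts with a blank."""
    ids = []
    for ip in (left_ip, right_ip):
        # Assumption of this example: an unset address becomes %any.
        ids.append(str(ipaddress.ip_address(ip.strip())) if ip else "%any")
    if not psk or any(c in psk for c in '"\r\n'):
        raise ValueError("PSK must be non-empty, without quotes or newlines")
    return '%s : PSK "%s"' % (" ".join(ids), psk)

def build_config(form):
    """Validate every field first, so nothing invalid is ever written out."""
    lines = [subnet_option("left", form["leftsubnet"]),
             subnet_option("right", form["rightsubnet"])]
    return lines, secrets_line(form.get("left_ip"), form["right_ip"], form["psk"])

# Constructed sample input: Left IP switched to "Default Route" (unset).
SAMPLE = {"left_ip": "", "right_ip": "203.0.113.5", "psk": "s3cret",
          "leftsubnet": "192.168.1.0/24, 192.168.2.0/24",
          "rightsubnet": "10.0.0.0/24"}

if __name__ == "__main__":
    try:
        conn_lines, secret = build_config(SAMPLE)
        print("\n".join(conn_lines)); print(secret)
    except ValueError as err:  # report to the user instead of crashing
        print("rejected:", err)
```

A ValueError here is the point at which a web form would redisplay the field with a message, leaving the existing conn and secrets files untouched.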
NickH (reporter)
2018-03-21 03:04

Another error appears if you change or remove the DPD action. Sometimes you end up with extra "conn" lines in the conn file. I have seen both one and two lines added. Depending on where it is added it can again bring down the webconfig but not always.
NickH (reporter)
2018-03-22 02:54

If this does get revisited, as an enhancement request in order to get ahead in the security game, Phase 1 and Phase 2 Hash need to include sha2/sha256 (and possibly sha384 and sha512). sha2 is a minimum additional requirement.

There are many more encryption options now available and there is a nice table of them dumped into the log file when ipsec is started.

Issue History
Date Modified | Username | Field | Change
2017-09-13 14:30 | NickH | New Issue |
2017-09-13 19:24 | pbaldwin | Status | new => confirmed
2018-01-29 07:33 | pbaldwin | Target Version | => 7.4.0 Updates
2018-01-29 09:13 | NickH | Note Added: 0007111 |
2018-02-12 09:54 | pbaldwin | Target Version | 7.4.0 Updates =>
2018-03-20 02:09 | NickH | Note Added: 0007211 |
2018-03-21 03:04 | NickH | Note Added: 0007231 |
2018-03-22 02:54 | NickH | Note Added: 0007241 |