OpenSSL: error:0201502D:system library:ioctl:Operation

mloiterman · Apr 5, 2021, 5:11 PM

I just updated to 2.5.1.r.20210405.0300

Now my OpenVPN client won't connect and I see this error:

Apr  5 11:29:09 pfsense openvpn[66140]: Using peer cipher 'AES-256-CBC'
Apr  5 11:29:09 pfsense openvpn[66140]: OpenSSL: error:0201502D:system library:ioctl:Operation not supported
Apr  5 11:29:09 pfsense openvpn[66140]: EVP cipher init #2
Apr  5 11:29:09 pfsense openvpn[66140]: Exiting due to fatal erro

kossie · Apr 5, 2021, 9:20 PM

@mloiterman

Same issue here, I ended up having to move back to 2.5.0 to get things working normally.

jimp · Apr 6, 2021, 1:14 PM

Was there any other error after that in the logs? Or was that the end of it?

Does it still happen on today's snapshot?

jimp · Apr 6, 2021, 2:42 PM

I found a VM here where I can reproduce that. It appears to be tied to having AES-NI+cryptodev enabled. If you disable that, it should run. It works with AES-NI alone loaded, but not cryptodev.

https://redmine.pfsense.org/issues/11785

mloiterman · Apr 6, 2021, 2:38 PM

@jimp

That was the full error.

I haven't tried today's snap shot, but it definitely started in 2.5.1.r.20210405.0300, but I didn't see the error in 2.5.1.r.20210326.0300

I have tried disabling hardware crypto, but that did not resolve it.

I have NOT yet tried disabling hardware crypto and AES yet, but I will try later today.

jimp · Apr 7, 2021, 1:22 PM

This is OK for me now on the latest snapshot. Update and give it a try and confirm if it's also working for you.

mloiterman · Apr 7, 2021, 1:22 PM

@jimp

Yup. I just updated to the latest snapshot and it's been fixed.

Jim, you're awesome. Thanks so much.