-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Matthias" == Matthias Haas <mh pompase.net> writes:
Matthias> The crash seems to affect the responder to a preshared key
Matthias> connection, where just the responder has pfs activated. As
Matthias> soon as the client tries to set up phase 2 the responder
Matthias> crashes. The initiator is not hit by this crash. At the
Matthias> moment I do not have the time to check whether this also
Matthias> affects non psk connection.

>> Do you have nhelpers=0?

Matthias> Yes, I need this to avoid the other problem I currently
Matthias> cannot remember. Does this have an influence upon this

Please try again without nhelpers setting, then, so you can recall
what the problem is. We are slowly fixing all of these. 2.5.xx is much
better in that regard.

nhelpers=0 means that the single pluto process will do all
cryptographic operations. That means that it will do things "inline",
vs suspending (STF_SUSPEND) the state, and waiting for a helper process
to do the work.

Helper processes let you use multiple CPUs (a full threads
implementation would also do that, but at significantly more
complexity, and far less determinism), and also on v3.0.xx let you
interface to OCF for asymmetric crypto if you have hardware.

Right now, the default is to start n-1 helper processes on a system
with "n" CPUs (or hyperthreads), with a minimum value of n=1, so you get
a helper even on a uniprocessor.

That way, you can have 3 of your Xeon threads doing Diffie-Hellman
during that aggressive-mode denial of service attack, while your main
pluto process can still have a CPU to service your existing
connections.
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
_______________________________________________
Dev mailing list
Dev openswan.org
http://lists.openswan.org/mailman/listinfo/dev