Uh, this is a double misinformation :-)
It's good to know that cross-compiling is an option, though cross-debugging (e.g. with an interactive debugger) can be an adventure too.

Source of my comment was:

http://community.openvpn.net/openvpn/wiki/BuildingOnWindows, which says
This new build system allows building OpenVPN on Windows more easily, but some parts of the build may require a commercial version of the Visual Studio development environment. Visual Studio 2008 Professional is used to build OpenVPN on Windows. Note that the free Express edition might not work. Full installation installs x86 cross-tools which may cause nasty, hard to debug issues.
(The professional tools are > $1,000 US, which is not in my budget.)

You may want to reword that after validating your comment. M$'s name for the 'free' tools is 'express edition'. The license terms vary based on M$'s whims, the current statement is:
http://www.visualstudio.com/products/visual-studio-express-vs
Visual Studio Express products are available at no charge and may be used for commercial, production usage subject to the license terms provided with each product. For example, you can use Express for Windows to create apps that you can then submit for sale in the Windows Store.
The current version requires at least Windows 7 and a 2.2GHz+ processor. (My XP laptop won't do.) The 2008 Express edition (http://www.microsoft.com/en-us/download/confirmation.aspx?id=7940) is also a resource hog. It doesn't include all of the templates and other files needed to make many kinds of applications, though it is serviceable.

I do run these on a Windows 7 machine, but can't reconfigure them just for debugging OpenVPN.

In any case, I think that we have found the root cause of this issue the old-fashioned way - code inspection based on some debugging I did on the server and a hint from Steffan.

It seems that the cryptoapi interface (and probably other external key loaders, such as pkcs11 according to James) has not been updated for TLS1.2. TLS1.2 adds some new signatures. The error that I saw comes - I believe - from code that sanity checks the requested hash size against the generated hash size; cryptoapi only knows how to generate md5/sha1 signatures.

This makes it clear that:
- the key loaders need to be updated for TLS1.2. This includes the cryptoAPI on Windows, pkcs11, and the cert stores on other platforms (iOS, Android, Mac - if that's ever merged).
- There does need to be a way to specify a maximum TLS version (1.1 will do in this case).
- I'm inclined to have components, such as the key loaders, specify their min/max requirements so that if you specify an option (e.g. cryptoapicert), the auto-negotiation does the right thing transparently. And as things get fixed, the auto-negotiation will upgrade to higher security. A quick fix would be for the options invoking these features to adjust & lock the version max (and I suppose min) value - that's all in options.h,c. Long term, a more expressive API would be better.

James is suggesting that --tls-version-{min,max} should be the only controls. The advantage is that the code is localized; the disadvantage is that the config file writer gets involved. And since once 'things work' they aren't changed, I suspect people will tend to stay with less secure configurations forever. Especially on the client end.

I'll leave sorting that out to you folks.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 24-Apr-14 03:01, Gert Doering wrote:
Hi,

On Wed, Apr 23, 2014 at 07:21:48PM -0400, Timothe Litt wrote:
As I can't build the windows client (it's really annoying that it
requires commercial tools), further debug will need help from folks who can.
Uh, this is a double misinformation :-)

  - you can build with MSVC, and you can get a MSVC version for free for
    some sort of "non-commercial use" (I'm not sure about the exact terms) -
    but you don't really want that, as building on windows is more painful
    than the alternative

  - you build with mingw64 on linux, see here:

https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem

    (basically cross-compiling).  It's still not as easy as building on
    the linux target platform, but I find it much easier than with MSVC.

gert
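As an added illustration, not code from this thread or from OpenVPN itself, the following Python model shows the two mechanisms Timothe describes above: a signer that, like the CryptoAPI key loader he describes, can only produce MD5/SHA-1 based signatures and so trips a hash-size sanity check when TLS 1.2 asks for a SHA-256 signature; and the per-component min/max TLS version requirements he proposes, intersected with the configured --tls-version-min/--tls-version-max so that a cryptoapicert user is capped at 1.1 transparently. All names (Component, negotiate_tls_version, LegacyExternalSigner, check_signature_hash) are my own and do not mirror OpenVPN's options.c; the sample data is constructed.

```python
"""Model of the TLS 1.2 / external key loader interaction from the mail thread.

Constructed example; not OpenVPN code. It shows (a) the hash-size sanity check
failing when a legacy signer is asked for a SHA-256 signature and (b) capability
based negotiation of the TLS version across configured components.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Ordered list of TLS versions the model knows about (oldest first).
TLS_VERSIONS = ["1.0", "1.1", "1.2"]


@dataclass(frozen=True)
class Component:
    """A feature (e.g. a key loader) declaring the TLS range it supports."""
    name: str
    tls_min: str
    tls_max: str


# Hypothetical declaration for the cryptoapicert loader: works up to TLS 1.1 only,
# because it cannot produce the SHA-2 based signatures TLS 1.2 may request.
CRYPTOAPI = Component("cryptoapicert", tls_min="1.0", tls_max="1.1")


def negotiate_tls_version(components: Iterable[Component],
                          config_min: str = "1.0",
                          config_max: str = "1.2") -> str:
    """Pick the highest TLS version allowed by the config *and* every component.

    Raises ValueError when the intersection is empty, e.g. --tls-version-min 1.2
    combined with a loader that only supports up to 1.1.
    """
    idx = TLS_VERSIONS.index
    lo = max([config_min] + [c.tls_min for c in components], key=idx)
    hi = min([config_max] + [c.tls_max for c in components], key=idx)
    if idx(lo) > idx(hi):
        names = ", ".join(c.name for c in components) or "<none>"
        raise ValueError(f"no TLS version satisfies config [{config_min}, {config_max}] "
                         f"and components ({names})")
    return hi


class LegacyExternalSigner:
    """Models a key loader that only knows how to make MD5/SHA-1 signatures.

    Mirrors the behaviour described in the mail: whatever hash TLS 1.2 asks for,
    the loader produces one of the digests it knows (SHA-1 here as fallback).
    """
    SUPPORTED = ("md5", "sha1")

    def sign_digest_of(self, data: bytes, requested_hash: str) -> bytes:
        used = requested_hash if requested_hash in self.SUPPORTED else "sha1"
        # A real loader would sign this digest with the private key; the digest
        # length is what the sanity check below compares.
        return hashlib.new(used, data).digest()


def check_signature_hash(signer: LegacyExternalSigner, data: bytes,
                         requested_hash: str) -> bytes:
    """Sanity check modelled on the mail: requested hash size vs produced size."""
    expected = hashlib.new(requested_hash).digest_size
    produced = signer.sign_digest_of(data, requested_hash)
    if len(produced) != expected:
        raise ValueError(f"requested {requested_hash} ({expected} bytes) but the "
                         f"signer produced {len(produced)} bytes")
    return produced


def demo() -> dict:
    """Runs the scenarios from the thread and returns the outcomes by name."""
    signer = LegacyExternalSigner()
    results = {}
    results["no_external_loader"] = negotiate_tls_version([])
    results["with_cryptoapicert"] = negotiate_tls_version([CRYPTOAPI])
    try:
        check_signature_hash(signer, b"constructed handshake data", "sha256")
        results["sha256_via_legacy_signer"] = "ok"
    except ValueError as exc:
        results["sha256_via_legacy_signer"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the cryptoapicert component declared, negotiation lands on 1.1 without the config writer touching --tls-version-max; once the loader is fixed, raising its tls_max to 1.2 lets the same configuration negotiate 1.2, which is the upgrade path the mail argues for.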

