On 07/09/2016 15:56, Jan Just Keijser wrote:
> On 07/09/16 14:15, Samuli Seppänen wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 07/09/16 11:43, Gert Doering wrote:
>>>> Hi,
>>>>
>>>> On Wed, Sep 07, 2016 at 12:18:17PM +0300, Samuli Seppänen wrote:
>>>>> We have already dropped XP support from OpenVPN Git "master". I
>>>>> think now is the time to drop official XP support altogether, but
>>>>> to maintain Vista support until the next tap-windows6 release.
>>>> Oh, regarding Vista support: I noticed that major open source
>>>> projects (like chrome) have already dropped Vista support - so I
>>>> think dropping Vista for 2.4 should be OK.
>>> I agree. I believe the majority of most users upgraded to Win7 from
>>> Vista, as Vista was a slow giant beast compared to Win7. Those left
>>> on Vista are probably not the kind of users interested in setting up
>>> VPNs - and if they do, it would probably be one of the more commercial
>>> offerings than configuring your own client.
>>>
>>> Put Vista and XP in the same "support category", which basically means
>>> OpenVPN 2.3 and we'll see how long we are willing to officially
>>> support 2.3.
>> Maintaining Windows Vista support will be tricky without extra effort,
>> as it enforces strict driver signing requirements like Windows 7, but
>> lacks SHA2 support. This is not a showstopper for the user-space
>> components (openvpn, openssl, etc), which just give the "Unknown
>> publisher" warning. However, if we need to fix something in
>> tap-windows6, the new driver will only have a SHA2 signature, and Vista
>> will thus refuse to install and load it to the kernel.
>>
>> Windows XP is easier to support, as it allows loading of unsigned
>> kernel-mode code without putting the operating system to "test mode"; it
>> will just complain about "Unknown publisher".
>>
>> We could try to beg for a SHA1 code-signing certificate from Digicert
>> using their support system. However, I will try to get some download
>> figures for I00x and I60x installers before we go down that route.
>>
>
> we could consider a quick&dirty method:
>
> XP/Vista -> NDIS5 only
> 7+ -> NDIS 6 only
>
> I can't see why M$ would not allow SHA1 signed NDIS5 drivers anymore...
> It would mean that the OpenVPN 2.3 code base needs to remain
> compatible with NDIS5 and 6, as it is now.
>
> JJK
>
We can easily support Windows Vista as long as we don't have to rebuild the tap-windows6 (NDIS6) driver. If/when we do rebuild, we can just point Vista users to the I00x (tap-windows) installers as you said. This plan of course assumes that a security issue does not force us to rebuild tap-windows (NDIS5) and thus lose the SHA1 signature.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel