Here's the summary of today's IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 15th Mar 2017
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:


The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



cron2, mattock and syzzer participated in this meeting.


Discussed the OpenVPN 2.4.1 release. Agreed to make the release the
upcoming Monday (20th March). The OpenSSL support patches will have to
be postponed to 2.4.2.


Discussed the VLAN patchset:


Agreed that it is too big a chunk to tackle right now.


Full chatlog has been attached to this email.

(21:05:12) mattock: hello all
(21:05:17) syzzer: hi mattock 
(21:05:26) cron2: ullo
(21:05:48) syzzer: what language is that? :p
(21:06:46) mattock: :)
(21:07:16) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2017-03-15
(21:07:17) vpnHelper: Title: Topics-2017-03-15 – OpenVPN Community (at 
(21:07:27) mattock: start from the top?
(21:07:29) mattock: 2.4.1
(21:07:40) cron2: right
(21:08:21) cron2: 3 weeks ago, we planned for a release "in about two weeks", 
then mattock went hiding :)
(21:08:43) mattock: well you could say so, yes
(21:08:46) mattock: but not because of 2.4.1 :P
(21:08:54) cron2: I would say "we agree whether we want the --ns-cert-type 
deprecation patch in, and then release" - anything else missing?
(21:08:57) mattock: it was vacation to which I was forced to :D
(21:09:03) cron2: poor guy :)
(21:09:47) syzzer: yeah, it kind of depends on the --ns-cert-type
(21:10:14) cron2: syzzer: how's the "we make --remote-cert-tls work with funky 
CAs" patch coming along?
(21:10:26) syzzer: cron2: sort-of ready, but not well tested yet
(21:12:11) cron2: does it make sense to release 2.4.1 with just one of them?  I 
know that my users will then try the other option, and fail...
(21:14:49) syzzer: so, what I think we should do wrt --ns-cert-type / 
--remote-cert-tls is:
(21:14:49) syzzer: 1) Change --remote-cert-tls to require a specific EKU, but 
only *some* KU in the certificate, and let the crypto library check KU on its 
own (which both mbed TLS and OpenSSL do, but only if the extension is present)
(21:14:49) syzzer: 2) Deprecate --ns-cert-type
(21:14:50) syzzer: 3) release 2.4.1
(21:14:50) syzzer: 3) in 2.4.2+, change --ns-cert-type to just do what 
--remote-cert-tls does
(21:15:27) syzzer: where the last 3 should of course be a 4
(21:15:45) cron2: I guessed so :-) - so with 1), my funky CA would work again?
(21:15:52) syzzer: indeed
(21:16:11) cron2: works for me... do you have an estimate how long 1) will take?
(21:16:23) syzzer: it basically makes --remote-cert-tls less picky (it is now 
way more strict than it should be)
(21:16:44) syzzer: if we don't quarrel too much, I can get the patch out tonight
(21:17:35) cron2: sounds good :-) - mattock: any time that would be 
particularly convenient/inconvenient for you for a release?
(21:18:33) mattock: not in particular
(21:18:44) mattock: except weekends :)
(21:19:08) mattock: better do it on Monday, just in case
(21:19:17) mattock: rather than Friday
(21:19:47) cron2: shall we aim for "next monday", then?  And I'll go over the 
bug list until then to see whether I've missed something important
(21:19:56) cron2: AFAIK all stuff from Selva got in
(21:19:59) mattock: fine by me
(21:20:23) syzzer: yeah, for me too
(21:20:43) cron2: (and we should send a reminder to the -devel list "if you are 
aware of anything bugfixy that should go in, remind gert!")
(21:20:55) cron2: so - openssl 1.1 support patches
(21:21:33) cron2: about half the stuff is in, 05 has started a discussion 
syzzer/dazo which got stuck
(21:23:20) mattock: dazo will be more or less absent for the next two weeks 
(his own words)
(21:24:02) syzzer: yeah, this basically got stuck on the --ns-cert-type stuff
(21:24:33) syzzer: and I got side tracked by our current --remote-cert-tls 
(21:25:20) cron2: ok, so we just postpone until that is settled, and then maybe 
we can discuss with more technical arguments about the (new) impact...
(21:25:55) syzzer: indeed :)
(21:26:06) syzzer: I'll continue with other patches if possible
(21:26:21) ***cron2 stands ready to test & merge :)
(21:26:37) cron2: that concludes 2., I think... 
(21:26:58) syzzer: yep, think so too
(21:27:04) mattock: so do we postpone 2.4.1, or postpone the OpenSSL 1.1 
patches to 2.4.2?
(21:27:11) syzzer: the latter
(21:27:12) cron2: mattock: the latter
(21:27:13) mattock: ok
(21:27:46) cron2: the way they are coded and merged means they can go on one by 
one, with no negative impact on 1.0 builds - and when they are all in, we 
magically are 1.1 compatible
(21:27:50) mattock: 2.4.2 might get some patches related to the security audit, 
(21:28:16) cron2: indeed, so maybe 2.4.2 will follow quickly after 2.4.1 - and 
openssl 1.1 will be in 2.4.3 - we'll see :-)
(21:28:21) mattock: yeah
(21:28:31) ***cron2 is VERY curious what they have found
(21:28:32) mattock: so then we only have the long-term topic of VLAN patchset
(21:28:36) mattock: yeah, me too
(21:28:54) syzzer: uhuh
(21:29:13) cron2: I have nothing new to contribute to that :-( - no time to 
work on such a big chunk
(21:29:22) mattock: yeah, it's a hanful
(21:29:24) mattock: handful
(21:29:46) mattock: plus, as cron2 so nicely said once, "all features have 
their merits, and then it blows up"
(21:29:50) mattock: or something along those lines :P
(21:30:19) cron2: it has blown up years ago, and then James ran away screaming 
(21:30:46) mattock: well put
(21:30:47) cron2: "wouldn't it be much nicer to have a small and compact 
openvpn client library with just the important options?" ;-)
(21:30:58) mattock: indeed
(21:31:09) mattock: until enough features are added, and then it's a garbage 
dump again
(21:31:19) cron2: it's not completely true, though... but we indeed inherited 
quite a list of features :)
(21:31:50) mattock: well OpenVPN 2.x is extremely stable all things considered
(21:32:20) mattock: anyways, any other topics for today?
(21:32:30) mattock: or was this really a 27 minute meeting?
(21:32:47) cron2: true... no other topics from me (there's the --auth-nocache 
patch, but all we can do today is "remind people that it needs review and 
(21:33:05) syzzer: nothing from my side either
(21:33:09) mattock: ok, great!
(21:33:19) cron2: so, let's conclude the meeting and go work on the patches :-)
(21:33:23) mattock: +1
(21:33:32) cron2: $wife is out anyway, kids are sleeping...
(21:33:52) mattock: good hacking!
(21:33:59) cron2: good night!
(21:34:15) mattock: and good night!
(21:34:27) syzzer: good night!

