Hi Gert,
On Thu, May 18, 2017 at 10:49 PM, Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi Emmanuel,
>
> On Mon, Mar 27, 2017 at 05:49:48PM +0200, Emmanuel Deloget wrote:
> > I'll post my new patches as soon as I get over every issues
> > that have been talked on the ML (is that even a valid
> > sentence?)
>
> I'm wondering where this got stuck - are you waiting for us to move
> forward (like, missing review of parts of the patch set), or are we
> waiting for you, and you've been busy?

Problem is that I'm working in a more-than-full-time manner on
way-too-many-other subjects :)

> We didn't really follow up on this from our end since the CVEs and
> 2.4.2 got in the way - but I think now would be a good time to move
> ahead with this...

I have a git tree out there that I have not fully tested yet. It compiles OK with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0 but I haven't checked the behavior.

The main difference with the previous version of the patch is the way the certificate purpose is checked.

A) we do a fairly full check of the purpose using X509_check_purpose(). This check is harder than the previous version

B) if that fails, we check for the certificate purpose using a lighter method which is strictly equivalent to what was done before (it uses X509_get_ext_d2i() to fetch the certificate type from within the certificate).

The branch is available for viewing on GitHub at https://github.com/emmanuel-deloget/openvpn/tree/openssl-1.1-v6.

The follow-up emails contain the 7 patches which are needed to finish the work.

BR,

--
Emmanuel Deloget