Here's the summary of the IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 14th November 2018
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:


The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



cron2, dazo, mattock, ordex, plaisthos, rozmansi and syzzer participated
in this meeting.


Discussed tls-crypt-v2 patches. Noted that two of them are not merged yet:



Discussed networking API patches. The same functionality is implemented
in the openvpn3-linux codebase and has been working very well. One IPv6
related bug has been fixed and a patch is about to be sent for OpenVPN 2.


Discussed rozmansi's MSI patches. Noted that Jon has given ACKs with
different wording ("Looks good to me") to many of them so they can be
merged. There is also an openvpn-build PR pending which mattock is
having a look:



Talked about tap-windows6 HLK testing. Sgstair has made good progress on
that front and has fixed a number of issues. So besides getting WHQL
certification we also get a better driver and OpenVPN in the process.


Discussed the HackerOne report about OpenVPN on Windows having (generic)
DLL hijacking vulnerabilities. Agreed to migrate the report from
HackerOne to Trac:


Also agreed that fixing this in a meaningful way would be very tricky.


Briefly discussed the integration of openvpn-build and rozmansi's
WiX-based MSI packaging. Agreed that mounting the openvpn-build
directory (of the Linux builder) as a Samba share on the WiX builder
(Windows host) is adequate.


Full chatlog attached.

Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(12:23:19) plaisthos: hey
(12:23:44) plaisthos: I won't have much time today and will probably leave in a 
half hour :(
(12:24:04) mattock2: Hi all
(12:24:43) plaisthos: As for the client-connect patches. ordex pointed out that 
I should rerun uncrustify to fix code style issues 
(12:25:30) ***ordex ducks
(12:25:35) plaisthos: I did that and running it on the first patch only changed 
minor things I got rebase conflict on all other patches, so I will resend the 
patches shortly
(12:27:02) cron2: hey
(12:27:13) dazo: hey
(12:32:30) cron2: plaisthos: makes sense, thanks
(12:32:52) mattock2: First topic? I'm my phone for a while
(12:33:10) ***cron2 feels smarter than his phone today
(12:33:31) syzzer: hi 
(12:33:44) rozmansi: hi
(12:33:44) cron2: here's topic #1 :)
(12:34:08) ***ordex is here
(12:34:43) ordex: so we still have GA on the agenda?
(12:34:50) ordex: ahj no, wrong link :D
(12:35:20) ordex: well #1: I think the status is "merged", so syzzer ? :)
(12:35:37) cron2: I've seen discussions about bugs and crashes with tincantech. 
 Are these all fixed?
(12:35:47) cron2: (last two weeks were more crazy than usual)
(12:36:06) ordex: at least the patch was sent to the ml
(12:36:09) ordex: let me check if it was also merged
(12:36:23) ordex: it seems the patch wasn't merged yet
(12:36:34) syzzer: I think there's one patch waiting for review
(12:36:46) ordex: https://patchwork.openvpn.net/patch/583/
(12:36:47) vpnHelper: Title: [Openvpn-devel] tls-crypt-v2: fix client reconnect 
bug - Patchwork (at patchwork.openvpn.net)
(12:37:09) ordex: tincantech tested it and it was all fine
(12:37:23) ordex: do you need additional review? maybe I should do that if 
(12:37:24) ordex: (?)
(12:37:49) cron2: since you broke it :-) that would be the easiest, I think
(12:38:33) dazo: tls-crypt-v2 should be merged
(12:38:47) ordex: ok, will review it. it should be fairly easy for me
(12:38:50) ordex: good morning dazo !
(12:38:50) cron2: ("broke" in the sense of "introduced per-instance keys and 
reloading" which conflicted here)
(12:38:55) ordex: yap
(12:39:04) ordex: I can get the blame ! no worries :D
(12:40:06) ordex: I have delegated it to me on pw
(12:40:15) syzzer: thanks :)
(12:40:25) dazo: patch looks trivial though
(12:40:30) ordex: there is a patch about the manpage too
(12:40:44) ordex: yeah, it's a little change, that becomes obvious when you 
read the context around
(12:40:48) ordex: we also have: https://patchwork.openvpn.net/patch/582/
(12:40:49) vpnHelper: Title: [Openvpn-devel] tls-crypt-v2: clarify 
--tls-crypt-v2-genkey man page section - Patchwork (at patchwork.openvpn.net)
(12:40:49) syzzer: although I am to blame too, since I only half-fixed the 
merge conflict with the per-connection tls-auth patch...
(12:41:15) ordex: syzzer: I wouldn't be surprised if that chunk actually did 
not raise any real conflict
(12:41:37) cron2: syzzer: you already got to write the patch
(12:44:03) syzzer: but I think that's all for tls-crypt-v2
(12:44:48) cron2: that was easy :) - networking API is "sitnl"?
(12:45:35) dazo: I would say so, yes
(12:46:21) ordex: yap
(12:46:41) ordex: we have been using it in openvpn3 in our tests for now and it 
all looks good
(12:46:43) dazo: we're implementing basically the same code in openvpn3-linux 
.... and that is working very well; ordex can fill out the details though.  One 
IPv6 related bug has been fixed, not sure if ordex submitted updated openvpn2 
patch for that
(12:47:01) cron2: nice
(12:47:07) plaisthos: I am going to review that (at least the non netlink) this 
week or early next week
(12:47:20) ordex: we have some minor fixes to add compared to the version we 
have on the mailing list, but nothing major. in a bit I will send another set
(12:47:36) ordex: yeah, plaisthos can still review, because my fixes are really 
minor netlink bits
(12:48:15) cron2: o
(12:48:17) cron2: ok even
(12:50:18) mattock2: do all msi patches have acks a.k.a. "lgtm samuli"?
(12:50:45) rozmansi: nope, the initial msi patch has not been reviewed by 
anyone yet.
(12:50:48) plaisthos: look good to me
(12:51:09) plaisthos: Need to hit the the road, talk to you later
(12:51:13) cron2: *wave*
(12:51:18) mattock2: maybe we need to point jon at it then
(12:51:22) ordex: plaisthos: bye
(12:51:29) rozmansi: plaisthos: bye
(12:51:40) mattock2: bye plaisthos!
(12:52:25) rozmansi: The https://patchwork.openvpn.net/patch/555/ is 
stand-alone (only indirectly related to MSI packages), and it has Jon's "LGTM".
(12:52:26) vpnHelper: Title: [Openvpn-devel,5/5] Detect TAP interfaces with 
root-enumerated hardware ID - Patchwork (at patchwork.openvpn.net)
(12:53:34) cron2: LGTM from Jon sounds very ACKish to me :-)  (and I'm not sure 
we have anyone else qualified to have a closer look, except maybe mattock)
(12:54:37) cron2: ordex: thanks for the ACKs.  I can merge tonight
(12:54:46) ordex: cool
(12:57:26) cron2: so, HLK testing
(12:57:56) cron2: mattock: do you want to report more verbosely?
(12:58:36) mattock2: summary: stephen is fixing things and future ia looking 
(12:58:44) cron2: *g*
(12:59:12) rozmansi: excellent
(12:59:13) cron2: yes, and we fixed his client-to-client interconnection issues 
just an hour ago (by adding --client-to-client to the tap server ;-) ) so "even 
(12:59:22) mattock2: the call to drop radixweb was clearly the right one
(12:59:39) mattock2: oh nice!
(12:59:47) ordex: :D
(12:59:51) cron2: in more details, stephen is fixing all those nasty things 
that led to test client misbehaviour (like, "running out of memory due to lack 
of flow control in the driver")
(13:00:16) cron2: some required calls were not there (easily fixed)
(13:00:39) cron2: the test rig wants to send "raw ethernet stuff" (as far as we 
understand), so we changed from --dev tun to --dev tap, and that now looks all 
(13:02:56) ordex: oh ok
(13:04:38) mattock: so this clearly improves tap-windows6 instead of just 
getting us the WHQL certificate
(13:04:57) ordex: yeah, hopefully less bugs later :p
(13:05:08) mattock: anyways, so that's probably it about tap-windows6
(13:05:22) mattock: DLL hijacking thingy real quick?
(13:05:38) mattock: basically: we have a hackerone report about this (generic) 
DLL loading problem
(13:05:52) mattock: as it is generic and not openvpn-related, should we create 
a Trac ticket about it
(13:05:55) mattock: ?
(13:06:18) mattock: as in: "we should fix that eventually"
(13:08:12) mattock: i'd put that into the same category as "generic NSIS 
security issues which have nothing to do with OpenVPN in particular" 
(13:08:17) cron2: yep
(13:08:34) mattock: I can do that right now
(13:08:42) mattock: OpenVPN 2.5 status?
(13:08:52) syzzer: it's less problematic that the NSIS installers, because 
users are not expected to run openvpn from their downloads dir
(13:09:20) cron2: yep, you need some other sort of privilege escalation first
(13:09:33) syzzer: but it sounds like "hygiene on broken platforms" we should 
probably do
(13:10:11) cron2: I wonder how we build on linux... do we use -Wl,rpath= or do 
we just trust the dynamic linker?
(13:10:41) syzzer: I think we just trust the dynamic linker
(13:10:44) cron2: or do we just not formally care since we need root anyway...
(13:11:14) mattock: do you mind if I just copy-and-paste what is in the 
HackerOne report?
(13:11:28) cron2: wfm
(13:11:32) syzzer: to trac?  I'd be fine with that
(13:11:42) mattock: yes to trac
(13:14:52) mattock: anything about 2.5 we should discuss and have not already?
(13:15:34) cron2: the status update for the client-connect patches came from 
plaisthos at the beginning - "patch set sent, ordex complained about style, new 
patch set coming"
(13:15:39) syzzer: we should probably update 
(13:15:40) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
(13:15:41) cron2: (which I should put on a keyboard hotkey)
(13:15:48) ordex: yup
(13:16:08) cron2: ordex: yup to "hotkey for 'patch set sent, ordex 
complained...'"? ;-)
(13:16:19) ordex: yes right
(13:16:24) ordex: waiting for the next set
(13:16:32) cron2: :)
(13:16:42) cron2: and yup to "update the wiki page", since tls-crypt-v2 is done 
for good now
(13:21:13) rozmansi: mattock: I have a question about Windows  packaging and my 
PR to openvpn-build.git from yesterday...
(13:21:43) rozmansi: What's the usual workflow when you package NSIS installers?
(13:22:47) rozmansi: openvpn-build/generic on Linux, then sign binaries on 
code-signing comp, then transfer the signed binaries .tar.gz back to 
openvpn-build/windows-nsis on Linux, right?
(13:23:28) mattock: rozmansi: I use windows-nsis/build-complete
(13:23:32) mattock: it calls generic/build
(13:23:50) rozmansi: Can't do that with MSI packaging, as it runs on Windows. :(
(13:23:55) mattock: the build artefacts are available under 
windows-nsis/tmp/build I believe
(13:24:11) mattock: so you could get the artefacts and do the MSI magic on those
(13:24:33) rozmansi: exactly. what is your preferred way to transfer binaries 
to Windows?
(13:24:38) mattock: essentially build-complete creates a staging directory and 
NSIS pulls the files from there
(13:24:58) rozmansi: (for development purposes, I mounted openvpn-build as a 
Samba share)
(13:25:15) mattock: our internal Windows servers have SSH, but a Samba share 
might be ok as well
(13:25:25) mattock: I don't have any preferences tbh
(13:26:08) mattock: https://community.openvpn.net/openvpn/ticket/1141
(13:26:10) vpnHelper: Title: #1141 (Harden OpenVPN on Windows against generic 
DLL hijacking vulnerabilities) – OpenVPN Community (at community.openvpn.net)
(13:26:17) rozmansi: The Win32 tar.exe is not happy with those .tar.gz files as 
they contain symlinks.
(13:27:49) syzzer: what a mess...
(13:27:51) mattock: ah did not realize that
(13:28:02) syzzer: I'm still trying to figure out how to do the same for 
(13:28:13) mattock: syzzer: MSI or hardening?
(13:28:16) syzzer: both
(13:28:29) mattock: join forces?
(13:28:30) mattock: :P
(13:28:51) syzzer: but mostly "a good way to build decent-and-signed installers"
(13:28:52) mattock2 has left the room (quit: Quit: IRC for Sailfish 0.9).
(13:30:16) syzzer: the thing for me is that I want to build all the binaries 
(not installers), then go through QA and evaluation, then 
(13:30:21) rozmansi: Anyway, as the PR for MSI packaging is done now, it 
expects to find OpenVPN binaries in ../generic/image-win(32|64)/... So, if you 
just mount the openvpn-build directory where you built those binaries as a 
Samba share to make it available to a Windows box, you can package MSI inside 
openvpn-build/windows-msi folder.
(13:30:49) mattock: rozmansi: I will check your PR
(13:31:05) syzzer: that sounds reasonable, that way I should be able to just 
have a "signing VM"
(13:31:22) rozmansi: Great. Feel free to let me know how I can make it as easy 
to use for you as possible.
(13:32:14) mattock: rozmansi: ok so the PR is big - I won't do the review in 
the meeting then :P
(13:32:19) mattock: will have a look after
(13:32:32) rozmansi: :) sure
(13:32:41) mattock: immediately so that I do not forget
(13:32:57) mattock: regarding DLL hijacking thing
(13:33:02) rozmansi: (perhaps I am only too nervous - putting my newborn child 
into evaluation)
(13:33:16) mattock: do we actually have to stop giving people the option to 
install OpenVPN in directory <n> to fix the problem?
(13:33:53) mattock: pardon my ignorance: evaluation?
(13:35:59) syzzer: mattock1: don't worry, that's my problem for -nl ;)
(13:36:33) rozmansi: You can't hardcode "C:\WINDOWS\system32\fwpuclnt.dll" into 
your binaries, as the recommended fix says.
(13:36:55) rozmansi: What if somebody has Windows installed on D:\Windows?
(13:37:22) mattock: yeah
(13:37:43) mattock: anyways, it is a mess
(13:37:54) mattock: thanks Microsoft
(13:38:05) mattock: but we can look at it later
(13:38:15) mattock: I will review rozmansi's mega-PR
(13:38:15) syzzer: for now I'll just keep following the discussions and leave 
you to it
(13:38:23) syzzer: is there something we need to discuss now?
(13:38:30) ***syzzer is getting hungry ;-)
(13:38:45) mattock: we also need to get rozmansi's patches to openvpn in before 
merging the openvpn-build PR 
(13:38:47) vpnHelper: Title: Windows MSI Packaging by rozmansi · Pull Request 
#141 · OpenVPN/openvpn-build · GitHub (at github.com)
(13:38:52) mattock: I'm good for today
(13:38:55) rozmansi: My personal opinion: if an attacker already has admin 
privileges, he could just as well replace the openvpn.exe with his own version. 
So hardcoding DLL paths is pointless.
(13:39:57) mattock: maybe this had to do with fooling some antivirus programs, 
but even in that case the benefits of "fixing" this are not big
(13:40:05) mattock: plus it ends up being a management mess probably
(13:41:47) mattock: actually, the use of DLLs was to work around the signature 
in openvpn.exe
(13:42:08) mattock: so when launching openvpn.exe the signature would still be 
valid ("all is good")
(13:42:17) mattock: anyways, adding this to the trac ticket
(13:42:24) mattock: let's call this a day unless somebody has something
(13:42:30) ordex: not me
(13:42:38) ordex: just...ipv6!
(13:43:15) cron2: ipv6!
(13:43:52) syzzer: ?
(13:44:01) cron2: no idea what he's talking about it
(13:44:28) mattock: end of meeting then
(13:44:29) mattock: :P
(13:45:31) syzzer: hehe, thanks. ttyl :)
(13:45:46) cron2: *wave*
(13:46:39) rozmansi: bye
(13:46:47) rozmansi has left the room.