Here's the summary of the IRC meeting.



Place: #openvpn-meeting on irc.freenode.net
Date: Thu 23rd April 2020
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:


Your local meeting time is easy to check from services such as



cron2, dazo, mattock, ordex and Pippin participated in this meeting.


Talked about the proposed update to our patch to pkcs11-helper:


It was agreed that using the patch version from Fedora Rawhide would
make more sense, as that one is more widely tested. Also, the patch does
not seem to contain any Linux-specific code that could break on Windows
(our target platform here).


Mattock mentioned that OSTIF.org is currently waiting for 2.5.0 before
launching their security audit.


Discussed the OpenVPN 2.5 release.

Ordex and cron2 revived the ipv6-only patchset. Wiscii has tested it
already and has reported that it works. OpenVPN Inc. will provide
additional QA resources to test it as well.

Cron2 has a couple of Windows-specific patches on his plate (tun-mtu,
IPv6 netbits in netsh / iService) which need some focused review effort.

There are also a couple of patches from plaisthos which could be merged
easily once there's a bit of time for a review.

The async-cc patchset is waiting for testing, but we have a volunteer
who is willing to test the rebased code.

Ordex will review the tls-group patch in the upcoming days.

Mattock should have time to focus on the MSI work starting next week
after wrapping up a rather big internal project.


Noted that the AAAA record seems to be missing for community.openvpn.net.
Mattock will fix that. He will also add monitoring of the IPv6
addresses of the community services to OpenVPN Inc's monitoring system.
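The kind of check the monitoring item above calls for, as an added example that is not part of the meeting summary or of OpenVPN's own monitoring setup: it looks up each host's AAAA and A records with the standard library and flags hosts that are IPv4-only (the community.openvpn.net situation from this meeting) separately from names that do not resolve at all. The host list, the Nagios-style exit codes and the injectable resolver are assumptions of the example; nothing here reflects how OpenVPN Inc's monitoring is actually configured.

```python
"""Check that a list of hostnames still publish AAAA records.

Added example, not code from the OpenVPN project. The resolver is
injectable so the classification logic can be exercised offline with
constructed results; the default resolver uses socket.getaddrinfo.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# community.openvpn.net is the host from the meeting; the second name is an
# assumed placeholder for whatever else the monitoring system lists.
DEFAULT_HOSTS = ["community.openvpn.net", "forums.openvpn.net"]

Resolver = Callable[[str], Tuple[List[str], List[str]]]


def _lookup(host: str, family: int) -> List[str]:
    """Return the addresses of `host` for one address family, [] if none.

    getaddrinfo raises gaierror both when the name does not exist at all
    and when it has no record of the requested family; the latter is the
    "hostname nor servname provided, or not known" that ping6 prints.
    """
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve(host: str) -> Tuple[List[str], List[str]]:
    """Default resolver: (A addresses, AAAA addresses) via the system DNS."""
    return _lookup(host, socket.AF_INET), _lookup(host, socket.AF_INET6)


def check_hosts(hosts: List[str], resolver: Resolver = resolve) -> Dict[str, str]:
    """Classify each host as 'ok', 'no-aaaa' (IPv4 only) or 'nxdomain'."""
    results: Dict[str, str] = {}
    for host in hosts:
        v4, v6 = resolver(host)
        if v6:
            results[host] = "ok"
        elif v4:
            results[host] = "no-aaaa"
        else:
            results[host] = "nxdomain"
    return results


def nagios_status(results: Dict[str, str]) -> Tuple[int, str]:
    """Map the classification to a (exit code, summary) pair.

    Exit code 2 is CRITICAL and 0 is OK, following the common plugin
    convention (an assumption of this example, not OpenVPN's setup).
    """
    bad = sorted(h for h, state in results.items() if state != "ok")
    if bad:
        detail = ", ".join(f"{h} ({results[h]})" for h in bad)
        return 2, f"CRITICAL: missing IPv6 for {detail}"
    return 0, f"OK: {len(results)} host(s) have AAAA records"


if __name__ == "__main__":
    code, summary = nagios_status(check_hosts(sys.argv[1:] or DEFAULT_HOSTS))
    print(summary)
    sys.exit(code)
```

Run it with the hostnames to watch as arguments, or with none to use the built-in list; wire the exit code into whatever scheduler or check framework is already in place. A host that returns an AAAA record but is unreachable over IPv6 is not caught by this check; a follow-up TCP connect to each returned address would cover that case.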


Full chatlog attached
(21:00:55) cron2: yeaaha
(21:01:02) mattock: hi
(21:01:09) ***cron2 complains about topic
(21:03:33) mattock: ok complain
(21:03:40) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-04-23
(21:06:37) ***dazo is here
(21:06:51) mattock: hi!
(21:09:35) cron2: hi dazo!
(21:09:40) cron2: how's madness?
(21:12:20) dazo: mad :-P
(21:13:47) cron2: you're all so talkative today... :)
(21:14:40) dazo: hehe ... looked at the #1 topic ... surprised to see a red hat 
bz reference in a project used for Windows builds .... 
(21:15:05) mattock: ok now distractions are over
(21:15:26) mattock: so, I wanted to bring up the pkcs11 patch because I don't 
want decide by myself whether it is acceptable or not
(21:15:30) mattock: thoughts?
(21:16:03) cron2: I have no idea what he's talking about
(21:16:20) cron2: ah
(21:16:46) cron2: so we import the pkcs11 patch from redhat (or a common 
source), and that patch has issues.  So it ended up in RH's BZ and they now let 
us know
(21:17:52) cron2: 2017
(21:18:55) dazo: okay ... so .... there is a patch in the opensc project (where 
pkcs11-helper comes from, managed by alonb) ... which is not being accepted 
because it is "too complex", and it has been an open pull-req for 2 years.  And 
the patch we have in our build repo is based on that.  What I don't understand 
yet is how we have a "faulty" patch in our repo
(21:19:08) cron2: that patch has a bug
(21:19:15) cron2: which is explained in the RH BZ
(21:19:27) cron2: so we get a patch for the patch now :)
(21:20:18) cron2: and we actually have an open trac ticket (1075) related to 
"long IDs do not work"
(21:20:22) dazo: yeah ... I would probably look into what dwm2's git repo has 
and compare that patch/commit with our patch
(21:20:50) mattock: I would = I will?
(21:20:52) mattock: :P
(21:21:02) dazo: I suggest! :-P
(21:21:11) mattock: I thought so!
(21:22:09) ordex: are we doomed ?
(21:22:15) cron2: ordex: yes
(21:23:05) dazo: from a quick look ... the first change (token[1] -> token[0]) 
that looks fine and sane
(21:23:44) dazo: the second change I don't see in dwm2's repo during my quick 
glance .... from a style perspective it looks odd too
(21:24:07) dazo: (but that style seems to be common in that repo)
(21:27:00) dazo: This is what Fedora ships in Rawhide ... and I would presume 
prior release has the same patch though ... 
(21:27:01) vpnHelper: Title: Tree - rpms/pkcs11-helper - src.fedoraproject.org 
(at src.fedoraproject.org)
(21:27:12) dazo: (and that is related that rh bz)
(21:27:51) dazo: Rawhide ships with pkcs11-helper-1.22
(21:28:51) dazo: the patch was introduced Nov 2017 and seems to have been 
unmodified since then
(21:32:14) mattock: well
(21:32:15) mattock: https://github.com/OpenSC/pkcs11-helper
(21:32:17) vpnHelper: Title: GitHub - OpenSC/pkcs11-helper: Library that 
simplifies the interaction with PKCS#11 providers for end-user applications 
using a simple API and optional OpenSSL engine (at github.com)
(21:32:18) dazo: I see that the Fedora patch have the same tokstr[0] reference, 
but is lacking the second change
(21:32:24) mattock: has been unmodified since then
(21:32:32) dazo: yeah
(21:32:52) dazo: I would suggest to rather use the patch from Fedora and see if 
that resolves the issue
(21:33:09) mattock: is there anything in there that could behave differently on 
(21:33:10) dazo: That patch is tested on quite some installs
(21:33:22) cron2: mattock: doesn't look like it
(21:33:43) dazo: I wouldn't say, no
(21:33:56) mattock: then I think dazo's suggestion makes sense
(21:34:14) mattock: I can ask the guy about that approach and ask him to test
(21:35:33) mattock: ok and done with this?
(21:35:37) cron2: wfm
(21:35:49) dazo: sounds good
(21:35:52) mattock: I have two other small topics
(21:35:55) mattock: just an update
(21:36:24) mattock: right now OSTIF is waiting for OpenVPN 2.5.0 before they 
launch their audit
(21:36:36) cron2: Derek reappeared?
(21:36:40) mattock: yes
(21:37:13) mattock: I poked the other guy there, Amir, to get Derek's attention 
and that worked :D
(21:38:42) mattock: I had something else but I forgot, so let's move on
(21:38:58) mattock: OpenVPN 2.5?
(21:39:19) cron2: ordex and I have started to revive the ipv6-only patchset
(21:39:37) cron2: (that is, ordex has poked me, and I have agreed)
(21:40:08) mattock: why did it not go in the last time?
(21:40:11) ordex:  it's not far from completion though
(21:40:18) ordex: lack of test
(21:40:21) mattock: ok
(21:40:23) ordex: but corp has QA to allocate now
(21:40:24) cron2: lack of review, mostly
(21:40:28) ordex: that too
(21:40:31) cron2: wiscii has tested and reported "it works"
(21:40:43) cron2: so it should not generally be very painful
(21:41:54) ordex: yap
(21:42:15) ordex: as next step it'd be nice to write down a couple of tests we 
want to see happening, so that i can pass them to QA
(21:42:30) ordex: I'll try to poke cron2 again the coming days to make this 
happen :] if he's fine
(21:43:09) cron2: ordex: yes
(21:43:39) cron2: I have a core router to swap tomorrow night, but all the prep 
work is done (except "carry the 70kg monster into the 3rd floor, put it in the 
(21:44:20) cron2: but besides this, time planning looks lighter these days :)
(21:44:44) cron2: Besides ipv6-only, there are two windows specific patches 
that are sitting on my plate, one for "tun interface MTU" (which got stalled, 
and the author has re-sent and rebased).  The other is related to IPv6 netbits 
in windows netsh and/or iservice, which needs brains + testing.
(21:46:30) cron2: there's a few patches from plaisthos that need a bit of time 
for review, and could be merged then quickly...
(21:47:00) cron2: and then we're waiting for the async-cc patchset... (for 
which a tester has volunteered a few days ago, if I saw this right)
(21:47:08) ordex: yap
(21:47:23) ordex: a guy says he's using that patchset, so he'd be fine with 
testing the rebased code
(21:47:54) cron2: yes!
(21:48:06) ordex: I have the tls-group patch on my plate too
(21:48:12) ordex: will review these days
(21:48:15) cron2: nice
(21:48:28) cron2: oh, and the tls-auth-token stuff is still not working 
(21:48:40) cron2: it is biting people @ work, so I know what to look for
(21:49:19) cron2: (when the token expires after 8h, and people re-login with 
2FA, this *new* token is then not stored properly in the client, and 1h later - 
tls reneg-sec - the client is AUTH_FAILED again)
(21:49:41) cron2: I need to reproduce this in a test setup with shorter timers, 
and then I can poke plaisthos about it
(21:50:30) cron2: mattock: what about your end?
(21:52:23) mattock: my end has not moved forward, because I wanted to get a 
rather big internal project out of my hands first - but that is almost done so 
I can probably really move forward with the MSI stuff etc. next week
(21:52:36) cron2: cool
(21:52:43) mattock: I want to minimize multi-tasking and rather focus on it 
(21:52:43) cron2: well, the outlook is :)
(21:55:20) mattock: anything else?
(21:55:22) cron2: we need to add some sort of motivation for people here to be 
a bit more talkative, like "who types most words gets a free bottle of beer" :-)
(21:55:35) cron2: not on 2.5, but on community & IPv6...
(21:56:25) Pippin_: free beer? i'm in :)
(21:56:52) ordex: :p
(21:56:56) cron2: mattock: shall I add your e-mail address to our monitoring, 
so you can hear first-hand if IPv6 breaks...?
(22:02:16) mattock: Pippin_: congratulations: you made it to the attendee list 
with that!
(22:02:18) mattock: :)
(22:02:28) mattock: cron2: hmm
(22:02:43) mattock: I could maybe actually add those IPv6 addresses to our 
monitoring system
(22:02:54) cron2: sounds like a plan :)
(22:02:57) mattock: it is a recent EC2 instance all of which _do_ have IPv6 
(22:03:09) cron2: (right now, the problem is "there is no v6 address in the DNS 
for community", so it seems cloudflare messed that up)
(22:03:09) mattock: I really don't know what broke it, unless reboot changes 
the public IPv6 address
(22:03:16) mattock: oh
(22:03:18) mattock: ok
(22:03:29) cron2: no, it's 
(22:03:30) cron2: $ ping6 community.openvpn.net
(22:03:30) cron2: ping6: hostname nor servname provided, or not known
(22:03:47) cron2: it was cloudflared to death
(22:04:00) mattock: regardless, monitoring the IPv6 addresses makes sense 
because not too many people use it so breakages may go unnoticed for too long, 
even without manual cron2-monitor
(22:04:16) mattock: ok I'll add a ticket about this to myself
(22:04:19) cron2: +1 *like* *thumbsup* :-)
(22:04:20) cron2: thanks
(22:08:21) mattock: created
(22:08:50) mattock: we need service and certificate monitoring anyways and we 
already have the tools for it
(22:08:58) mattock: so this is just a small extension of it
(22:09:03) mattock: not a big deal(tm)
(22:09:08) mattock: ok 9 minutes past so that's it
(22:09:15) mattock: summary almost ready
(22:09:16) dazo: :)
(22:09:51) cron2: fine.  I'm tired and need a beer & sofa now - good night, 
(22:10:19) mattock: good night!

Openvpn-devel mailing list