[Openvpn-devel] The end of the Gmane archive

2016-07-29 Thread Jonathan K. Bullard
Yesterday Lars Ingebrigtsen, who established and has run Gmane since
2002, posted an article saying that Gmane might go away [1].

He posted an update [2] which says the Gmane archive *has* gone away
and unless someone steps up to take it over, it is gone for good.

The OpenVPN mailing list archives are still available on SourceForge,
but it might be worth thinking about adding openvpn-dev and
openvpn-users to The Mail Archive [3] or some other such service.

[1] https://lars.ingebrigtsen.no/2016/07/28/the-end-of-gmane
[2] https://lars.ingebrigtsen.no/2016/07/28/the-end-of-gmane/comment-page-1/#comment-13502
[3] https://www.mail-archive.com



Re: [Openvpn-devel] [PATCH] Allow ncp-disable and ncp-ciphers to be specified in ccd files

2016-07-29 Thread Jan Just Keijser

Hi,

On 25/07/16 20:52, Steffan Karger wrote:

This allows the ncp-disable and ncp-ciphers options to be used in 'client
config dir' files, to disable or change the negotiable crypto parameter
settings for specific clients.

Signed-off-by: Steffan Karger 
---
  src/openvpn/options.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 18af179..79dcb79 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -,12 +,12 @@ add_option (struct options *options,
  }
else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2])
  {
-  VERIFY_PERMISSION (OPT_P_GENERAL);
+  VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
options->ncp_ciphers = p[1];
  }
else if (streq (p[0], "ncp-disable") && !p[1])
  {
-  VERIFY_PERMISSION (OPT_P_GENERAL);
+  VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
options->ncp_enabled = false;
  }
else if (streq (p[0], "prng") && p[1] && !p[3])
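Review bot: both changed lines only widen the permission mask to OPT_P_GENERAL|OPT_P_INSTANCE while the assignments below them still write into the shared `options->ncp_ciphers` and `options->ncp_enabled` fields, so the patch should state (in the commit message, or as a comment at the assignments) that these two fields are read from the per-client copy of the options after the ccd file has been applied; if any part of the negotiation path reads them from the global options, an `ncp-disable` in one client's ccd file would take effect for every client. Worth documenting as well: `ncp-ciphers` from a ccd file is stored as the raw `p[1]` string with no validation in this branch, so a misspelt or unsupported cipher name in a ccd file will only surface at negotiation time rather than at config parse time.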


Another remark: making this option CCD-file specific is a good idea, but 
how do you ensure that the server only applies it to this particular 
client?  o->ncp_enabled seems a global at first glance. Consider this 
scenario:


1) client A connects, for which we want to disable NCP; hence a 
client-connect script or CCD file with 'ncp-disable' in it;

2) client B connects, no CCD file, it's running v2.4+, so we want NCP.

How does the server handle this?  Or did I miss the "per-client options" 
struct?


JJK



Re: [Openvpn-devel] [Openvpn-users] tls-cipher

2016-07-29 Thread Steffan Karger
On Thu, Jul 28, 2016 at 11:28 PM, Yevgeny Kosarzhevsky
 wrote:
> On 25 July 2016 at 12:18, Steffan Karger  wrote:
>> This is likely due to the ECDHE part - this is not supported for
>> OpenVPN 2.3 with OpenSSL (it is for PolarSSL).  Use DHE instead, or
>> switch to the OpenVPN master branch.  The master branch does have
>> ECDH(E) support for OpenSSL too.
>
> I am getting this cipher in the list of supported showed by --show-tls
> option on both sides. So I consider there is something wrong. Maybe it
> makes sense not to show unsupported ciphers?

Yes, that would make sense, but we can't.  Primarily because OpenSSL
does not provide an interface to do so, but also because we don't know
up front what kind of certificates will be used, and whether OpenVPN
will be run as a client or server (client-side support for ECDH should
work with ovpn-2.3 + openssl too, but I didn't test).

-Steffan