Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-29 Thread mike tancsa

On 9/28/2023 9:55 PM, Selva Nair wrote:

> Hi Mike
>
> I misunderstood Arne's comment. We default to security level 1 but
> that forbids SHA1 signatures in OpenSSL 3.0+.
>
> Could you test with "tls-cert-profile Insecure" in the config file?
> It's not recommended but useful to check.


Thanks! That allows it to connect

    ---Mike



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
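A pre-flight check for the problem diagnosed in this thread, as an added example that is not part of the original thread or of OpenVPN: it parses `openssl x509 -text` output and reports what OpenSSL 3.0's security level 1 would reject (SHA1 or MD5 signatures, RSA/DSA/DH keys under 1024 bits, EC keys under 160 bits, per the SSL_CTX_set_security_level documentation). The sample dump is constructed to mirror the certificate quoted in the thread, and the function names are mine. Running it over each client certificate before the upgrade tells you which ones will fail, rather than lowering the profile with "tls-cert-profile Insecure".

```python
import re

# Constructed sample: an abbreviated `openssl x509 -text -noout` dump shaped like
# the certificate in the thread (sha1WithRSAEncryption signature, 2048-bit RSA key).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7109 (0x1bc5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CA, ST = ON, O = Example CA, CN = Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""

# What OpenSSL 3.0 security level 1 refuses (SSL_CTX_set_security_level(3)):
# SHA1/MD5 signatures, RSA/DSA/DH keys < 1024 bits, EC keys < 160 bits.
WEAK_DIGEST = re.compile(r"(md5|sha1)(?!\d)", re.IGNORECASE)
MIN_KEY_BITS = {
    "rsaEncryption": 1024,
    "dsaEncryption": 1024,
    "dhKeyAgreement": 1024,
    "id-ecPublicKey": 160,
}


def parse_x509_text(text):
    """Extract signature algorithm, key algorithm and key size from `openssl x509 -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (sig and key_alg and bits):
        raise ValueError("input does not look like a complete 'openssl x509 -text' dump")
    return {
        "sig_alg": sig.group(1),
        "key_alg": key_alg.group(1),
        "key_bits": int(bits.group(1)),
    }


def security_level1_problems(info):
    """Return the reasons a certificate with these properties fails security level 1."""
    problems = []
    weak = WEAK_DIGEST.search(info["sig_alg"])
    if weak:
        problems.append(
            f"signature algorithm {info['sig_alg']} uses {weak.group(1).lower()}, "
            "which is forbidden for signatures at security level 1 (OpenSSL 3.0+)"
        )
    minimum = MIN_KEY_BITS.get(info["key_alg"])
    if minimum is not None and info["key_bits"] < minimum:
        problems.append(
            f"{info['key_alg']} key of {info['key_bits']} bits is below the "
            f"{minimum}-bit minimum at security level 1"
        )
    return problems


def check_x509_text(text):
    """Parse a dump and return its problem list (empty list = accepted at level 1)."""
    return security_level1_problems(parse_x509_text(text))


if __name__ == "__main__":
    # Typical use: openssl x509 -in client.crt -text -noout | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_X509_TEXT
    for problem in check_x509_text(data) or ["accepted at security level 1"]:
        print(problem)
```

The digest check is a substring match on the algorithm name so that both `sha1WithRSAEncryption` and `ecdsa-with-SHA1` are caught; the key-size rule is keyed on the OID name OpenSSL prints, so an unknown algorithm simply gets no size check rather than a false alarm.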


Re: [Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread mike tancsa

Hi Selva,

    Thank you for looking!



> My guess is that something in the certificate or private key is not to
> OpenSSL 3.1's liking and it rejects it. Is there any way for you to
> check the contents of the token independently using a tool linked against
> OpenSSL 3.1 ?


What am I looking for in that case ?  Taking a look at the cert just 
with openssl 3.0 on FreeBSD releng14 it seems ok with it. Same with the 
Windows version 3.1.x that comes with OpenVPN. Is it possible it doesn't 
like the sha1RSA sig ?


# openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
#

Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 7109 (0x1bc5)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C = CA, ST = ON, L = Cambridge, O = Sentex CA, CN = Sentex private1test CA CA, emailAddress = m...@sentex.ca

    Validity
    Not Before: Sep 27 19:43:01 2023 GMT
    Not After : Nov 13 19:43:01 2033 GMT
    Subject: C = CA, ST = ON, L = Cambridge, O = Sentex CA, OU = win10, CN = test123456mdt, emailAddress = m...@sentex.ca

    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    00:f5:e0:27:b5:28:0a:f8:a9:ce:13:33:a2:ca:27:

...

    ac:a8:b6:55:bb:a3:a4:43:e5:74:05:aa:c8:69:3d:
    ed:ef
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    Easy-RSA Generated Certificate
    X509v3 Subject Key Identifier:
74:72:3A:87:0D:34:7B:1E:11:C6:18:D2:41:99:C6:5E:D1:8A:81:95
    X509v3 Authority Key Identifier:
keyid:4F:A0:B0:94:92:6F:24:A7:D4:C6:93:A6:AA:25:63:6C:ED:1E:E3:8C
    DirName:/C=CA/ST=ON/L=Cambridge/O=Sentex Parklands CA/CN=Sentex Parklands CA CA/emailAddress=ppsupp...@sentex.ca

    serial:F5:3E:37:76:69:AC:EF:EC
    X509v3 Extended Key Usage:
    TLS Web Client Authentication
    X509v3 Key Usage:
    Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
    10:72:36:db:5c:f3:f5:fb:52:82:c7:4c:72:8f:31:ae:


[Openvpn-devel] pkcs11 config changes from 2.5.4 to 2.6.6 ?

2023-09-28 Thread mike tancsa
I am starting to test out 2.6.6 with a config that worked in 2.5.4 but 
am getting a failure on connect.  I did have a look through the 
Changes.rst file but didn't see anything different ? The only pkcs11 bits 
I have in the config are


pkcs11-providers eTpkcs11.dll
pkcs11-id 'pkcs11:model=eToken;token='

and the same config works with the older version. Are there new 
directives I need to add ?  This is a Gemalto/Thales etoken. Again, it 
works fine in this environment with the only change being the version of 
OpenVPN.



2023-09-28 17:05:12 us=484000 OpenVPN 2.6.6 
[git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] 
[PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-09-28 17:05:12 us=484000 Windows version 10.0 (Windows 10 or 
greater), amd64 executable
2023-09-28 17:05:12 us=484000 library versions: OpenSSL 3.1.2 1 Aug 
2023, LZO 2.10

2023-09-28 17:05:12 us=484000 DCO version: v0
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return 
rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty entry 
property='1', value=007116AFD5A0, value_size=4
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return 
rv=84-'CKR_FUNCTION_NOT_SUPPORTED'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty entry 
property='7', value=007116AFD5A8, value_size=8

2023-09-28 17:05:12 us=484000 PKCS#11: Setting property 7=*size*
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProperty return 
rv=0-'CKR_OK'

2023-09-28 17:05:12 us=484000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=484000 15 variation(s) on previous 20 message(s) 
suppressed by --mute
2023-09-28 17:05:12 us=484000 PKCS#11: Adding PKCS#11 provider 
'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider entry 
version='1.29.0', reference='eTpkcs11.dll'

2023-09-28 17:05:12 us=484000 PKCS#11: Register provider 'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider Provider 
'eTpkcs11.dll'
2023-09-28 17:05:12 us=484000 PKCS#11: Provider 'eTpkcs11.dll' 
registered rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_registerProvider return 
rv=0-'CKR_OK'
2023-09-28 17:05:12 us=484000 PKCS#11: pkcs11h_setProviderProperty entry 
reference='eTpkcs11.dll', property='0', value=018E5DBA6E88, 
value_size=13

2023-09-28 17:05:12 us=484000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=578000 75 variation(s) on previous 20 message(s) 
suppressed by --mute
2023-09-28 17:05:12 us=578000 PKCS#11: Failed to set cert and private 
key for OpenSSL
2023-09-28 17:05:12 us=578000 PKCS#11: __pkcs11h_openssl_ex_data_free 
entered - parent=018E5F93D200, ptr=, 
ad=018E5F93D290, idx=1, argl=0, argp=7FFDBF4E3D38
2023-09-28 17:05:12 us=578000 PKCS#11: 
pkcs11h_certificate_freeCertificate entry certificate=018E5DC4BA20
2023-09-28 17:05:12 us=578000 PKCS#11: _pkcs11h_session_release entry 
session=018E5DC00AC0
2023-09-28 17:05:12 us=578000 PKCS#11: _pkcs11h_session_release return 
rv=0-'CKR_OK'
2023-09-28 17:05:12 us=578000 PKCS#11: 
pkcs11h_certificate_freeCertificateId entry certificate_id=018E5FAF18B0
2023-09-28 17:05:12 us=578000 PKCS#11: pkcs11h_token_freeTokenId entry 
certificate_id=018E5FAF1CE0

2023-09-28 17:05:12 us=578000 NOTE: --mute triggered...
2023-09-28 17:05:12 us=578000 8 variation(s) on previous 20 message(s) 
suppressed by --mute
2023-09-28 17:05:12 us=578000 Cannot load certificate 
"pkcs11:model=eToken;token=ess123456mdt;manufacturer=SafeNet%2c%20Inc.;serial=02ca3753;id=%d2-%f7%94%98%8f%a2%60" 
using PKCS#11 interface
2023-09-28 17:05:12 us=578000 Error: private key password verification 
failed

2023-09-28 17:05:12 us=578000 Exiting due to fatal error


Thanks,

    ---Mike



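The URI that failed to load in the log above is an RFC 7512 PKCS#11 URI. The parser and option checker below are an added example, not OpenVPN's or pkcs11-helper's code: the parser splits path attributes on `;` and query attributes on `&` and percent-decodes values to bytes (the `id` attribute is binary, as the `%d2-%f7...` value in the log shows). The checker applies the usage rules that the `[PATCH v2]` message later on this page states for `--cert`/`--key` given as URIs (no mixing of a file with a URI, identical URIs for both, no `type=` attribute); those rules are taken from that commit message, not from shipped OpenVPN behaviour. Function names are mine; the sample URIs are the ones from the log and the config in this thread.

```python
from urllib.parse import unquote_to_bytes

# Sample values taken from this thread: the full URI OpenVPN logged in
# "Cannot load certificate ...", and the short form from the config file.
URI_FROM_LOG = ("pkcs11:model=eToken;token=ess123456mdt;manufacturer=SafeNet%2c%20Inc.;"
                "serial=02ca3753;id=%d2-%f7%94%98%8f%a2%60")
URI_FROM_CONFIG = "pkcs11:model=eToken;token="


def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 PKCS#11 URI into (path_attrs, query_attrs).

    Path attributes follow 'pkcs11:' and are separated by ';'; query attributes
    follow '?' and are separated by '&'. Values are percent-decoded to bytes,
    because attributes such as 'id' carry raw binary (see URI_FROM_LOG).
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def decode(component, separator):
        attrs = {}
        for part in (component.split(separator) if component else []):
            name, eq, value = part.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {part!r}")
            if name in attrs:
                raise ValueError(f"duplicate attribute {name!r}")
            attrs[name] = unquote_to_bytes(value)
        return attrs

    return decode(path, ";"), decode(query, "&")


def is_pkcs11_uri(value):
    return value is not None and value.startswith("pkcs11:")


def check_cert_key_options(cert, key):
    """Apply the --cert/--key URI rules from the [PATCH v2] commit message on this page.

    Returns a list of problems (empty list = acceptable combination):
    - a file for one option and a URI for the other is a usage error;
    - when both are URIs they must be identical (the same URI locates cert and key);
    - the URI must not carry a 'type' attribute (type=cert / type=private).
    """
    problems = []
    cert_is_uri, key_is_uri = is_pkcs11_uri(cert), is_pkcs11_uri(key)
    if key is not None and cert_is_uri != key_is_uri:
        problems.append("--cert and --key must both be files or both be PKCS#11 URIs")
        return problems
    if not cert_is_uri:
        return problems  # plain file paths: nothing URI-specific to check
    if key is not None and key != cert:
        problems.append("different URIs for --cert and --key are not supported")
    path_attrs, _ = parse_pkcs11_uri(cert)
    if "type" in path_attrs:
        problems.append("do not include type=cert or type=private; the same URI selects both objects")
    return problems


if __name__ == "__main__":
    for name, value in parse_pkcs11_uri(URI_FROM_LOG)[0].items():
        print(f"{name} = {value!r}")
    print(check_cert_key_options(URI_FROM_LOG, URI_FROM_LOG) or "cert/key URI usage OK")
```

Decoding to bytes rather than `str` matters for matching: the `id` in the log decodes to eight bytes that are not valid text, and comparing it against the CKA_ID attribute read from the token only works at the byte level.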


Re: [Openvpn-devel] Adding RSA-PSS support in pkcs11-helper

2021-07-30 Thread mike tancsa
Hi,

    Thanks, I finally got around to testing this with the current
version of OpenVPN from git and it works great on my
Aladdin/SafeNet/Gemalto/Thales token (model 510x)

Would be great if this was part of the default build/distribution.

I can now get TLS1.3 working using the pkcs11 interface.

    ---Mike

On 5/2/2021 7:13 PM, Selva Nair wrote:
> Hi,
>
> Currently RSA-PSS signatures are handled in pkcs11-helper by asking
> the token to do raw RSA signature of data already padded by OpenSSL.
> Many new hardware tokens refuse to support this mode and require the
> padding to be done in hardware.
>
> For a recent user report see this thread:
> https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html
>
> Probably there are some related tickets on Trac too.
>  
> In OpenVPN, we have a couple of options to fix this:
>
> (i) Use a different library like libp11 (for OpenSSL only).
> (ii) Extend pkcs11-helper
> (iii) Roll something new on our own :)
>
> After some thought, I have decided that extending pkcs11-helper may be
> the least painful approach --- not including the mental distress in
> getting code reviews and changes accepted. The "helper" has several
> features that we depend on and not readily available in alternatives.
>
> If anyone is interested in testing this, see
> https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support
>
> Though I've opened a PR at
> https://github.com/OpenSC/pkcs11-helper/pull/31, it's only an RFC
> and would likely require some iterations.
>
> Comments, suggestions for improvement, and test reports, are most welcome.
>
> Thanks,
>
> Selva
>



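To make the distinction in Selva's mail concrete, here is the padding step the host performs in the "raw RSA" mode, as an added example that is neither pkcs11-helper's code nor part of the thread: EMSA-PSS encoding and verification per RFC 8017 with SHA-256 and MGF1. In the mode Selva describes as failing on newer tokens, the host computes the encoded message EM as below and asks the token for an unpadded private-key operation on it (the standard PKCS#11 mechanism name for that, CKM_RSA_X_509, is not mentioned in the thread); a token that insists on padding in hardware instead takes the message hash and performs these same steps internally (CKM_RSA_PKCS_PSS). The `salt` parameter and the function names are mine; the fixed salt exists only to make the result reproducible.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256


def mgf1(seed, mask_len):
    """MGF1 (RFC 8017 B.2.1): concatenate Hash(seed || counter) until mask_len bytes."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pss_encode(message, em_bits, salt=None, salt_len=H_LEN):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1).

    Returns EM, the value the host hands to the token for a raw RSA private-key
    operation when padding is done on the host. em_bits is (modulus bits - 1),
    e.g. 2047 for a 2048-bit key. A fixed salt may be passed for reproducibility;
    in real use it must be fresh random bytes.
    """
    em_len = (em_bits + 7) // 8
    if salt is None:
        salt = os.urandom(salt_len)
    if len(salt) != salt_len:
        raise ValueError("salt length does not match salt_len")
    if em_len < H_LEN + salt_len + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    m_hash = HASH(message).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()          # H = Hash(M')
    ps = b"\x00" * (em_len - salt_len - H_LEN - 2)
    db = ps + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)          # clear unused leading bits
    return bytes(masked_db) + h + b"\xbc"


def pss_verify(message, em, em_bits, salt_len=H_LEN):
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): True iff em is a valid encoding of message."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (~top_mask & 0xFF):                    # leading bits must be zero
        return False
    db = bytearray(_xor(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - H_LEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:              # PS must be zeros, then 0x01
        return False
    salt = bytes(db[len(db) - salt_len:])
    m_hash = HASH(message).digest()
    return hmac.compare_digest(h, HASH(b"\x00" * 8 + m_hash + salt).digest())


if __name__ == "__main__":
    em = pss_encode(b"tls 1.3 CertificateVerify input", 2047)
    print(len(em), "byte EM; trailer 0x%02x; verifies:" % em[-1],
          pss_verify(b"tls 1.3 CertificateVerify input", em, 2047))
```

The point of seeing the encoding spelled out is that every step after `m_hash` depends on a salt the host chose; a token that only accepts a digest and pads internally cannot be given this EM, which is why the raw-RSA path in the helper has to be replaced by a PSS-aware mechanism for those devices.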


Re: [Openvpn-devel] [PATCH v2] Allow PKCS#11 uri to be used as --cert and --key file names

2021-07-27 Thread mike tancsa
That would be VERY handy to have for our use case

    ---Mike

On 7/27/2021 10:56 AM, Selva Nair wrote:
>
> It seems no one is interested in this to elicit a review.. I thought
> this would be a nifty feature ;)
>
> On Sun, May 9, 2021 at 9:32 PM  > wrote:
>
> From: Selva Nair mailto:selva.n...@gmail.com>>
>
> v2 changes
>   - do not allow so-path embedded in cert and key uri
>   - add --pkcs11-engine option to optionally specify the
>         engine and provider module to use
>
> If either --cert or --key is specified as a PKCS#11 uri, try to
> load the certificate and key from any accessible PKCS#11 device.
> This does not require linking with any pkcs11 library, but needs
> pkcs11 engine to be available on the target machine.
>
> In its simplest form, just have
>
> --cert 'pkcs11:id=%01'
>
> Either do not specify --key, or use the same uri for --key.
> Do not include type=cert or type=private in the uri
> as the same uri is used for both certificate and private key.
>
> That's all what is required if pkcs11 engine is installed in the
> right location and optionally set up to load any necessary provider
> libraries (e.g., via openssl.cnf or via PKCS11_MODULE_PATH).
>
> If both cert and key are specified, the last entry takes precedence
> and is used to locate both the certificate and key. Use of different
> uri's for the cert and key are not supported. Specifying --cert as
> a file and --key as a uri or vice versa is treated as a usage error.
>
> If the engine cannot be automatically loaded, or a custom engine
> object
> has to be loaded, the engine name or shared library may be specified
> using the newly added option
>
>    --pkcs11-engine engine [module_path]
>
> Here engine may the the engine-id that OpenSSL is configured to
> locate,
> or the path to a shared object. The optional 'module_path' specifies
> any provider module that must be loaded. It must be given as a path.
> Use full path or relative path for these shared objects based on the
> target system setup.
>
> Requires building with OpenSSL engine support although the pkcs11 or
> a compatible engine, and provider libraries are required only at
> run time.
>
> Signed-off-by: Selva Nair  >
> ---
>  Changes.rst                      |   6 +
>  doc/man-sections/tls-options.rst |  31 ++
>  src/openvpn/options.c            |  68 +++-
>  src/openvpn/options.h            |   7 ++
>  src/openvpn/ssl.c                |  15 ++-
>  src/openvpn/ssl_backend.h        |  10 ++
>  src/openvpn/ssl_openssl.c        | 183
> ++-
>  7 files changed, 316 insertions(+), 4 deletions(-)
>
> diff --git a/Changes.rst b/Changes.rst
> index 9185b55f..19d311e3 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -4,6 +4,12 @@ Overview of changes in 2.6
>
>  New features
>  
> +Specification of private key and certificates as PKCS#11 URI
> +    ``--cert`` and ``--key`` options can take RFC7512 PKCS#11
> +    URI's pointing to certificate and key in a token. Both cert
> +    and key must use the same URI. Requires OpenSSL with engine
> +    support and pkcs11 (or compatible) engine installed.
> +
>  Keying Material Exporters (RFC 5705) based key generation
>      As part of the cipher negotiation OpenVPN will automatically
> prefer
>      the RFC5705 based key material generation to the current custom
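Review bot: the new Changes.rst entry documents the ``--cert``/``--key`` URI form but not the ``--pkcs11-engine`` option that the v2 change list above says was added alongside it; a one-line pointer ("see ``--pkcs11-engine`` to select the engine and provider module") would keep the release notes complete. Minor: "RFC7512" should be written "RFC 7512" to match the "RFC 5705" entry directly below, and "URI's" should be "URIs".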
> diff --git a/doc/man-sections/tls-options.rst
> b/doc/man-sections/tls-options.rst
> index 00ea063a..7acfbdae 100644
> --- a/doc/man-sections/tls-options.rst
> +++ b/doc/man-sections/tls-options.rst
> @@ -116,6 +116,20 @@ certificates and keys:
> https://github.com/OpenVPN/easy-rsa
> 
>    authority functions, you must set up the files
> :code:`index.txt` (may be
>    empty) and :code:`serial` (initialize to :code:`01`).
>
> +--cert pkcs11-uri
> +  The local peer's certificate in a PKCS#11 token specified as a
> RFC 7512
> +  uri with optional custom attributes described below. Cannot be
> used with
> +  ``--key file``. ``--key`` must be left unspecified or point to
> the same
> +  uri. All other requrements for the certificate described under
> +  ``--cert file`` applies.
> +
> +  Requires OpenSSL with pkcs11 engine installed and configured.
> Also see
> +  the option ``--pkcs11-engine``.
> +
> +  As the same uri is used for certificate and private key, do not
> include type
> +  attribute (i.e., :code: `type=cert;` or :code: `type=private;`
> should not
> +  be included)
> +
>  --crl-verify args
>    Check peer certificate against a Certificate 
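Review bot: the RST role syntax in the last added paragraph is broken: ":code: `type=cert;`" and ":code: `type=private;`" have a space between the role and the opening backtick, so Sphinx will not render them as code (compare ":code:`index.txt`" in the context above); drop the space. Also "requrements" should read "requirements" and "applies" should be "apply" in "All other requrements for the certificate described under --cert file applies", and the final sentence of the paragraph is missing its full stop.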

Re: [Openvpn-devel] [Openvpn-users] FreeBSD+cryptodev testers wanted

2015-03-31 Thread Mike Tancsa

On 3/31/2015 10:30 AM, Mike Tancsa wrote:

> On 3/31/2015 10:23 AM, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Mar 31, 2015 at 09:39:46AM -0400, Mike Tancsa wrote:
>>> I am not able to reproduce this.
>>
>> You need to use --daemon to make openvpn fork().  Otherwise, it will
>> "just work", but after forking, the cryptodev file descriptor is no
>> longer valid -> boom.  Steffan's patch should fix that.
>
> Hi,
> Is having in the config
>
> daemon openvpn-hq
>
> not the same as --daemon from the arguments ?


Commenting out daemon in the config, and starting it up with

openvpn --daemon --config /usr/local/etc/openvpn/openvpn.conf

also works for me.  Perhaps it's the way the engine is loaded with this 
version of openssl in the base of FreeBSD ?


# openssl engine -t -c
(cryptodev) BSD cryptodev engine
 [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
 [ available ]
(rsax) RSAX engine support
 [RSA]
 [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
 [ available ]
(dynamic) Dynamic engine loading support
 [ unavailable ]

---Mike





--
-------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/



Re: [Openvpn-devel] [Openvpn-users] FreeBSD+cryptodev testers wanted

2015-03-31 Thread Mike Tancsa

On 3/31/2015 10:23 AM, Gert Doering wrote:

> Hi,
>
> On Tue, Mar 31, 2015 at 09:39:46AM -0400, Mike Tancsa wrote:
>> I am not able to reproduce this.
>
> You need to use --daemon to make openvpn fork().  Otherwise, it will
> "just work", but after forking, the cryptodev file descriptor is no
> longer valid -> boom.  Steffan's patch should fix that.


Hi,
Is having in the config

daemon openvpn-hq

not the same as --daemon from the arguments ?

---Mike





[Openvpn-devel] new OpenSSL Security Advisories

2014-08-07 Thread Mike Tancsa
Has anyone had a chance to evaluate the latest security issues and how 
they might impact OpenVPN ?


https://www.openssl.org/news/secadv_20140806.txt





[Openvpn-devel] latest OpenSSL security advisories

2014-06-05 Thread Mike Tancsa
A few more vulnerabilities it would seem. Can anyone shed light on how 
this impacts OpenVPN ?


http://www.openssl.org/news/secadv_20140605.txt

Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS  ?

---Mike



Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa

On 4/8/2014 10:13 AM, Steffan Karger wrote:

> On 08/04/2014 16:04, Mike Tancsa wrote:
>> How does one attack the client ? In my case, the client only connects
>> to my servers ? I use a tls-auth key file as well. If I understand
>> correctly, the scenario would be the attacker would have to have the
>> tls-auth key file, and then do a man in the middle attack to pretend
>> it's the server's IP, and then coax the client into allocating the 64k
>> block of memory as described in the above link ?
>
> Correct. But man-in-the-middle can also be something like DNS poisoning.
>
> If you use TLS-auth, the attacker must have previously obtained the TLS-auth
> key. When the user base is large, it is not unlikely that one of the users was
> compromised and should be considered malicious.


Thanks!  Although we are certainly planning to update the vulnerable 
clients, this is not quite as dire and urgent as first described in the 
popular press, at least as it applies to my client base. We also use IP 
addresses for the target servers in the client configs.


---Mike




Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Mike Tancsa

On 4/8/2014 9:42 AM, Steffan Karger wrote:


>> Perhaps a dumb question, but if the server instance is linked against
>> an older version of openssl (9.8.x), but the client is compiled and
>> linked against the vulnerable version, is it still an issue for both
>> sides, or is the client going to leak private information ?
>
> The client can then leak keys (both private master key and session keys), which
> completely breaks your secure connection, for that client.
>
> So when the server is not vulnerable, each client has to be attacked
> individually, and not-vulnerable clients have a secure connection to the
> server. As long as there are vulnerable clients, you should consider those as
> potentially malicious, and thus you should consider the network as insecure.


Thanks for the reply. I am still trying to understand as it relates to 
the analysis here


http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

How does one attack the client ? In my case, the client only connects to 
my servers ? I use a tls-auth key file as well. If I understand 
correctly, the scenario would be the attacker would have to have the 
tls-auth key file, and then do a man in the middle attack to pretend it's 
the server's IP, and then coax the client into allocating the 64k block 
of memory as described in the above link ?


---Mike




Re: [Openvpn-devel] Easy-RSA v3 release planning

2013-12-23 Thread Mike Tancsa
On 12/23/2013 4:38 AM, Jan Just Keijser wrote:
> Hi,
>> It's been a while since I tried / checked, but is there any support for
>> generating keys on an actual hardware token in Windows ?
>> Specifically, it would be great if I could do this with the
>> Safenet/Aladin java etoken.
>>
>> I can do it on Unix using the older non java version keys, but I never
>> quite figured out how to do it in Windows, and there is no Java etoken
>> support that I have found on FreeBSD as it requires pkcs15 via OpenSC.
>>   
> the newer Safenet java etokens require the Safenet driver software (or
> Aladdin eToken driver v5.0+). If you don't have access to this software
> then you're out of luck. If you do have access then generating keys on
> the token is doable (but not supported by easy-rsa at this moment).
> I've written scripts that work in both Windows (cygwin) and Linux to
> generate and install keys and certs on Aladdin/SafeNet etokens
> (32K/64K/72K). At one point I documented this for an older version of
> the eToken driver
>  http://wiki.nikhef.nl/grid/EToken
> esp section
> http://wiki.nikhef.nl/grid/Storing_your_grid_certificate_on_an_Aladdin_eToken
> 
> but the basic principle is the same for the newer driver (use
> eTPKcs11.dll on Windows)
> If there's any interest we could integrate this into the easy-rsa
> scripts, but as Eric Crist pointed out, this is VERY hardware and
> platform dependent.

Thanks! I will give this a try over the holidays. I do have the drivers
and client software for Windows. I just was never able to get a cert
generated under windows

---Mike






Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-18 Thread Mike Tancsa
On 1/17/2013 4:34 PM, Gert Doering wrote:
> 
>> I was following the directions at 
>> https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository
>
>> 
> On what platform did you build, and for which target?  Which git
> repository was checked out, and which branch?

I think the issue is that the source code that is downloaded from the
above URL through the git clone does not grab 2.3, but a snapshot
from 6 months ago.  I am cross building on Fedora, AMD64.

%git clone https://github.com/OpenVPN/openvpn-build.git
% cd openvpn-build/generic
% IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 \
CBUILD=x86_64-pc-linux-gnu ./build

Will build just fine, but the older version.

There also needs some manual fetching of files as URLs are out of date
for pkcs
FATAL: Cannot download
https://github.com/downloads/alonbl/pkcs11-helper/pkcs11-helper-1.10.tar.bz2
FATAL: Cannot download
https://github.com/downloads/OpenVPN/tap-windows/tap-windows-9.9.0_master.zip


If I make the following changes, I get the newer version built.
manually fetch
http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
into the openvpn-build/generic/sources
Get rid of the 2.3_master.tar.gz file
change the build.vars
--- build.vars.prev 2013-01-17 16:56:06.356577031 -0500
+++ build.vars  2013-01-17 16:56:21.970578237 -0500
@@ -5,7 +5,7 @@
 PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.10}"
 LZO_VERSION="${LZO_VERSION:-2.05}"
 TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.9.0_master}"
-OPENVPN_VERSION="${OPENVPN_VERSION:-2.3_master}"
+OPENVPN_VERSION="${OPENVPN_VERSION:-2.3.0}"
 OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-1.0.3}"

 
OPENSSL_URL="${OPENSSL_URL:-http://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz};
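Review bot: changing only the OPENVPN_VERSION default to 2.3.0 leaves the build unable to fetch the tarball on its own: the text above says openvpn-2.3.0.tar.gz had to be downloaded by hand from swupdate.openvpn.org into sources/, which means the download location the build uses for openvpn still points at the old place. To make the change self-contained, also update that download URL (the OPENSSL_URL context line shows the pattern, with the version substituted from the variable) or document the manual fetch next to the variable. Separately, the trailing "};" on the OPENSSL_URL context line looks like a mangled closing quote, so the patch as pasted here will not apply cleanly.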

and that builds the latest release.

---Mike







Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-16 Thread Mike Tancsa
On 1/16/2013 6:06 PM, David Sommerseth wrote:
> On 16/01/13 23:11, Mike Tancsa wrote:
> 
> $ git tag --contains fd02ae905df21e1119fb63521e7ff773d6f812dc 
> v2.3.0 v2.3_rc2
> 
> 
> However, it seems that the generic build tool needs some more
> tweaking to grab the packages correctly from github - they changed
> the download URLs.  Might be more issues there as well.
> 
> Samuli, can you check this?
> 
> How I compile OpenVPN is basically directly from the git tree,
> with these steps:
> 
> $ autoreconf -vi
Hi,
I think for me, the issue was in the initial cloning of the repo.

Looking at
https://github.com/OpenVPN

I see
https://github.com/OpenVPN/openvpn
updated 10 days ago

But the instructions point to
https://github.com/OpenVPN/openvpn-build

which was updated 6 months ago

---Mike




Re: [Openvpn-devel] [PATCH] Fix --show-pkcs11-ids

2013-01-16 Thread Mike Tancsa
Hi,
I have been following the steps to build OpenVPN from the sources and
was scratching my head as to why the prebuilt binary would work, but my
build from the sources would bork on --show-pkcs11-ids ?!?!   Searching
through the mailing list archives shows the patch below, which fixes my
problem.  It seems that this patch is not in the generic sources?

I was following the directions at
https://community.openvpn.net/openvpn/wiki/BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository

My question is, why would I not get the correct sources with the fix
below using the generic build ?  Is there a different / better way to do
it than what's outlined in the above url ?

Thanks!

---Mike

On 11/14/2012 4:03 AM, Adriaan de Jong wrote:
> [PATCH] Fix --show-pkcs11-ids (Bug #239)
> 
> Broken by 75b49e406430299b187964744f82e50a9035a0d3.
> 
> Signed-off-by: Joachim Schipper <joachim.schip...@fox-it.com>
> ---
>  src/openvpn/pkcs11.c |2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index 
> 645f1f4..3a15ef6 100644
> --- a/src/openvpn/pkcs11.c
> +++ b/src/openvpn/pkcs11.c
> @@ -887,7 +887,7 @@ show_pkcs11_ids (
> (dn = pkcs11_certificate_dn (
>   certificate,
>   
> -   ))
> +   )) == NULL
>   ) {
>   goto cleanup1;
>   }
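Review bot: the one-token fix is right (without "== NULL" the if branched to cleanup1 exactly when pkcs11_certificate_dn succeeded, which is how --show-pkcs11-ids ended up broken), but the hunk as quoted here has lost content: the line between "certificate," and "))" is blank, so the full argument list of pkcs11_certificate_dn is not visible and the patch will not apply from this mail; a git format-patch attachment would avoid that. A short sentence in the commit message naming the symptom (cleanup1 reached on success, nothing printed) would also make the inverted-check change easier to review than "Broken by <commit>" alone.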
> --
> 1.7.9.5
> 
> 

