On 2009.11.12 at 10:01:55 -0700, James Yonan wrote:
> Victor Wagner wrote:
> > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
> >
> >> Can you submit a patch (as an email attachment) with this fix?
> > Attached
> >
> > This patch also contains X509_NAME_oneline replacement, which handles
> >
On 12/11/09 16:37, Victor Wagner wrote:
> On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote:
>> I completely agree, that under normal circumstances, it should be enough
>> by letting OpenSSL take care of the certificate chain. But as OpenVPN
>>
Victor Wagner wrote:
> On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
>
>> Can you submit a patch (as an email attachment) with this fix?
> Attached
>
> This patch also contains X509_NAME_oneline replacement, which handles
> MSB characters.
>
> I've not checked if this patch applies cleanly
On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote:
> I completely agree, that under normal circumstances, it should be enough
> by letting OpenSSL take care of the certificate chain. But as OpenVPN
> now does list more certificates already, I was just trying to keep that
> possibility still
Yes indeed. Much appreciated James.
Matt.
Dunc wrote:
I see,
Thanks very much for clearing that up James.
Cheers,
Dunc
James Yonan wrote:
Well the problem is that even though OpenVPN doesn't rely on OpenSSL
renegotiations, it does not explicitly disable them. So to be safe,
it's
Hi,
I've rebased and rewritten the patch which gives SHA1
fingerprints/digests of the certificates in the environment table for
plug-ins and scripts.
The patch can be downloaded here:
Hi,
I rebased the latest incarnation of the ipv6 patch (0.4.10)
to openvpn 2.1_rc21 release.
Changes from v0.4.9..v0.4.10:
* All platforms:
- implemented redirect-gateway support for ipv4 on ipv6 endpoints
- several src cleanups (no actual code changes)
- doc updates
* win32:
- expanded usage
On 12/11/09 12:51, Till Maas wrote:
> On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote:
>
>> 1) The certificate is first dumped to file. Would it be possible to
>> pass it only via environment table, to avoid the file stage? The
I see,
Thanks very much for clearing that up James.
Cheers,
Dunc
James Yonan wrote:
> Well the problem is that even though OpenVPN doesn't rely on OpenSSL
> renegotiations, it does not explicitly disable them. So to be safe,
> it's better to upgrade to the fixed version of OpenSSL (0.9.8l).
On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote:
> 1) The certificate is first dumped to file. Would it be possible to
> pass it only via environment table, to avoid the file stage? The reason
> for this is primarily security (not to write more to disk than what you
> really
Well the problem is that even though OpenVPN doesn't rely on OpenSSL
renegotiations, it does not explicitly disable them. So to be safe,
it's better to upgrade to the fixed version of OpenSSL (0.9.8l).
Also note that using tls-auth prevents the cited MITM attack
(CVE-2009-3555) even when
Hi James,
Thanks for getting back to me.
I was starting to wonder the same myself, but when I found this thread
http://article.gmane.org/gmane.network.openvpn.user/28105
I thought I must be missing something.
So if OpenVPN always uses a new session, what would be the point of
adding an option
Hello,
I have posted an email to this list regarding 2.1 rc20 and multiple
network interfaces. It was on October 29.
As I see no reply, please tell me where the place to put bug reports is.
Regards,
Olaf Frączyk
--
Olaf Frączyk
NAVI
http://www.navi.pl
http://www.ntp.navi.pl
This release is to respond to the OpenSSL vulnerability CVE-2009-3555.
Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability. This is not the case. OpenVPN does
not rely on
On 11/11/09 22:15, Karl O. Pinc wrote:
> On 11/11/2009 06:26:04 AM, David Sommerseth wrote:
>> On 11/11/09 12:06, Mathieu GIANNECCHINI wrote:
>>> Victor Wagner wrote:
>
But if entire
OpenVPN uses a fresh SSL/TLS session for each of its mid-session
renegotiations. This means that when you see:
TLS: soft reset sec=0 bytes=314/0 pkts=6/0
OpenVPN is actually creating a brand new SSL/TLS session. So the
important point here is that OpenVPN does not rely on the session