[Openvpn-devel] [PATCH] [PATCHv2] enhance tls-verify possibility

2010-03-01 Thread David Sommerseth
From: Mathieu GIANNECCHINI It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch adds a new

Re: [Openvpn-devel] [PATCH] Allow 'lport 0' setup for random port binding

2010-03-01 Thread David Sommerseth
On 28/02/10 14:44, David Sommerseth wrote: > From: Enrico Scholz > > I am running a multihomed host where 'local ' must be specified > for proper operation. Unfortunately, this implies 'lport 1194' or > another

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread Bernhard Schmidt
On 01.03.2010 22:59, David Sommerseth wrote: Could you please have a look at git://git.birkenwald.de/openvpn.git test-rebase branch? The history of gert-ipv6 was starting to look a bit weird (duplicate commits with the same content), so I rebased it on your bugfix2.1 branch (and dropped the

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread David Sommerseth
On 01/03/10 22:41, Bernhard Schmidt wrote: > Hi David, > >>> It doesn't make a difference at the moment (since the patch came from >>> feat_ipv6_payload in the first place), but what's the general wish for >>> the future? What to rebase on? >> >> To

Re: [Openvpn-devel] OpenVPN default gateway problems on Windows after resume from hibernation

2010-03-01 Thread Pasi Kärkkäinen
On Tue, Jan 26, 2010 at 05:51:36PM +0200, Pasi Kärkkäinen wrote: > On Wed, Dec 16, 2009 at 10:48:30AM +0200, Pasi Kärkkäinen wrote: > > On Thu, Dec 10, 2009 at 02:15:01PM +0200, Pasi Kärkkäinen wrote: > > > Hello, > > > > > > I'm having some problems with OpenVPN (2.1rc20) on Windows Vista. > >

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread David Sommerseth
On 01/03/10 22:09, Bernhard Schmidt wrote: > David Sommerseth wrote: > > Hi David, > >>> David, could you please pull my branch from Berni, and move that patch >>> to wherever bugfixes/code cleanups go? It should

[Openvpn-devel] [PATCH] The man page needs dash escaping in UTF-8 environments

2010-03-01 Thread David Sommerseth
From: Jan Brinkmann There was a Debian bug report which was filed in 2005. It was patched but it seems that nobody forwarded the patch to the openvpn project itself. The problem is quite simple: The dashes for

[Openvpn-devel] Sent "testers wanted" mail to -users list

2010-03-01 Thread Samuli Seppänen
Hi, I noted we've had some problems testing the new code against some OS'es (e.g. OpenBSD), so I just sent an "OpenVPN testers wanted" mail to the "openvpn-users" list: http://sourceforge.net/mailarchive/forum.php?thread_name=4B8BF01A.20501%40openvpn.net_name=openvpn-users I suggest we use a new

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 02:59:42PM +0100, David Sommerseth wrote: > It should be nice to enhance tls-verify check possibilities against peer > cert during a pending TLS connection like : > - OCSP verification > - check any X509 extensions of the peer certificate > - delta CRL verification > -

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 08:12:03 AM, Stefan Monnier wrote: > >> If someone could give at least some vaguely plausible scenario, > >> that'd help. > > Maybe there's more than one tunnel and there's some stupid > > load balancing going on using a hosts file? (Along with > > deleting all non-vpn routes.) > >

[Openvpn-devel] Free copies of Packt's new OpenVPN book at Cebit, Hannover, Germany

2010-03-01 Thread Markus Feilner
Hello list, Thanks a lot for the great software you are building here! I have a little announcement: "On Wednesday, March 03, Packt author Markus Feilner will have a signing event at the German Cebit IT conference (http://www.cebit.de). In hall 2, at the booth of his employer Linux New

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Stefan Monnier
>> If someone could give at least some vaguely plausible scenario, >> that'd help. > Maybe there's more than one tunnel and there's some stupid > load balancing going on using a hosts file? (Along with > deleting all non-vpn routes.) [ Setting aside the fact that using OpenVPN's broken handling

Re: [Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good pingwhen -l 1472 (with packet size = MTU)

2010-03-01 Thread booyakasha
I spent much time on this problem and it is not a simple question of configuration to be discussed on the users forum. I've tried all sorts of combinations of MTU sizes from extremely small to very big, all settings regarding MSS, RWIN, mssfix and so on... I'm not accusing anyone because of

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 04:22:04 AM, David Sommerseth wrote: > On 01/03/10 06:32, Karl O. Pinc wrote: > > On 02/28/2010 10:24:36 PM, Peter Stuge wrote: > >> David Sommerseth wrote: > >>> +++ b/options.c > >>> @@ -529,6 +529,9 @@ static const char usage_message[] = > >>>" tests of

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:52:56 PM, Karl O. Pinc wrote: > On 02/28/2010 11:39:11 PM, Peter Stuge wrote: > > Karl O. Pinc wrote: > > > > > + "--tls-export-cert [directory] : Get peer cert in PEM > format > > and > > > > > > There is no man page. It's in sample-scripts/. > > > > It's a new option, right?

Re: [Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good ping when -l 1472 (with packet size = MTU)

2010-03-01 Thread David Sommerseth
On 01/03/10 13:04, booyakasha wrote: > Hello, > there are so many complaints about openvpn performance in proto tcp mode > that it is almost unbelievable that nobody took care of it. I am using two > 20/20 MB connections and openvpn > tunnel in tcp

[Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good ping when -l 1472 (with packet size = MTU)

2010-03-01 Thread booyakasha
Hello, there are so many complaints about openvpn performance in proto tcp mode that it is almost unbelievable that nobody took care of it. I am using two 20/20 MB connections and an openvpn tunnel in tcp mode. Without VPN my ping is about 10ms but with VPN it jumps to 520ms. What is most

Re: [Openvpn-devel] [PATCH] Add CID to the management status overview

2010-03-01 Thread David Sommerseth
On 28/02/10 15:28, Gert Doering wrote: > Hi, > > On Sun, Feb 28, 2010 at 01:50:35PM +0100, David Sommerseth wrote: >> There are commands in the management interface which require the cid. The >> only way at the moment to get the cid of connected

[Openvpn-devel] Regarding patch reviews

2010-03-01 Thread David Sommerseth
Hi all! I am delighted to see that more people begin to respond to patches being sent. These discussions are crucially important for us and the OpenVPN community, and even the OpenVPN company I would presume. However, I would like you to do a

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread David Sommerseth
On 01/03/10 12:03, Arne Schwabe wrote: > On 01.03.2010 11:16, David Sommerseth wrote: >> On 28/02/10 15:56, Arne Schwabe wrote: >>> On 28.02.2010 14:22, David Sommerseth wrote:

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Arne Schwabe
On 01.03.2010 11:16, David Sommerseth wrote: On 28/02/10 15:56, Arne Schwabe wrote: On 28.02.2010 14:22, David Sommerseth wrote: On 26/06/09 17:00, Arne Schwabe wrote: Hi, I have written a simple

Re: [Openvpn-devel] [Feedback needed] Fix cross compile support

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 10:25:10PM +0100, David Sommerseth wrote: > I'm reviewing this patch in the patch tracker, and cannot make up my > mind if this is correct or not. Can someone please advise if this is > something we should include or not? > >

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread David Sommerseth
On 01/03/10 06:32, Karl O. Pinc wrote: > On 02/28/2010 10:24:36 PM, Peter Stuge wrote: >> David Sommerseth wrote: >>> +++ b/options.c >>> @@ -529,6 +529,9 @@ static const char usage_message[] = >>>" tests of certification. cmd

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread David Sommerseth
On 01/03/10 04:52, Karl O. Pinc wrote: >>> If one of these files is found the file is used as PF configuration. >> > Maybe >>> > > this plugin is useful for someone else. >> > >> > Hi! >> > >> > Thank you for your patches. I've been looking at both

Re: [Openvpn-devel] special-case code for OpenBSD - advice needed

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 10:13:10PM -0600, Karl O. Pinc wrote: > So, you should not need to do the ifconfig at all unless you're > interested in tap functionality or there's other odd > frobbing going on. You need ifconfig to set an IP address :-) - which might be considered "odd frobbing",

[Openvpn-devel] [PATCH] Final frobbing of openvpn(8) --tls-verify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index 70e1e68..51d6ac5 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4236,7 +4236,7 @@ should return 0 to allow the TLS handshake to proceed, or 1

[Openvpn-devel] [PATCH] Yet another tweak of openvpn(8) --tls-verify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index 9512fc3..70e1e68 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4235,8 +4235,8 @@ should return 0 to allow the TLS handshake to proceed, or 1

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:39:11 PM, Peter Stuge wrote: > Karl O. Pinc wrote: > > > > + "--tls-export-cert [directory] : Get peer cert in PEM format > and > > > > There is no man page. It's in sample-scripts/. > > It's a new option, right? The sample script has a new option, yes. But the --tls-verify

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:32:46 PM, Karl O. Pinc wrote: > However, the openvpn(8) --tls-verify section of the man page > is poor. I just sent another patch that clarifies it. > Perhaps this is what you're looking for? If not then > just ignore my man page patch. I just sent another man page patch to be

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Peter Stuge
Karl O. Pinc wrote: > > > + "--tls-export-cert [directory] : Get peer cert in PEM format and > > There is no man page. It's in sample-scripts/. It's a new option, right? //Peter

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 10:24:36 PM, Peter Stuge wrote: > David Sommerseth wrote: > > +++ b/options.c > > @@ -529,6 +529,9 @@ static const char usage_message[] = > >" tests of certification. cmd should return 0 > to allow\n" > >" TLS handshake to proceed, or 1 to

[Openvpn-devel] [PATCH] Frob the openvpn(8) man page tls-verify section to clarify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 | 22 +- 1 files changed, 13 insertions(+), 9 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index f1612a7..0150ba7 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4232,11 +4232,23 @@ test). .B cmd should return 0 to

Re: [Openvpn-devel] [PATCH] OpenVPN PKCS11-ID autoselect

2010-03-01 Thread Alon Bar-Lev
I disagree. The first certificate tells you nothing; usually you have several (signing, authentication, decryption). The first is random, and random is bad. After a while the old certificates also expire and you have new ones added to the card. It would not be wise to enforce your card scheme on others.

Re: [Openvpn-devel] [Feedback needed] Fix cross compile support

2010-03-01 Thread Alon Bar-Lev
Yes, it is better than current. Should use --host= and not --target= for cross compile. 1. I would not touch host_alias it is irrelevant and may lead to problems. Use only host variable in autoconf. 2. The case in autoconf should be '*-*-os*)' and not '*os*)' 3. I don't think it is so important

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 02:04:01 PM, Stefan Monnier wrote: > > I'm at a loss when it comes to try and imagine someone who's used to > the > current behavior and bothered by the new behavior. Really. How can > the > current behavior ever be preferable? Why would someone ever prefer > that > a route

Re: [Openvpn-devel] special-case code for OpenBSD - advice needed

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 08:50:01 AM, Gert Doering wrote: > Hi, > > while working on "make IPv6 payload work on Win32", I found something > quite peculiar for OpenBSD in the OpenVPN code. > > Now, for all operating systems *except* Win32 and OpenBSD, the > sequence > of execution is > > open_tun() >

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 07:22:16 AM, David Sommerseth wrote: > On 26/06/09 17:00, Arne Schwabe wrote: > > Hi, > > > > I have written a simple plugin for packet filtering that looks up > fw > rules > > in the order > > > > Commonname.pf > > IP_Port.pf > > IP.pf > > default.pf > > > > If one of these files is

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Arne Schwabe
On 28.02.2010 14:22, David Sommerseth wrote: On 26/06/09 17:00, Arne Schwabe wrote: Hi, I have written a simple plugin for packet filtering that looks up fw rules in the order Commonname.pf IP_Port.pf IP.pf default.pf If one of these files is