On 21/04/2014 05:33, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
remote-override -- replace the hostname in all remote
directives with alt-remote.
Just a question. How does remote-override differ from ip-remote-hint?
Both options seem to have the same effect aside from very su
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
I haven't looked at the code but if I remember correctly, this method does
not ge
On 21/04/2014 05:49, Gert Doering wrote:
Hi,
On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
of installations in TLS 1.0. Is there any other known case where it
breaks aside from the Tomato OpenVPN client?
Patch has been applied to the master and release/2.3 branches.
commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce (master)
commit 413f052937179c60cadf571933a3eb4b3058a7dc (release/2.3)
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun Apr 20 20:41:01 2014 +0200
Mi
Hi,
On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
> Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
> of installations in TLS 1.0. Is there any other known case where it
> breaks aside from the Tomato OpenVPN client?
http://community.openvpn.net/openvpn/
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which needs
crypto/ssl headers.
Signed-off-by: Steffan Karger
---
src/plugins/auth-pam/Makefile.am | 5 +++--
src/plugins/down-root/Makefile.am | 3 ++-
2 files c
On 21.04.2014 09:10, James Yonan wrote:
remote-override -- replace the hostname in all remote
directives with alt-remote.
Just a question. How does remote-override differ from ip-remote-hint?
Both options seem to have the same effect aside from very subtle
differences. Perhaps we should add t
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
I haven't looked at the code but if I remember correctly, this method does
not get passed the actual flags but the flags s
ACK (you're the one who builds most with MSVC anyway, so you know).
Your patch has been applied to the master and release/2.3 branches.
commit 6b8e2f4a8143a7260a06b6999dcb21c4c72fc620 (master)
commit 040b306f58fa0cc175c66ed67f390c0a289ddd4e (release/2.3)
Author: James Yonan
List-Post: openvpn-dev
On 21.04.2014 12:42, Gert Doering wrote:
Hi,
On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote:
On 21-04-14 09:10, James Yonan wrote:
For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific
On 20.04.2014 20:41, Gert Doering wrote:
- remove built tests/t_client.sh script on "make clean"
- ignore Linux iproute2 "ssthresh " output that sometimes shows up
in "ip -6 route show" and breaks before/after comparison
ACK.
Arne
ACK (as in "fixes the build for me". None of the default plugins will
actually *use* this, and any plugin using x509 stuff would have to be
adapted to the 1.3 API - yes, this is the way it is)
Your patch has been applied to the master branch.
commit cc1cee74c683ce92e56bb6a6170988fb6520b803
Autho
Hi,
On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote:
> On 21-04-14 09:10, James Yonan wrote:
> > For OpenSSL, this means to use TLSv1_(client|server)_method rather
> > than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
> > for specific TLS versions to disable.
>
> I
Hi,
On 21-04-14 09:10, James Yonan wrote:
> For OpenSSL, this means to use TLSv1_(client|server)_method rather
> than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
> for specific TLS versions to disable.
I'm not sure I understand the rationale behind this. If I don't specify
a min
Hi,
On 21-04-14 11:04, Gert Doering wrote:
> When test-building, it seems that there is a patch missing to the plugin
> API bits...
Ah, right, I usually compile polar builds without the plugin api.
Attached a patch that should fix this. It compiles and passes client_t
tests, but I don't have plu
Your patch has been applied to the master branch.
commit 5e0112d9c60c488d3951491052d1aec8ef793023
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date: Tue Feb 4 13:58:05 2014 +0100
Improve error reporting during key/cert loading with PolarSSL.
Signed-off-by: St
Your patch has been applied to the master branch.
commit 03df3a990f71b3d02653eba364ac89f8400611c3
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date: Tue Feb 4 13:57:15 2014 +0100
Upgrade to PolarSSL 1.3
Signed-off-by: Steffan Karger
Acked-by: James Yon
Updated patch.
vpn_binding_key:
- keying material derived by openvpn's crypto later (ssl.c:tls1_*)
- life time across negotiations (works a bit like EKM)
tls_ekm: Exported Keying Material [RFC 5705]
- derived when crypto backend supports it (currently openssl >= 1.0.2)
diff --git a/src/op
Hi,
On Sat, Apr 19, 2014 at 04:33:39PM +0200, Steffan Karger wrote:
> Ouch, James was totally right. This would always be true, but should
> always be *false* for reasonable input; the check has to be the other
> way around. Attached the same two patches, except for that single
> character...
Mer
On 19/04/2014 08:33, Steffan Karger wrote:
Hi,
On 04/18/2014 02:49 PM, Steffan Karger wrote:
On 04/17/2014 09:41 PM, James Yonan wrote:
I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part.
Wouldn't this always be true for reasonable values of hashlen and asn_len?
This should in
For OpenSSL, this means to use TLSv1_(client|server)_method rather
than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
for specific TLS versions to disable.
For PolarSSL, this means to avoid calling ssl_set_min_version and
instead implicitly control the TLS version via allowed ciphe
MSVC 2013 C library now defines strtoull() function,
so use the native implementation when available.
Signed-off-by: James Yonan
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 99c00f9..9a95ae6 100644
--- a/config-msvc.h
+++ b/config-m
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
src/openvpn/forward.c | 6 +-
src/openvpn/forward.h | 4 +++-
2 files changed, 4 insertions(+), 6 del
remote-override -- replace the hostname in all remote
directives with alt-remote.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
src/openvpn/options.c | 7 ++-
src/openvpn/options.h | 2 ++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/options.c b/src/op