Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread SviMik
> You can break this with something like: > > status /etc/openvpn/client/status.log > > in your configuration. Writing a status file > to /run/openvpn-{client,server}/status.log works, though. So the default > setups should be fine. Do we have any more cases where openvpn wants write > access

Re: [Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

2016-12-09 Thread David Sommerseth
On 10/12/16 00:19, Christian Hesse wrote: > From: Christian Hesse > > sd_notify() uses a socket to communicate with systemd. Communication > fails if the socket is not available within the chroot. So bind mount > the socket into the chroot when started from systemd. > > Unsharing

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 23:40: > On 09/12/16 22:54, Christian Hesse wrote: > > David Sommerseth on Fri, 2016/12/09 > > 22:37: > >> On 29/11/16 12:07, Christian Hesse wrote: > >>> From: Christian Hesse

[Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

2016-12-09 Thread Christian Hesse
From: Christian Hesse sd_notify() uses a socket to communicate with systemd. Communication fails if the socket is not available within the chroot. So bind mount the socket into the chroot when started from systemd. Unsharing namespace and mounting requires extra capability

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread David Sommerseth
On 09/12/16 22:54, Christian Hesse wrote: > David Sommerseth on Fri, 2016/12/09 22:37: >> On 29/11/16 12:07, Christian Hesse wrote: >>> From: Christian Hesse >>> >>> Drop --with-plugindir, instead use an environment variable PLUGINDIR >>> to

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 22:37: > On 29/11/16 12:07, Christian Hesse wrote: > > From: Christian Hesse > > > > Drop --with-plugindir, instead use an environment variable PLUGINDIR > > to specify the plugin directory. > > > > This

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
David Sommerseth on Fri, 2016/12/09 20:42: > On 09/12/16 19:13, Christian Hesse wrote: > > From: Christian Hesse > > > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > > except for the API file system subtrees /dev,

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 4:39 PM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 09/12/16 22:27, Steffan Karger wrote: > > > > Sounds like we have a final config on the CodeStyle page now. Are we > > ready to run it on all code now, and publish a reformat branch? > > > > Agreed.

Re: [Openvpn-devel] [PATCH applied] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread David Sommerseth
Your patch has been applied to the master branch commit 65140a3acfa42e5d42cdfcf8108f00a62d5767ff Author: David Sommerseth Date: Wed Dec 7 03:51:52 2016 +0100 systemd: Intermediate --chroot fix with the new sd_notify() implementation

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread David Sommerseth
On 09/12/16 22:27, Steffan Karger wrote: > > Sounds like we have a final config on the CodeStyle page now. Are we > ready to run it on all code now, and publish a reformat branch? > Agreed. I can do this later this night. -- kind regards, David Sommerseth OpenVPN Technologies, Inc

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

2016-12-09 Thread David Sommerseth
On 29/11/16 12:07, Christian Hesse wrote: > From: Christian Hesse > > Drop --with-plugindir, instead use an environment variable PLUGINDIR > to specify the plugin directory. > > This always defines PLUGIN_LIBDIR and enables plugin search path. > > Signed-off-by: Christian Hesse

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Steffan Karger
On 9 December 2016 at 21:43, Selva Nair wrote: > On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote: >> On 9 December 2016 at 00:14, David Sommerseth >> wrote: >> > I just spotted in ssl.c that we need sp_assign=add.

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote: > > On 9 December 2016 at 00:14, David Sommerseth > wrote: > > I just spotted in ssl.c that we need sp_assign=add. > > > > [ ssl.c, tls1_PRF() ] > > len = slen/2; > > S1 = sec; >

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread David Sommerseth
On 09/12/16 18:59, Christian Hesse wrote: > Christian Hesse on Fri, 2016/12/09 18:37: >> David Sommerseth on Wed, 2016/12/07 03:51: >>> Commit c5931897ae8d663e7e introduced support for talking directly >>> to the systemd service manager about the situation for

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread David Sommerseth
On 09/12/16 19:13, Christian Hesse wrote: > From: Christian Hesse > > ProtectSystem=strict mounts the entire file system hierarchy read-only, > except for the API file system subtrees /dev, /proc and /sys (which can > be protected using PrivateDevices=, ProtectKernelTunables=, >

Re: [Openvpn-devel] On saving passwords

2016-12-09 Thread Илья Шипицин
9 Dec 2016 22:40, user "Selva Nair" wrote: Hi, A comment on the GUI github page said: "For ISO27001 certification, we are not allowed to let users save their VPN passwords locally. Is there a way to remove or disable the 'save password' box upon

[Openvpn-devel] [PATCH 1/1] add more security features for systemd units

2016-12-09 Thread Christian Hesse
From: Christian Hesse ProtectSystem=strict mounts the entire file system hierarchy read-only, except for the API file system subtrees /dev, /proc and /sys (which can be protected using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). ProtectHome=true makes the

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread Christian Hesse
Christian Hesse on Fri, 2016/12/09 18:37: > David Sommerseth on Wed, 2016/12/07 03:51: > > Commit c5931897ae8d663e7e introduced support for talking directly > > to the systemd service manager about the situation for the OpenVPN > > tunnel. This approach makes a

[Openvpn-devel] On saving passwords

2016-12-09 Thread Selva Nair
Hi, A comment on the GUI github page said: "For ISO27001 certification, we are not allowed to let users save their VPN passwords locally. Is there a way to remove or disable the 'save password' box upon authentication?" Although I suggested using an up script to delete the saved password,

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

2016-12-09 Thread Christian Hesse
David Sommerseth on Wed, 2016/12/07 03:51: > Commit c5931897ae8d663e7e introduced support for talking directly > to the systemd service manager about the situation for the OpenVPN > tunnel. This approach makes a lot of sense and is mostly the proper > way to do it. But it was

[Openvpn-devel] [PATCH applied] Re: mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Gert Doering
Your patch has been applied to the master branch. Thanks. I have not changed the #include formatting, as The Great Reformatting will catch it anyway. commit c00919e8bd6a4e36d9fa009f3b1a93b262a59fc6 Author: Magnus Kroken Date: Fri Dec 9 10:07:35 2016 +0100 mbedtls: include correct

[Openvpn-devel] [PATCH 2/2 v3] push: Provide a warning if --ifconfig-push have --topology mismatch

2016-12-09 Thread David Sommerseth
This adds a warning to the log file if --topology is configured to use subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option is not a subnet mask. v2 - Make use of ifconfig_sanity_check() in tun.c instead of doing the exact same check and warning in

[Openvpn-devel] [PATCH 0/2] Improve --ifconfig and --ifconfig-push sanity check

2016-12-09 Thread David Sommerseth
This patch set is combining two separate mail threads [1] [2] as they are related. These patches have also been rearranged, where the first patch adds the generic improvements and prepares for the push.c update which is in the second patch. These patches combined will resolve the issue reported

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Steffan Karger
Hi, On 9 December 2016 at 00:14, David Sommerseth wrote: > I just spotted in ssl.c that we need sp_assign=add. > > [ ssl.c, tls1_PRF() ] > len = slen/2; > S1 = sec; > S2 = &(sec[len]); > len += (slen&1); /* add for odd, make longer */ > > I

Re: [Openvpn-devel] [PATCH] mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Steffan Karger
Hi, On 9 December 2016 at 10:07, Magnus Kroken wrote: > is deprecated as of mbedTLS 2.4.0, it is renamed > . OpenVPN will fail to build with > mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined. > > Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and >

[Openvpn-devel] [PATCH 1/1] Handle SIGHUP during initialisation phase

2016-12-09 Thread Hervé CODINA
Without this commit, if the remote host cannot be reached, we get stuck in a loop trying to connect and we cannot reload a new configuration using SIGHUP. In this case, the only way to reload the configuration is to kill and relaunch the daemon. With this commit, the following use case can be done: - Set

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 08:24:24AM -0500, Selva Nair wrote: > On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote: > > > if (a>0) > > { do_this(); } > > else > > { do_that(); } > > > > In such cases I would normally skip all braces, in spite of all the >

Re: [Openvpn-devel] Coding style clean-up ... phase 1

2016-12-09 Thread Selva Nair
On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote: > if (a>0) > { do_this(); } > else > { do_that(); } > In such cases I would normally skip all braces, in spite of all the arguments against it... But that's just me. That said the proposed re-formatting

[Openvpn-devel] [PATCH 1/1] Handle SIGHUP during initialisation phase

2016-12-09 Thread Herve Codina
Without this commit, if the remote host cannot be reached, we get stuck in a loop trying to connect and we cannot reload a new configuration using SIGHUP. In this case, the only way to reload the configuration is to kill and relaunch the daemon. With this commit, the following use case can be done: - Set

Re: [Openvpn-devel] [PATCH] Improve ifconfig_sanity_check()

2016-12-09 Thread David Sommerseth
On 09/12/16 09:15, Gert Doering wrote: > Hi, > > On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote: >> - Instead of checking the complete in_addr_t (which lacked proper htonl()), >> just do a simple peek at the last byte which contains the first octet >> of an IP address or

Re: [Openvpn-devel] help wanted: OpenSolaris building

2016-12-09 Thread Alexander Pyhalov
On 09/11/16 09:51 PM, Gert Doering wrote: > Hi, > > as you might know, we try to build everything we commit to git on all > supported platforms (using buildbot). This works quite well and has > helped us keep things consistently working across all platforms, at least > as far as we have tests for

[Openvpn-devel] [PATCH] Use getpassphrase on Solaris/illumos

2016-12-09 Thread Alexander Pyhalov
-- Best regards, Alexander Pyhalov, programmer, Telecommunication Infrastructure Department, Information and Communication Infrastructure Administration, ЮФУ From 971d1d5e66ba714fc8f74b8da0672e7da47dc557 Mon Sep 17 00:00:00 2001 From: Alexander Pyhalov Date: Fri, 9 Dec 2016

[Openvpn-devel] [PATCH] mbedtls: include correct net/net_sockets header according to version

2016-12-09 Thread Magnus Kroken
is deprecated as of mbedTLS 2.4.0, it is renamed . OpenVPN will fail to build with mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined. Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and net_sockets.h for >= 2.4.0. Signed-off-by: Magnus Kroken --- Tested,

Re: [Openvpn-devel] [PATCH] push: Provide a warning if --ifconfig-push have argument mismatch with --topology

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 09:13:19AM +0100, Gert Doering wrote: > ... ifconfig_sanity_check() does *nothing* for TOP_SUBNET Overlooked the second patch (since it wasn't threaded). So with the other patch, that argument is no longer valid, of course. Apologies. [..] > Also we might to

Re: [Openvpn-devel] [PATCH] Improve ifconfig_sanity_check()

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote: > - Instead of checking the complete in_addr_t (which lacked proper htonl()), > just do a simple peek at the last byte which contains the first octet > of an IP address or subnet mask. Have you *tested* this on a non-intel

Re: [Openvpn-devel] [PATCH] push: Provide a warning if --ifconfig-push have argument mismatch with --topology

2016-12-09 Thread Gert Doering
Hi, On Fri, Dec 09, 2016 at 03:50:48AM +0100, David Sommerseth wrote: > This adds a warning to the log file if --topology is configured to use > subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option > is not a subnet mask. > > v2 - Make use of ifconfig_sanity_check() in