[Openvpn-devel] Getting rid of bundled lz4 ?

2018-03-04 Thread Илья Шипицин
Hello, It was broadcasted several times that we will get rid of bundled lz4 someday. Currently, windows installer is built using that lib. Does it make sense to change windows installer? Cheers, Ilya Shipitsin

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread Selva Nair
Hi, On Sun, Mar 4, 2018 at 6:22 PM, Steffan Karger wrote: > > On 05-03-18 00:13, Jeremie Courreges-Anglas wrote: >> On Sun, Mar 04 2018, Selva Nair wrote: >> --8<-- >> [...]. OpenSSL itself only provided said setters (since 2015)[2]. The >> getters

Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Steffan Karger
On 05-03-18 00:26, Steffan Karger wrote: > Yes, I'd rather not use the workaround if not needed. Bad wording. Read that as "I'm no longer opposed to a patch". -Steffan

Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Steffan Karger
Hi, On 04-03-18 19:59, Jeremie Courreges-Anglas wrote: > On Thu, Dec 14 2017, Steffan Karger wrote: > > [...] > >> NAK. >> >> Looking at this patch again I realize I have misunderstood the >> intentions when first looking at it. I thought LibreSSL *did* have an >>

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread Steffan Karger
On 05-03-18 00:13, Jeremie Courreges-Anglas wrote: > On Sun, Mar 04 2018, Selva Nair wrote: > --8<-- > [...]. OpenSSL itself only provided said setters (since 2015)[2]. The > getters were added to OpenSSL later (Sep 2017)[3]. > > [2] >

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Steffan Karger
On 04-03-18 23:23, Jeremie Courreges-Anglas wrote: > On Sun, Mar 04 2018, Selva Nair wrote: >> Libressl developers break API compatibility with openssl in such >> perverse ways that there are no easy ways to support it. Take, for >> example, the patch I just sent out which

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Steffan Karger
Hi, Most has been said, so I won't reiterate that. Gert++, Selva++. On 04-03-18 13:43, Mina Barret via Openvpn-devel wrote: > Ok, bummer, the (german) wikipedia experience again - rejected. The > second and third read of the well distributed Changelog(s) and release > note(s) does not bring up

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Jeremie Courreges-Anglas
On Sun, Mar 04 2018, Selva Nair wrote: [...] > Libressl developers break API compatibility with openssl in such > perverse ways that there are no easy ways to support it. Take, for > example, the patch I just sent out which checks for certain functions > instead of

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread Selva Nair
Hi, On Sun, Mar 4, 2018 at 1:48 PM, Jeremie Courreges-Anglas wrote: > On Sun, Mar 04 2018, selva.n...@gmail.com wrote: >> From: Selva Nair >> >> Openssl docs do not explicitly state these to be macros although they >> are currently defined as such. > >

Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2018-03-04 Thread Jeremie Courreges-Anglas
On Thu, Dec 14 2017, Steffan Karger wrote: [...] > NAK. > > Looking at this patch again I realize I have misunderstood the > intentions when first looking at it. I thought LibreSSL *did* have an > SSL_CTX_get0_certificate() and this patch would make us use it (instead > of

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Selva Nair
Hi, On Sun, Mar 4, 2018 at 11:47 AM, Jeremie Courreges-Anglas wrote: > On Sun, Mar 04 2018, Gert Doering wrote: > > [...] > >> "Please note that LibreSSL is not a supported crypto backend. We >> accept patches and we do test on OpenBSD 6.0 which comes with

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread Jeremie Courreges-Anglas
On Sun, Mar 04 2018, selva.n...@gmail.com wrote: > From: Selva Nair > > Openssl docs do not explicitly state these to be macros although they > are currently defined as such. Actually they are documented as macros by OpenSSL since day 1, see NOTES. > Use AC_CHECK_DECLS to

Re: [Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread Mina Barret via Openvpn-devel
Great, Thank You! -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list

[Openvpn-devel] [PATCH] Do not assume that SSL_CTX_get/set_min/max_proto_version are macros

2018-03-04 Thread selva . nair
From: Selva Nair Openssl docs do not explicitly state these to be macros although they are currently defined as such. Use AC_CHECK_DECLS to test for these so that both function and macro forms could be detected. Signed-off-by: Selva Nair --- Though

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Jeremie Courreges-Anglas
On Sun, Mar 04 2018, Gert Doering wrote: [...] > "Please note that LibreSSL is not a supported crypto backend. We > accept patches and we do test on OpenBSD 6.0 which comes with > LibreSSL, but if newer versions of LibreSSL break API compatibility > we do not take

Re: [Openvpn-devel] [PATCH] Add a warning that we do not officially support LibreSSL

2018-03-04 Thread Jeremie Courreges-Anglas
On Sun, Mar 04 2018, Steffan Karger wrote: > Hi, > > On 04-03-18 10:08, Gert Doering wrote: >> On Thu, Mar 01, 2018 at 12:11:23AM +0100, Steffan Karger wrote: >>> As discussed in the community meeting of 13-12-2017, we should warn our >>> users that LibreSSL is not officially

Re: [Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Gert Doering
Hi, On Sun, Mar 04, 2018 at 07:43:14AM -0500, Mina Barret via Openvpn-devel wrote: > The release last week was different than the releases before. > Usually all I have to do is updating the version, rebuild and QA. > The release notes state 'This is primarily a maintenance release, > with further

[Openvpn-devel] [PATCH] Improve management-external-key/cert error handling

2018-03-04 Thread Steffan Karger
Check the return values of management_query_cert() and tls_ctx_use_external_private_key(), and error out with a more descriptive error message. To do so, we make the openssl-backed implementation of tls_ctx_use_external_private_key() not throw fatal error anymore. (And fix line wrapping while

[Openvpn-devel] LibreSSL support in OpenVPN 2.4.5

2018-03-04 Thread Mina Barret via Openvpn-devel
Hello OpenVPN developers, The last years I closely follow your advances in the source. When you release a new version of the software, I will pull it, build it in different configurations and ship it to a small userbase. To allow the users to choose the flavor of SSL, one of the configurations

[Openvpn-devel] [PATCH applied] Re: Make return code external tls key match docs

2018-03-04 Thread Gert Doering
Your patch has been applied to the master and release/2.4 branch (with some conflicts due to changed context in master, but that was easy enough to resolve). Thanks. commit 6bee1a1fc01f3d3ddf114b48e52e5b10d57033cb (master) commit 1f342aad6a13aaae1cc54f632498e0646a1bfe1a (release/2.4) Author:

Re: [Openvpn-devel] [PATCH v2] Check for time_t overflow in event_timeout_trigger()

2018-03-04 Thread Steffan Karger
Hi, On 01-03-18 05:15, Selva Nair wrote: > We can avoid all overflow and eliminate the check and the ASSERT > by writing it as > > time_t wakeup = (et->last - local_now) + et->n; // parens added for clarity > > For the first subtraction to overflow, last and now have to differ by >> INT_MAX

Re: [Openvpn-devel] [PATCH] Make return code external tls key match docs

2018-03-04 Thread Steffan Karger
Hi, On 28-02-18 14:52, Joost Rijneveld wrote: > In tls_ctx_use_external_private_key, the return codes were inverted > compared to what is documented in ssl_backend.h (and what can > reasonably be expected). Internally the return code is never checked, > so this did not directly result in any

Re: [Openvpn-devel] [PATCH] Add a warning that we do not officially support LibreSSL

2018-03-04 Thread Steffan Karger
Hi, On 04-03-18 10:08, Gert Doering wrote: > On Thu, Mar 01, 2018 at 12:11:23AM +0100, Steffan Karger wrote: >> As discussed in the community meeting of 13-12-2017, we should warn our >> users that LibreSSL is not officially supported. We expect that it >> currently works, but it might suddenly

Re: [Openvpn-devel] [PATCH] Add a warning that we do not officially support LibreSSL

2018-03-04 Thread Gert Doering
Hi, On Thu, Mar 01, 2018 at 12:11:23AM +0100, Steffan Karger wrote: > As discussed in the community meeting of 13-12-2017, we should warn our > users that LibreSSL is not officially supported. We expect that it > currently works, but it might suddenly break or we might decide to no > longer

[Openvpn-devel] [PATCH applied] Re: Add missing #ifdef SSL_OP_NO_TLSv1_1/2

2018-03-04 Thread Gert Doering
Your patch has been applied to the release/2.4 branch. (I've added a commit message explaining what Selva wrote about the cherrypick etc., setting you as author) commit 88abb911ea22a306e87fba58410da45c2baad57f Author: Simon Matter Date: Fri Mar 2 08:49:31 2018 +0100 Add missing #ifdef

[Openvpn-devel] [PATCH applied] Re: Delete the IPv6 route to the connected network on tun close

2018-03-04 Thread Gert Doering
Acked-by: Gert Doering Test compiled, not actually run - but "stare at code" is convincing enough. Your patch has been applied to the master and release/2.4 branch. commit b607900ba937b5f45796d2e3810ef91a32826927 (master) commit 716fdb24be7857e242c3174a51485446502481ea

Re: [Openvpn-devel] Trac tickets

2018-03-04 Thread Antonio Quartulli
On 04/03/18 16:05, Samuli Seppänen wrote: > The owner would get a notification email but the ticket would not be > automatically assigned to him/her. > > Thoughts? I like that. Because we mostly need "somebody responsible for that area" to be notified and it does not necessarily need to be the

Re: [Openvpn-devel] Trac tickets

2018-03-04 Thread Samuli Seppänen
On 03/03/2018 17:58, Selva Nair wrote: > Hi, > > These days many (all?) trac tickets appear with an owner set. When I > see an owner it gives the impression that person is looking into it > and makes me less inclined to investigate. > > But it looks like this is automatically assigned and