Re: [Openvpn-devel] [PATCH 11/14] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread tincantech via Openvpn-devel
Before this goes any further, I doubt very much that Openvpn intends to "Remove P2MP mode". Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Thursday, 1 April 2021 18:27, Arne Schwabe wrote: > On 01.04.21 at 15:13

Re: [Openvpn-devel] [PATCH v2] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread Gert Doering
Hi, On Sat, Apr 03, 2021 at 07:28:39PM +, tincantech via Openvpn-devel wrote: > > This also removes the ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION > > defines, which also depend only on the HAVE_GETTIMEOFDAY or WIN32. > > Is this the end of --shaper option ? No. gert -- "If was one

Re: [Openvpn-devel] [PATCH v2] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread tincantech via Openvpn-devel
Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Saturday, 3 April 2021 19:46, Arne Schwabe wrote: > Using OpenVPN without P2MP support (pull, TLS) is unrealistic and > building a binary without it is not something we

[Openvpn-devel] [PATCH v2] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread Arne Schwabe
Using OpenVPN without P2MP support (pull, TLS) is unrealistic and building a binary without it is not something we realistically want to support anyway. Building P2MP support now only depends on HAVE_GETTIMEOFDAY or win32, which has a compat function for it. This also removes the ENABLE_SHAPER

[Openvpn-devel] [PATCH] tun.c on WIN32: remove more unused variables

2021-04-03 Thread selva . nair
From: Selva Nair Fixes: tun.c: In function ‘do_ifconfig_ipv4’: tun.c:1217:17: warning: variable ‘ifconfig_remote_netmask’ set but not used [-Wunused-but-set-variable] const char *ifconfig_remote_netmask = NULL; tun.c:1213:10: warning: unused variable ‘tun’ [-Wunused-variable]

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Gert Doering
Hi, On Sat, Apr 03, 2021 at 03:07:11PM +0200, Simon Matter wrote: > Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-compress bytes,833300152 > Apr 3 15:00:30 gw-X1 openvpn[1477]: post-compress bytes,796650159 > Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-decompress bytes,343572096 > Apr 3 15:00:30 gw-X1

[Openvpn-devel] [PATCH applied] Re: tun.c: remove unused variable

2021-04-03 Thread Gert Doering
Your patch has been applied to the master branch. commit 411fc52eb19d359f1a698a884667cd7282db0b3c Author: Antonio Quartulli Date: Sat Apr 3 17:59:37 2021 +0200 tun.c: remove unused variable Signed-off-by: Antonio Quartulli Acked-by: Selva Nair Message-Id:

Re: [Openvpn-devel] [PATCH] tun.c: remove unused variable

2021-04-03 Thread Selva Nair
Hi On Sat, Apr 3, 2021 at 12:01 PM Antonio Quartulli wrote: > > From: Antonio Quartulli > > Signed-off-by: Antonio Quartulli > --- > src/openvpn/tun.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c > index 6b7c8ef1..60a3a179 100644 > ---

Re: [Openvpn-devel] [PATCH 04/14] Add documentation on EVENT_READ/EVENT_WRITE constants

2021-04-03 Thread Antonio Quartulli
On 01/04/2021 15:13, Arne Schwabe wrote: > Signed-off-by: Arne Schwabe > --- > src/openvpn/forward.c | 3 ++- > src/openvpn/openvpn.h | 12 +++- > 2 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c > index

[Openvpn-devel] [PATCH] tun.c: remove unused variable

2021-04-03 Thread Antonio Quartulli
From: Antonio Quartulli Signed-off-by: Antonio Quartulli --- src/openvpn/tun.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 6b7c8ef1..60a3a179 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -281,7 +281,6 @@ out: static bool

[Openvpn-devel] [PATCH applied] Re: Fix async push broken after auth deferred refactor

2021-04-03 Thread Gert Doering
Acked-by: Gert Doering Yeah, right. Sorry for not noticing. None of my current client tests build with --enable-async-push, and the server testbed only does this on other days (some of the build options are varied by day of the week), so I shouldn't have tested this on a Saturday... "today

Re: [Openvpn-devel] [PATCH v5 2/2] Implement deferred auth for scripts

2021-04-03 Thread Gert Doering
Hi, On Wed, Mar 17, 2021 at 02:03:12PM +0100, Arne Schwabe wrote: > This patch also refactors the if condition that checks the result of > the authentication since that has become quite unreadable. It renames > s1/s2 and extracts some parts of the condition into individual variables > to make the

[Openvpn-devel] [PATCH applied] Re: log file descriptor in more socket related error messages

2021-04-03 Thread Gert Doering
Acked-by: Gert Doering Changes make sense now :-) - only compile tested, I have no way to trigger these error messages in regular use. Your patch has been applied to the master branch. commit 8ccce69dc1b7ffdb533939cf5e5d054c64e23617 Author: Arne Schwabe Date: Sat Apr 3 14:30:00 2021 +0200

Re: [Openvpn-devel] [PATCH v2 2/2] Fix condition to generate session keys

2021-04-03 Thread Antonio Quartulli
Hi, On 28/03/2021 14:02, Arne Schwabe wrote: > When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with > the same port/ip as an existing session, it will give it the slot of the > renegotiation session (TM_UNTRUSTED). And when the authentication > succeeds it will replace the

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 12:06, Simon Matter wrote: >> Our use case is simple, we don't want ANY application in our company to >> consume more WAN bandwidth than is absolutely needed. Of course we're >> using compression like in rsync where it's possible, but that's not >> possible everywhere and

[Openvpn-devel] [PATCH v2] log file descriptor in more socket related error messages

2021-04-03 Thread Arne Schwabe
This adds the fd to the epoll event error message and the x_check_status message. This helps debugging when things go wrong with event handling. Also add logging when ep_del fails to remove a socket from the structure. In contrast to ep_ctl that has this as a FATAL message (M_ERR), we only log

[Openvpn-devel] [PATCH] Fix async push broken after auth deferred refactor

2021-04-03 Thread Arne Schwabe
Commit c5fec838e moved the auth control file related states into its own struct. Unfortunately I forgot to also do the part inside #if defined(ENABLE_ASYNC_PUSH) Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git

Re: [Openvpn-devel] [PATCH] Change CTR DRBG update function call to new mbedtls 2.16.0 API

2021-04-03 Thread Arne Schwabe
On 02.04.21 at 15:26, Max Fillinger wrote: > From: Uipko Berghuis > > In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to > mbedtls_ctr_drbg_update_ret(). Change the function name and handle > the new return value error code. > --- > src/openvpn/ssl_mbedtls.c | 5 - > 1 file changed, 4

Re: [Openvpn-devel] [PATCH 1/1] Let mbedtls_ssl_configs find reloaded CRLs

2021-04-03 Thread Arne Schwabe
> } > > void > +make_empty_crl(struct tls_root_ctx *ctx) > +{ > +if (ctx->crl == NULL) > +{ > +ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl); > +} > +else > +{ > +mbedtls_x509_crl_free(ctx->crl); > +} > +} > + This function is confusing me. This needs at
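Review bot: the two branches of make_empty_crl reach the "empty CRL" state by different mechanisms, and the else branch is only correct because mbedtls_x509_crl_free zeroes the struct after releasing its contents; that reliance is not stated anywhere. Either add a comment saying so, or follow the free with an explicit mbedtls_x509_crl_init(ctx->crl) so both paths visibly leave ctx->crl as an initialized, empty object, and document what the caller may assume about ctx->crl afterwards.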

Re: [Openvpn-devel] [PATCH v2 1/2] Move context_auth from context_2 to tls_multi and name it multi_state

2021-04-03 Thread Antonio Quartulli
Hi, On 28/03/2021 14:02, Arne Schwabe wrote: > context_2 and tls_multi have the same life cycle for TLS connections > but so this move does not affect behaviour of the variable. > > OpenVPN TLS multi code has grown a lot more complex and code that > handles multi objects needs to know the

[Openvpn-devel] [PATCH applied] Re: Move auth deferred related members into its own struct

2021-04-03 Thread Gert Doering
Acked-by: Gert Doering As Antonio has already stated, this really only moves 3 structure elements into their own substructure, and all functions working on these elements are now passed a pointer to the substructure (so the next patch can then use two substructures to have individual files for

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Antonio Quartulli
Hi, On 03/04/2021 12:06, Simon Matter wrote: > Our use case is simple, we don't want ANY application in our company to > consume more WAN bandwidth than is absolutely needed. Of course we're > using compression like in rsync where it's possible, but that's not > possible everywhere and with every

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On Sat, Apr 03, 2021 at 11:52:59AM +0200, Simon Matter wrote: >> > It sounds like there is no answer to this? >> > Then why are we even discussing further? >> >> It could be at least one feature to prevent people from moving over to >> WireGuard? > > Unless people can come up with real

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Gert Doering
Hi, On Sat, Apr 03, 2021 at 11:52:59AM +0200, Simon Matter wrote: > > It sounds like there is no answer to this? > > Then why are we even discussing further? > > It could be at least one feature to prevent people from moving over to > WireGuard? Unless people can come up with real use cases why

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 11:18, Simon Matter wrote: >>> If you have a use case that you think can benefit big time by having >>> compression, please feel free to describe it in details. Therefore >>> might >>> be saner ways to address it. >>> > > It sounds like there is no answer to this? > Then

[Openvpn-devel] [PATCH applied] Re: Remove deprecated option '--keysize'

2021-04-03 Thread Gert Doering
Your patch has been applied to the master branch. I had conflicts in init.c and options.c due to the previously-merged "TLS libraries without BF-CBC" patch, but that was trivially resolved (3 calls to "init_key_type()", remove the keysize option from all of them). To be sure I didn't break

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Antonio Quartulli
Hi, On 03/04/2021 11:18, Simon Matter wrote: >> If you have a use case that you think can benefit big time by having >> compression, please feel free to describe it in details. Therefore might >> be saner ways to address it. >> It sounds like there is no answer to this? Then why are we even

[Openvpn-devel] [PATCH applied] Re: Deprecate non TLS mode in OpenVPN

2021-04-03 Thread Gert Doering
Acked-by: Gert Doering The code change is simple enough to review. My p2p tests now complain to me in large letters that I should not be doing this (but still work fine). I have spent a bit of time on the commit message and I hope I made it even more clear. I have added a note to Changes.rst

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 10:32, Simon Matter wrote: >> I'm not asking to enable it by default or even compile it by default. >> I'm >> only asking to keep the code in so those who know what they are doing >> can >> enable it as a compile time option or expert mode option or something >> like >>

Re: [Openvpn-devel] [PATCH v2] Remove deprecated option '--keysize'

2021-04-03 Thread Antonio Quartulli
On 03/04/2021 11:06, Antonio Quartulli wrote: > Compile tested on Linux against: > * OpenSSL 1.1.1 > * OpenSSL 1.0.1 this was meant to be 1.1.0 > * OpenSSL 1.0.2 > * mbedTLS 2.26.0 > * mbedTLS 2.20.0 > * mbedTLS 2.10.0 Cheers, -- Antonio Quartulli

Re: [Openvpn-devel] [PATCH v2] Remove deprecated option '--keysize'

2021-04-03 Thread Antonio Quartulli
Hi, On 01/04/2021 14:37, Arne Schwabe wrote: > This option has been deprecated in OpenVPN 2.4 and the ciphers that allow > using this option fall all into the SWEET32 category of ciphers with > 64 bit block size. > > Patch V2: Remove superfluous check in OpenSSL codepath to check keysize Thanks

[Openvpn-devel] [PATCH applied] Re: Allow running a default configuration with TLS libraries without BF-CBC

2021-04-03 Thread Gert Doering
Acked-by: Gert Doering Taking Antonio's ACK on v3, adding my own (positive) test results on v5 to make my own ACK. The code of v3 and v5 only differs in one line ++|| (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)) which covers the special case

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Antonio Quartulli
Hi, On 03/04/2021 10:32, Simon Matter wrote: > I'm not asking to enable it by default or even compile it by default. I'm > only asking to keep the code in so those who know what they are doing can > enable it as a compile time option or expert mode option or something like > that. If you ask

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> >> >> To me it seems like you can of course build a scenario where compression >> _could_ be a problem somehow, but there are certainly many use cases >> where it can be considered almost impossible to have your security >> weakened by compression. I mean, there is also the SSH VPN mode with c>