Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Gert Doering
Hi, On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote: > I don't have any evidence with 2.5 right now but this is just a matter > of use/principle to me: I can very well see that I would like to have a > setup *without* NCP as I simply do not need it (e.g. my cipher is >

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
On 08/04/21 16:55, Arne Schwabe wrote: On 08.04.21 at 16:36, Jan Just Keijser wrote: Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required.

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Arne Schwabe
On 08.04.21 at 16:36, Jan Just Keijser wrote: > Hi, > > On 08/04/21 16:02, Arne Schwabe wrote: >> NCP has proven to be stable and apart from the one VPN Provider doing >> hacky things with homebrewed NCP we have not had any reports about >> ncp-disable being required. Remove ncp-disable to

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required. Remove ncp-disable to simplify code paths. Note: This patch breaks client without

[Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Arne Schwabe
NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required. Remove ncp-disable to simplify code paths. Note: This patch breaks clients without --pull. The follow up patch for P2P NCP will

[Openvpn-devel] [PATCH 3/3] Support NCP in pure P2P VPN setups

2021-04-08 Thread Arne Schwabe
Currently P2P mode of OpenVPN is one of the few places that cannot negotiate modern OpenVPN features. This becomes more and more problematic since P2P and P2MP code diverge more and more, and also the lack of switching to more advanced features like Data v2 currently blocks P2P mode from working

[Openvpn-devel] [PATCH 1/3] Change options->data_channel_use_ekm to flags

2021-04-08 Thread Arne Schwabe
Instead of maintaining two different representations of the data channel options in struct options and struct tls_options, use the same flags variable that tls_options uses. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 5 - src/openvpn/options.c | 4 ++-- src/openvpn/options.h | 4

[Openvpn-devel] [PATCH 4/4] Implement deferred auth for scripts

2021-04-08 Thread Arne Schwabe
This patch also refactors the if condition that checks the result of the authentication since that has become quite unreadable. It renames s1/s2 and extracts some parts of the condition into individual variables to make the condition better understandable. Patch v2: add refactoring of the if

[Openvpn-devel] [PATCH 0/3] P2P NCP support patch set

2021-04-08 Thread Arne Schwabe
Note: this patchset requires the "Move context_auth from context_2 to tls_multi and name it multi_state" patch to be applied first. Our P2P mode is currently lacking in features compared to the P2MP mode. Especially EKM, DATA_v2 and NCP cannot be used with P2P mode. And the differences increase

[Openvpn-devel] [PATCH] Ensure using const variables with EVP_PKEY_get0_*

2021-04-08 Thread Arne Schwabe
These functions return const pointers in OpenSSL 3.0.0alpha14, so our pointers should also be const to avoid casting the const away. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_openssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_openssl.c

Re: [Openvpn-devel] [PATCH 1/1] Rework mbedtls CRL handling

2021-04-08 Thread Antonio Quartulli
Hi Max, I was starting to comment to the various points in this email, but I believe it was getting confusing. Now that I have a better overview (thanks to your explanations!) I would suggest splitting the problem in smaller sub-problems to help our discussion. [Later it'd be very nice to have

[Openvpn-devel] [PATCH 2/3] Also restore/save compress related options in reconnects

2021-04-08 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 11 +++ src/openvpn/options.h | 3 +++ 2 files changed, 14 insertions(+) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a72e1b9ae..00ad98f15 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@

[Openvpn-devel] [PATCH 1/3] Always save/restore pull options

2021-04-08 Thread Arne Schwabe
This makes the code path for pull and non-pull more aligned and even though this might do extra work for non-pull scenarios, saving the few bytes of memory is not a worthwhile optimisation here. Additionally with the upcoming P2P mode NCP, the client needs to save/restore a subset of these options

[Openvpn-devel] [PATCH 3/3] Allow all GCM ciphers

2021-04-08 Thread Arne Schwabe
OpenSSL also allows ARIA-GCM and that works well with our implementation. While the handpicked list was needed for earlier OpenSSL versions (and is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL 1.0.2 and 1.1.x works as expected. Signed-off-by: Arne Schwabe ---

Re: [Openvpn-devel] [PATCH 1/1] Rework mbedtls CRL handling

2021-04-08 Thread Maximilian Fillinger
Hi Antonio, Thanks for taking a look! > Mh... I have tried to reproduce this issue, but I was not able to. > Would you be able to provide me with the exact steps to hit this > situation? This bug happens only if the CRL file can't be opened in init_ssl(). (Un-openable CRL files and un-parseable