Hi,
Looks good in my tests using the msvc artifacts from
https://github.com/lstipakov/openvpn/actions/runs/1496339867#artifacts.
Loads config from \ssl\openssl.cnf and engines specified with
relative paths load from \ssl\engines. So the env vars are
being seen by OpenSSL and being used as
Thanks,
I tried this one and client wasn't able to connect:
OpenSSL: error:14201076:SSL routines:tls_choose_sigalg:no suitable
signature algorithm
So it looks like config loading works.
The binaries for V4 could be found here:
https://github.com/lstipakov/openvpn/actions/runs/1496339867
From: Lev Stipakov
Commits
- 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config
option set (CVE-2121-3606)")
- 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
Hi,
On Tue, Nov 23, 2021 at 1:37 PM Lev Stipakov wrote:
> I don't have a setup to properly test it, like actually loading the
> config - I only checked that the openvpn.exe attempted to access
> openssl.cnf at the correct location.
>
> If someone wants to test - binary artifacts could be found
On Tue, Nov 23, 2021 at 1:46 PM Gert Doering wrote:
> Hi,
>
> On Fri, Nov 19, 2021 at 02:53:06AM +0200, Lev Stipakov wrote:
> > +if ((install_path[wcslen(install_path) - 1]) == L'\\')
> > +{
> > +install_path[wcslen(install_path) - 1] = L'\0';
> > +}
> > +
> > +WCHAR
Hi,
On Fri, Nov 19, 2021 at 02:53:06AM +0200, Lev Stipakov wrote:
> +if ((install_path[wcslen(install_path) - 1]) == L'\\')
> +{
> +install_path[wcslen(install_path) - 1] = L'\0';
> +}
> +
> +WCHAR openssl_cnf[MAX_PATH] = {0};
> +WCHAR openssl_engines[MAX_PATH] = {0};
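Review bot: The trailing-backslash check indexes install_path[wcslen(install_path) - 1] without first confirming the string is non-empty. If install_path is empty, wcslen() returns 0 and the size_t subtraction wraps, so both the read in the condition and the write of L'\0' land far outside the buffer. Compute the length once into a local, and only inspect or strip the last character when that length is greater than zero.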
I don't have a setup to properly test it, like actually loading the
config - I only checked that the openvpn.exe attempted to access
openssl.cnf at the correct location.
If someone wants to test - binary artifacts could be found here:
https://github.com/lstipakov/openvpn/actions/runs/1496114596
From: Lev Stipakov
Commits
- 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config
option set (CVE-2121-3606)")
- 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
Hi,
> Does this string concatenation like L"foo" "bar" work correctly on MSVC? I
> know it works on mingw, but in the past with the GUI resources we had run
> into issues with such usage -- iirc, MSVC wanted L"foo" L"bar".
I think so, at least result of concatenation looks correct in procmon:
Hi,
+1 for setting these env vars. I will test this but some quick comments
On Tue, Nov 23, 2021 at 10:08 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Commit 7e33127d5 ("contrib/vcpkg-ports: remove openssl port")
> disabled OpenSSL config loading to prevent loading config
> from untrusted
Sure,
(mingw got angry on V1 because I missed 'static' on function
declaration, so we have V2)
arm64:
https://github.com/lstipakov/openvpn/suites/4442265006/artifacts/117764629
x64: https://github.com/lstipakov/openvpn/suites/4442265006/artifacts/117764631
From: Lev Stipakov
Commit 7e33127d5 ("contrib/vcpkg-ports: remove openssl port")
disabled OpenSSL config loading to prevent loading config
from untrusted locations.
Config loading feature might be useful for some users. This
brings it back, and sets OpenSSL environment variables
OPENSSL_CONF,
Hi,
On Tue, Nov 23, 2021 at 04:30:57PM +0200, Lev Stipakov wrote:
> See https://patchwork.openvpn.net/patch/2083/
>
> I only tested with procmon that openvpn.exe tries to load openssl.cnf
> from a trusted location.
Thanks. For a non-windows person this looks good, but I leave the
final word on
Hi,
> > On startup we could read the installation path from
> > HKLM\SOFTWARE\OpenVPN and assume
> > something like \ssl\openssl.cnf ?
>
> To me, this feels like the least annoying way forward... and then we can
> also stop worrying about any future changes on the vcpkg side (even if
> they
From: Lev Stipakov
Commit 7e33127d5 ("contrib/vcpkg-ports: remove openssl port")
disabled OpenSSL config loading to prevent loading config
from untrusted locations.
Config loading feature might be useful for some users. This
brings it back, and sets OpenSSL environment variables
OPENSSL_CONF,
Hi,
On Tue, Nov 23, 2021 at 01:39:16PM +0200, Lev Stipakov wrote:
> > Can our installer use "custom locations", like "install all our software
> > to "d:\mystuff\openvpn\"?
> Yes.
OK.
> > In that case, built-in paths won't work well (as was pointed out in the PR,
> > to my dismay).
>
> We
> Can our installer use "custom locations", like "install all our software
> to "d:\mystuff\openvpn\"?
Yes.
> In that case, built-in paths won't work well (as was pointed out in the PR,
> to my dismay).
We could use something like C:\Windows\System32\SSL ?
One could install Windows to a
Hi,
On Tue, Nov 23, 2021 at 12:19:07PM +0200, Lev Stipakov wrote:
> How should we proceed? Do we define safe conf/engines/modules locations and
>
> 1) build them into openssl with our own port, and
Can our installer use "custom locations", like "install all our software
to
Hi,
> I have no opinion on _putenv() vs. SetEnvironmentVariableW() - this is
> Windows API stuff, so whatever MS thinks we should be using...
SetEnvironmentVariableW() doesn't work for me with MSVC. Similar thing
with curl - openssl uses getenv, which
doesn't find variables added after the
Hi,
On Tue, Nov 23, 2021 at 10:05:16AM +0100, François Kooman wrote:
> > Is this a v2, or a re-sent "because nobody picked it up"?
>
> Well, if you consider the PR on GitHub [PR#160] the v1, then yes, this
> is v2.
Oh. I really need more coffee. I remembered I had seen a mail about
this, but
On 23.11.21 09:59, Gert Doering wrote:
Hi,
Hi Gert,
Is this a v2, or a re-sent "because nobody picked it up"?
Well, if you consider the PR on GitHub [PR#160] the v1, then yes, this
is v2.
The commit message *could* have a few more words, though :-) - and
the Ticket number wants to be
Hi,
On Tue, Nov 23, 2021 at 09:37:58AM +0100, François Kooman wrote:
> fix for #1161
>
> Signed-off-by: François Kooman
Is this a v2, or a re-sent "because nobody picked it up"?
The commit message *could* have a few more words, though :-) - and
the Ticket number wants to be "Trac: #1161".
fix for #1161
Signed-off-by: François Kooman
---
src/openvpn/options.c | 2 +-
src/openvpn/route.c | 67 +--
src/openvpn/route.h | 1 +
3 files changed, 67 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c