Re: [Openvpn-devel] [PATCH] Repair special-casing of EEXIST for Linux/SITNL route install

2023-01-11 Thread Gert Doering
Hi, On Thu, Jan 12, 2023 at 02:50:27AM -0500, Selva Nair wrote: > Not sure I understand "can also be hacked alone". I think that was intended to be "acked" alone :-) Anyway, thanks for spotting this, and shame on me for only testing v4 ("the v6 stuff is new and shiny and has none of these proble

Re: [Openvpn-devel] [PATCH] Repair special-casing of EEXIST for Linux/SITNL route install

2023-01-11 Thread Selva Nair
On Wed, Jan 11, 2023 at 7:30 PM Antonio Quartulli wrote: > Hi, > > for the netlink/sitnl bits: this makes sense to me. > I agree with Selva that the v6 variant could benefit from the same > treatment. > > However, this patch can also be hacked on its own > > Acked-by: Antonio Quartulli > Not so

Re: [Openvpn-devel] [PATCH] dco: send SIGUSR1 upon ping timeout

2023-01-11 Thread Arne Schwabe
Am 12.01.23 um 01:04 schrieb Antonio Quartulli: When a peer is removed with reason "ping expire", we should kill the instance with SIGUSR1 and not SIGTERM Cc: Arne Schwabe Signed-off-by: Antonio Quartulli -- Arne, I am not 100% sure why but it seems for ping-restart we always use SIGUSR1, rig

Re: [Openvpn-devel] [PATCH] Repair special-casing of EEXIST for Linux/SITNL route install

2023-01-11 Thread Antonio Quartulli
Hi, for the netlink/sitnl bits: this makes sense to me. I agree with Selva that the v6 variant could benefit from the same treatment. However, this patch can also be hacked on its own Acked-by: Antonio Quartulli On 11/01/2023 17:08, Gert Doering wrote: The code in sitnl_route_set() used to

[Openvpn-devel] [PATCH] dco: send SIGUSR1 upon ping timeout

2023-01-11 Thread Antonio Quartulli
When a peer is removed with reason "ping expire", we should kill the instance with SIGUSR1 and not SIGTERM Cc: Arne Schwabe Signed-off-by: Antonio Quartulli -- Arne, I am not 100% sure why but it seems for ping-restart we always use SIGUSR1, right? but the DCO handling code was apparently using

[Openvpn-devel] [PATCH] dco: print proper message in case of transport disconnection

2023-01-11 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli --- --no-verify is required upon commit due to changes in ovpn_dco_linux.h Little logging improvement for https://github.com/OpenVPN/ovpn-dco/issues/9 --- src/openvpn/multi.c | 4 src/openvpn/ovpn_dco_linux.h | 5 +++-- 2 files changed, 7 insertions

Re: [Openvpn-devel] [PATCH] Repair special-casing of EEXIST for Linux/SITNL route install

2023-01-11 Thread Selva Nair
Hi, Netlink is Antonio's realm, but fwiw, I gave it a whirl: On Wed, Jan 11, 2023 at 11:38 AM Gert Doering wrote: > The code in sitnl_route_set() used to treat "route can not be installed > because it already exists" (EEXIST) as "not an error". > > This is arguably a reasonable approach, but ne

Re: [Openvpn-devel] [PATCH v5] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-11 Thread Frank Lichtenheld
On Mon, Jan 09, 2023 at 05:38:10PM +0100, Arne Schwabe wrote: > Currently we have only one slot for renegotiation of the session/keys. > If a replayed/faked packet is inserted by a malicious attacker, the > legitimate peer cannot renegotiate anymore. > > This commit introduces dynamic tls-crypt. When

[Openvpn-devel] [PATCH] Repair special-casing of EEXIST for Linux/SITNL route install

2023-01-11 Thread Gert Doering
The code in sitnl_route_set() used to treat "route can not be installed because it already exists" (EEXIST) as "not an error". This is arguably a reasonable approach, but needs to be handled higher up - if the low level add_route() function says "no error", we will try to remove that route later on in

[Openvpn-devel] [PATCH applied] Re: Deprecate OCC checking

2023-01-11 Thread Gert Doering
Acked-by: Gert Doering I have stared-at-code a bit (looks reasonable) and ran a few manual tests - without the patch, one of my t_client instances triggers this (with verb 3): 2023-01-11 15:42:41 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558' With the

[Openvpn-devel] [PATCH applied] Re: documentation: update 'unsupported options' section

2023-01-11 Thread Gert Doering
Acked-by: Gert Doering "Seems to match my memories" :) Your patch has been applied to the master and release/2.6 branch. commit ee0a6026af9c47fe21217f57ab04b9cc2cc193f1 (master) commit 4674d69c630e92d2f5ae1537ab63f8e6b9bca041 (release/2.6) Author: Frank Lichtenheld Date: Wed Jan 11 13:52:42 2

[Openvpn-devel] [PATCH v2] Deprecate OCC checking

2023-01-11 Thread Arne Schwabe
- Move OCC warnings to debug level. This moves the only useful OCC message of compress-migrate to D_PUSH - remove configure option --enable-strict-options - ignore disable-occ in TLS mode as it is logged under debug now only disable-occ is now strictly a non-TLS option - mark opt-verify and dis

[Openvpn-devel] [PATCH applied] Re: check_engine_keys: make pass with OpenSSL 3

2023-01-11 Thread Gert Doering
Acked-by: Gert Doering Looking more closely I can see that I misread the regex, and it's all fine indeed. Passing the test on my test candidates (ossl 1.1.x, ossl 3.0.x but no engine support) and also on the GHA actions with both ossl versions. Your patch has been applied to the master branch.

[Openvpn-devel] [PATCH applied] Re: options: Always define options->management_flags

2023-01-11 Thread Gert Doering
The ACK from Arne is not on the list, but it's in the quote from Frank, so I can say "I have seen it" (and since the discussion went on about a comment line, it's not a fake :-) ). I have removed that comment line per discussion on IRC. Tested by compiling normally and with --disable-management,

[Openvpn-devel] [PATCH] documentation: update "unsupported options" section

2023-01-11 Thread Frank Lichtenheld
We listed those in Changes, but did not update the documentation. Signed-off-by: Frank Lichtenheld --- doc/man-sections/unsupported-options.rst | 11 +++ 1 file changed, 11 insertions(+) diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst in

Re: [Openvpn-devel] [PATCH] Deprecate OCC checking

2023-01-11 Thread Frank Lichtenheld
On Wed, Jan 11, 2023 at 01:07:28PM +0100, Arne Schwabe wrote: > - Move OCC warnings to debug level. This moves the only useful OCC message > of compress-migrate to D_PUSH > - remove configure option --enable-strict-options > - ignore disable-occ in TLS mode as it is logged under debug now only >

Re: [Openvpn-devel] [PATCH] options: Always define options->management_flags

2023-01-11 Thread Frank Lichtenheld
On Wed, Jan 11, 2023 at 12:02:14PM +0100, Arne Schwabe wrote: > Am 16.12.22 um 14:11 schrieb Frank Lichtenheld: > > On Mon, Dec 12, 2022 at 12:38:41PM +0100, Arne Schwabe wrote: > > > Am 27.11.22 um 15:25 schrieb Frank Lichtenheld: > > > > That makes it possible to remove several preprocessor > > >

Re: [Openvpn-devel] [PATCH] check_engine_keys: make pass with OpenSSL 3

2023-01-11 Thread Frank Lichtenheld
On Wed, Jan 11, 2023 at 08:39:51AM +0100, Gert Doering wrote: > Hi, > > On Tue, Jan 10, 2023 at 06:02:57PM +0100, Frank Lichtenheld wrote: > > @@ -27,7 +27,7 @@ ${top_builddir}/src/openvpn/openvpn --cd > > ${top_srcdir}/sample --config sample-co > > # first off check we died because of a key mis

[Openvpn-devel] [PATCH] Deprecate OCC checking

2023-01-11 Thread Arne Schwabe
- Move OCC warnings to debug level. This moves the only useful OCC message of compress-migrate to D_PUSH - remove configure option --enable-strict-options - ignore disable-occ in TLS mode as it is logged under debug now only disable-occ is now strictly a non-TLS option - mark opt-verify and dis

Re: [Openvpn-devel] [PATCH] options: Always define options->management_flags

2023-01-11 Thread Arne Schwabe
Am 16.12.22 um 14:11 schrieb Frank Lichtenheld: On Mon, Dec 12, 2022 at 12:38:41PM +0100, Arne Schwabe wrote: Am 27.11.22 um 15:25 schrieb Frank Lichtenheld: That makes it possible to remove several preprocessor directives which is a good thing. The cost should be negligible. Acked-By: Arne S

Re: [Openvpn-devel] [PATCH v4] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-11 Thread Arne Schwabe
    /*
     * key_id increments to KEY_ID_MASK then recycles back to 1.
     * This way you know that if key_id is 0, it is the first key.
     */
    ++session->key_id;
    session->key_id &= P_KEY_ID_MASK;
    if (!session->key_id)
    {
        session->key_id = 1;
    }

Okay, so it