s, imo.
This was not required in the past when we used to call the script only
when openssl verify has succeeded.
Selva
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
From: Selva Nair
Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert
is used with --peer-fingerprint.
The multiple --ca or --capath checks are consolidated into a function
Signed-off-by: Selva Nair
---
src/openvpn/options.c | 44 ++-
1 file
ould
export the verification error-status to the env so that the script
could make a more informed decision.
Our internal callback is not meant to be executed multiple times with
same depth, but the side effects appear to be benign -- like repeated
VERIFY OK in the logs.
Selva
From: Selva Nair
The tapctl and openvpnmscia codebase is written with an intent of
supporting both unicode and ansi builds. This patch does not attempt
to change that although non-unicode support looks untested
and buggy.
The main change is to replace %s by PRIsLPTSR that is defined
as %ls
From: Selva Nair
The interactive service code implicitly treats TCHAR == WCHAR in
several places with the assumption that we build only with UNICODE
defined. Make this explicit and remove some redundant code.
Also replace openvpn_sntprintf(), _tprintf() and similar with
explicit wide string
From: Selva Nair
- Use %ls for wchar_t * and %hs for char * variables
This makes it possible to build correctly with or without
__USE_MINGW_ANSI_STDIO defined. When this define is not used
all printf/scanf family functions are resolved from the windows
runtime MSVCRT. Newer (since version 8
ame for cert and
key.
In practice I prefer .crt and .key as they are generally understood as
PEM encoded, and allow the same filename stub to be used for both cert
and key files: like server.crt and server.key while with pem it will
have to be something like server-cert.
Hi
On Wed, May 19, 2021 at 9:35 AM Gert Doering wrote:
>
> Inline peer-fingerprint blocks can benefit from a bit of structuring
> by indentation or by putting comments ("# this is Alice's key").
>
> v2: accept ';' and '#' as comment delimiter. Fix tab-indent.
> v3: we want ==
>
> Signed-off-by:
(line) == 0)
> +/* ignore leading whitespace */
> +while(isspace(*line))
> +{
> +line++;
> +}
> +/* skip empty lines and comment lines */
> +if (strlen(line) == 0 || *line == '#' || *line = ';')
We want == :)
Selva
{
> + line++;
> + }
> +/* skip empty lines and comment lines */
> +if (strlen(line) == 0 || *line == '#')
As we support two comment characters ('#' and ';'), would be better to
do the same here too. One could relax the req
y downside. And, on Windows it's a pain to get the
parent pid from a batch file. Personally, I do not have a use case
though.
Selva
From: Selva Nair
v2 changes
- do not allow so-path embedded in cert and key uri
- add --pkcs11-engine option to optionally specify the
engine and provider module to use
If either --cert or --key is specified as a PKCS#11 uri, try to
load the certificate and key from any accessible
Hi,
On Thu, May 6, 2021 at 6:12 AM Jan Just Keijser wrote:
>
> Hi Selva,
> > Maybe I'll have to resurrect that idea or require --script-security 2
> > for this? In either case the core code will stay the same -- will wait
> > for a review and/or more comments
Hi JJK,
On Wed, May 5, 2021 at 4:00 AM Jan Just Keijser wrote:
>
> Hi Selva,
>
> On 05/05/21 07:18, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > If either --cert or --key is specified as a PKCS#11 uri, try to
> > load the certificate and ke
From: Selva Nair
If either --cert or --key is specified as a PKCS#11 uri, try to
load the certificate and key from any accessible PKCS#11 device.
This does not require linking with any pkcs11 library, but needs
pkcs11 engine to be available on the target machine.
In its simplest form, just have
data is
> > --tls-crypt-v2-verify
> > (And probably --learn-address but I have not tested that).
> >
>
> Due to the inordinate resistance this patch has received, consider this my
> official
> withdrawal. I hereby NACK.
Resistance is a good thing -- it means people are considering your
patch seriously and are asking questions in earnest.
I've had patches that languished for years and finally merged,
without batting an eye.. Except for an occasional gentle nudge (say
once a year), and some patience.
Selva
, are most welcome.
Thanks,
Selva
Hi,
On Wed, Apr 21, 2021 at 4:02 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Make tapctl aware of ovpn-dco.
>
> Signed-off-by: Lev Stipakov
> ---
> src/tapctl/main.c | 13 +++--
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/src/tapctl/main.c
(sourceforge seems to be refusing to accept mail from me.. sending again)
Hi,
On Wed, Apr 21, 2021 at 4:02 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Make tapctl aware of ovpn-dco.
>
> Signed-off-by: Lev Stipakov
> ---
> src/tapctl/main.c | 13 +++--
> 1 file changed, 7
From: Selva Nair
Fixes:
tun.c: In function ‘do_ifconfig_ipv4’:
tun.c:1217:17: warning: variable ‘ifconfig_remote_netmask’ set but not
used [-Wunused-but-set-variable]
const char *ifconfig_remote_netmask = NULL;
tun.c:1213:10: warning: unused variable ‘tun’ [-Wunused-variable
Hi
On Sat, Apr 3, 2021 at 12:01 PM Antonio Quartulli wrote:
>
> From: Antonio Quartulli
>
> Signed-off-by: Antonio Quartulli
> ---
> src/openvpn/tun.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index 6b7c8ef1..60a3a179 100644
> ---
From: Selva Nair
This has been replaced by openvpnserv2 since 2.4.0 and we have
stopped setting up this service in the installer since 2.5.0.
Get rid of the unused code. The mechanics of supporting multiple
services with the same executable is retained for possible future use.
For backwards
Hi,
On Thu, Mar 11, 2021 at 12:24 PM Gert Doering wrote:
> Thanks, Selva.
>
> v3 has actually been buildbot-tested on all the platforms (I tested
> v2 after the ACK, and it failed OpenSolaris, so I grumbled and adjusted
> the #ifdef's...). It has been "tested for real&
(MCL_CURRENT | MCL_FUTURE))
> {
> msg(M_WARN | M_ERRNO, "WARNING: mlockall call failed");
> diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h
> index 01f3200c..02c23e38 100644
> --- a/src/openvpn/platform.h
> +++ b/src/openvpn/platform.h
> @@ -4
Hi,
On Sun, Mar 7, 2021 at 1:44 PM Gert Doering wrote:
> Hi,
>
> On Sun, Mar 07, 2021 at 01:36:03PM -0500, Selva Nair wrote:
> > > "I'm not sure", TBH. rlimit handling in unix is a bit of an unknown
> > > territory for me.
> > >
> > > Wh
On Sun, Mar 7, 2021 at 1:10 PM Gert Doering wrote:
> Hi,
>
> thanks for the review.
>
> On Sun, Mar 07, 2021 at 12:22:32PM -0500, Selva Nair wrote:
> > On Sun, Mar 7, 2021 at 11:31 AM Gert Doering
> wrote:
> >
> > > If --mlock is used, the amou
crease
> limit");
>
Mbyte -> MB or megabytes
> + }
> +}
> +#endif
> +
> if (mlockall(MCL_CURRENT | MCL_FUTURE))
> {
> msg(M_WARN | M_ERRNO, "WARNING: mlockall call failed");
> diff --git a/src/openvpn/platform
t /b
(ii) move the script to a function and call it, redirecting o/p
@echo off
call :do_work >up_script.log 2>&1
exit /b
:do_work
@echo on
@rem the original script follows..
@rem end of script
@echo off
exit /b
Selva
From: Selva Nair
It appears wmic needs domain names containing hyphens to
be quoted.
Trac #1375
Signed-off-by: Selva Nair
---
src/openvpnserv/interactive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index
defined. AFAICT, the only change required would be to
replace %s and %S by %ls and %hs in some places -- mostly in interactive
service, one instance in tun.c
Any thoughts? I'm leaning towards option (ii).
Selva
driving the openvpn core via management interface. Which commands
> exists and their syntax has so far been mostly undocumented.
>
> Condense the long and good discussion between Selva Nair and
> Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
> Jonathan, comments from Sel
Hi,
On Mon, Jan 18, 2021 at 8:17 AM Gert Doering wrote:
>
> There will be a v3, as I just added "Android: Planned" to all the
> msg stuff.
>
> Selva, which GUI version will be "the one with msg support"? So I can
> have this fixed as well.
GUI is at 11.2
and
space permits, I see little point in putting it in TPM.
DPAPI supports an app-specific salt, and we could have it wrapped by TPM to
add some extra protection but I would be wary of inventing our own schemes
like that.
Storing the certificate private key in TPM makes sense.
Selva
On Wed, Jan
far been mostly undocumented.
>
> Condense the long and good discussion between Selva Nair and
> Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
> Jonathan, comments from Selva and Arne), with a pointer added
> to doc/management-notes.txt.
>
> See:
>
>
> ht
Hi
Thanks for the comments.
On Fri, Dec 25, 2020 at 3:03 PM Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
> > Here is the link again.
> > https://github.com/selvanair/openvpn-gui/releases/tag/v11-echo-msg
> > I got no f
Hi,
Merry Christmas!
On Wed, Dec 23, 2020 at 6:15 AM Jan Just Keijser wrote:
> On 21/12/20 18:22, Selva Nair wrote:
>
>
>
> On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote:
>
>> Hi,
>>
>> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
&g
the client display this?
> >
> > (I admit that I'm neither an expert on AUTH_FAILED message, nor on
> > "what is the client doing on variations of it", nor on "what *should*
> > be the expected outcome?". Selva, Arne will know more).
>
> It is easy to a
On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
> > I thought we already went through this when we discussed the proposed
> "echo
> > msg" in considerable detail 3 years ago.
>
&
A message to the user can be delivered in a useful fashion only if there is
a UI. The core itself can only write the message to log which may not be
seen in time, or to the console if one exists. And, IMO, any decent UI of
openvpn should use the management interface -- almost all do (except
s/tag/v11-echo-msg
IIRC, Jonathan had written up documentation for the proposed syntax.
I don't have links to the relevant mails at hand, but should be in the
archives.
It may be best to resurrect that effort.
Selva
g between ipconfig calls solves the problem.
>
> Oh! Yes, now with your patch, this is very obvious - there is a trac
> ticket (so when I merge this, I'll add the trac ticket number to the
> commit message) but it sort of puzzled Selva and me, because
e overwritten unless
explicitly asked for. At the same time, we do delete all addresses for v4
(not v6) while closing tun.
But, if we want to ensure a clean state for the adapter, as argued here, we
should be clearing current values regardless of whether new ones are being
From: Selva Nair
Trac #1079
Signed-off-by: Selva Nair
---
doc/man-sections/server-options.rst | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/doc/man-sections/server-options.rst
b/doc/man-sections/server-options.rst
index c0b22a5..4b649b1 100644
--- a/doc/man
From: Selva Nair
Use wmic instead of directly editing the registry
as the former does not take full effect unless the dns
client service is restarted.
Editing the registry appears to work erratically depending
on whether it's followed with a dhcp renew or ipconfig /registerdns
etc.
DOMAIN
ains comes from (unprivileged) client and might
> not be NULL terminated. Shall we do something like
>
> msg->domains[sizeof(msg->domains) - 1] = '\0';
>
> Same for interface_t::name. Or am I missing something?
>
My mistake. Will fix. Also our own safer strncpynt instead o
From: Selva Nair
Use wmic instead of directly editing the registry
as the former does not take full effect unless the dns
client service is restarted.
Editing the registry appears to work erratically depending
on whether it's followed with a dhcp renew or ipconfig /registerdns
etc.
DOMAIN
a user option. Default to dynamic or
adaptive, automatically fail-over to alternate methods or change it
internally as required for wintun etc.
And work towards supporting more dhcp-options when dhcp is not possible --
using iservice, API, netsh etc.
Selva
From: Selva Nair
When wintun is in use we mutate ip_win32_type to NETSH
and then complain that ip-win32 option should be dynamic or adaptive
if any --dhcp-option directive is present in the config file. This
causes a fatal error.
How to reproduce: specify a --dhcp-option in the config
Hi
On Fri, Sep 11, 2020 at 1:45 PM RafaeHil Gava wrote:
> Hi Selva,
>
> I was wondering if it's possible to detect UAC during the installation.
> What do you think?
>
There are many ways of running the GUI as admin and all involve some
deliberate action on the part of the user.
uble updating some software by
> > automated script and turning UAC off was required.
> >
> > After re-enabling UAC, wintun started normally.
>
> Cool, thanks for digging into this and reporting back.
>
> Selva, is there any reasonable way to detect this? Or do we just go
> for
Hi
On Thu, Sep 10, 2020 at 3:10 AM Marvin Adeff wrote:
> Selva,
>
> Please allow me to back up a moment and restate this:
> 1. I installed the beta3 msi from the web site logged in as a user that
> has admin privileges. But no elevation was used to install it, just
> double
Hi,
On Thu, Sep 10, 2020 at 12:19 AM Marvin wrote:
> Hi Selva,
>
> The GUI did not have this error unless run as administrator which you
>> should not and will never work.
>
> So you are saying that if OpenVPN is installed by a user who has admin
> privileges (as
Hi
On Wed, Sep 9, 2020 at 8:30 PM Marvin wrote:
> Selva,
>
> Sorry for the wrong thread. I was replying to an earlier thread about
> this same error on Beta1 and beta2. So i am a bit confused by your
> statement that this error did not show up in earlier betas, because that's
ror running from the command line as SYSTEM please check
the logs to be sure it's beta3.
Selva
From: Selva Nair
trac #1059
Signed-off-by: Selva Nair
---
doc/man-sections/generic-options.rst | 7 +++
1 file changed, 7 insertions(+)
diff --git a/doc/man-sections/generic-options.rst
b/doc/man-sections/generic-options.rst
index a07fe7e..d5f0883 100644
--- a/doc/man-sections/generic
From: Selva Nair
As reported in Trac 1321, additional adapter installation
by tapctl.exe fails to fully setup the device node (some registry
keys missing, error in setupapi.dev.log etc.).
Although the exact cause of this failure is unclear,
letting the Plug and Play subsystem handle
on
runtime. I'll check those hard corners again and submit a patch soonish
(hopefully today).
Selva
On Thu, Sep 3, 2020 at 8:11 AM Lev Stipakov wrote:
> Hi,
>
> >
> > As per setupapi.dev.log, it appears that step 4 (d) is failing with some
> access error to the driver
it with driver_info = NULL
which will force the system to use the latest matching driver. That would
also eliminate step 3 which is right now very inefficient, though not
required to fix the problem at hand.
If this sounds sane, I'll submit a patch.
Selva
oo.
>
> > Or, better, print a warning message saying the rename failed.
>
> Warning is printed inside tap_delete_adapter().
>
tap_delete_adapter() is not called here. I was suggesting that if we do
check the return value, let us also print a war
toring the return value and add the comment.
Or, better, print a warning message saying the rename failed.
Selva
> }
> }
> }
> --
> 2.17.1
>
>
>
Hi,
I would suggest to keep this renaming but make it not fatal. A
descriptive name is nice to have and we could even make the name
configurable at some point in future.
Selva
On Wed, Sep 2, 2020 at 8:40 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Renaming doesn't work on some
and probably used an elevated command prompt which will obviously lead to
that behaviour.
Selva
all of beta2 brings in all
binaries dated Aug 27.
Selva
On Mon, Aug 24, 2020 at 3:49 AM Eric Thorpe wrote:
> Hi Selva,
>
> my suggestion would be to make
> this conditional on MANAGEMENT_DEF_AUTH so that we can
> then get it from session->opt->mda_context just as we do it when
> auth is done via the management. In practice,
ode. I see
no compelling reason for such fine-grained build options.
A marginal increase in code size is of little consequence for all but
embedded devices which can continue to cope without this
as they do now.
Selva
Hi,
On Wed, Aug 19, 2020 at 3:08 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Commit 6d19775a468 has removed SYSTEM elevation hack,
> but introduced regression - inability to use wintun without interactive
> service.
>
> Proceed with ring buffers registration even if iservice is unavailable
Hi
On Tue, Aug 18, 2020 at 3:42 PM Gert Doering wrote:
> Hi,
>
> On Tue, Aug 18, 2020 at 03:29:19PM -0400, Selva Nair wrote:
> > > If you already have SYSTEM, accessing wintun from openvpn directly will
> > > also work and should bring quite a bit of speed impro
starting openvpn. It will
return you the PID of openvpn.exe which can be monitored. An advantage
of this approach is that your service and openvpn.exe can run with limited
privileges like LOCAL SERVICE or a dedicated openvpn service user.
That said, I don't know anyone who has tested such a
the logs (or use the
GUI) to see what went wrong.
Selva
in the GUI.
I think we can also relax the "do not connect to iservice if admin"
restriction
as that was added to protect against some Windows Vista mis-behaviour.
An additional check in openvpn.exe whether it's started as SYSTEM could be
useful as well, but less critical, IMO.
Selva
From: Selva Nair
- Stress that these are handled internally only on some platforms
- Correct the statement about wintun
- Document DOMAIN-SEARCH
Signed-off-by: Selva Nair
---
v2: Rebase to master and reword to match the new rst version
Add doc for DOMAIN-SEARCH
doc/man-sections/vpn
ement interface was missed
in the previous version of the patch.
Selva
>
> --
> Best Regards, Vladislav Grishenko
>
> -Original Message-
> From: Selva Nair
> Sent: Friday, August 14, 2020 11:22 PM
> To: openvpn-devel
> Subject: Re: [Openvpn-devel] [PATCH v2]
'*' is an allowed character in x509 common name unless we explicitly
forbid it. So killing a client with name ending in * would get tricky
if not impossible without side effects.
Selva
are triggered by CreateFile, so just wondering..
Selva
On Thu, Aug 6, 2020 at 3:02 PM Richard Bonhomme wrote:
>
> Ref: https://github.com/OpenVPN/openvpn-gui/issues/356
>
> Signed-off-by: Richard Bonhomme
> ---
> src/openvpn/tun.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
lack of alternatives in 2.3 and
older. I didn't know 3.x does not support pull-filter. Why? It's easy
to code (at least I know that for sure) so that can't be the reason.
Selva
name.
Both of these are described in OpenVPN howto. See
https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheserversidewhenusingaroutedVPNdevtun
and
https://community.openvpn.net/openvpn/wiki/HOWTO#PushingDHCPoptionstoclients
Selva
On Sun, Jul 19, 2020 at 1:07 PM Fermin Francisco via Ope
-- > "all forwarding for all
other clients"
Acked-by: Selva Nair
On Wed, Jul 15, 2020 at 5:02 AM Gert Doering wrote:
>
> If OpenVPN signals deferred authentication support (by setting
> the internal environment variables "auth_control_file" and
> "deferr
service, ) < 0)
> +{
> +goto done;
Do we have to abort in this case? This will exit the background
process and cripple the server while this could be a temporary memory
pressure causing the fork to fail. Why not just break and plough
along? The core will fail to get a response via the ac_file, but that
could happen if the grand-child fails as well -- the server is
supposed to cope with such failures.
> +}
> +break;
> +}
> +
> +
> +/* non-deferred auth: wait for pam result and send
> + * result back via control socketpair
> + */
> if (pam_auth(service, )) /* Succeeded */
> {
> if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
> --
Apart from these minor issues that could be corrected or ignored at
merge time, all look good.
We should put the usage info into README.auth-pam as that seems to be
the only documentation of the plugin. Also an entry in changelog?
Could be a separate patch.
Acked-by: Selva Nair
Hi,
On Tue, Jun 23, 2020 at 3:22 AM Jan Just Keijser wrote:
>
> Hi,
>
> On 21/06/20 17:14, Selva Nair wrote:
> > On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote:
> >>
> >> going through OpenVPN threads that went stale - I think this is
> >> actu
@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers
> AES-2
Hi,
This was long overdue after patches after patches sprinkling fprintf() all
over the place.. mea culpa too..
Acked-by: Selva Nair
On Sat, Jun 20, 2020 at 11:18 AM Gert Doering wrote:
>
> More recent OpenVPN APIs pass a function pointer for a logging function
> (plugin_log()) t
O, MODULE, "cannot
> write to '%s'", ac_file_name );
> +}
> +close(ac_fd);
> +plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth
> finished" );
> +exit(0);
> +
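Review bot: In the branch that logs "cannot write to '%s'" for ac_file_name, control falls through to the same close(ac_fd), "BACKGROUND: deferred auth finished" note and exit(0) as the success path, so neither the log nor the exit status distinguishes a failed write of the auth control file from a completed one. Consider exiting non-zero from that branch, or skipping the "finished" note there, so a failed deferred-auth result is visible to whoever inspects the background process.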
I think we need both --- the current one retained as the connection
specific suffix which would be just one entry and then this search
list. As we allow multiple entries for DOMAIN right now, a user
friendly approach would be to continue doing so but internally treat
all but the first as a part of --dh
fort to make it handle pam auth asynchronously.
Things may be easier if modules that take long to verify the credentials,
return something like PAM_INCOMPLETE, so that it can be called back later.
But that is beyond our control, and I'm not familiar with async support
within PAM or in PAM modules.
From: Selva Nair
(i) Let the management-client predictably cycle through remote entries. This
is done by not aborting after two cycles. The client can abort or restart
the connection using signals (USR/HUP/TERM) as necessary.
In the current behaviour, the daemon can unexpectedly exit when
Hi,
On Wed, May 13, 2020 at 12:36 PM Gert Doering wrote:
>
> Hi,
>
> On Sun, Jun 09, 2019 at 03:33:55PM -0400, Selva Nair wrote:
> > Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201
> >
> > These patches were meant to help implement choosing the
s in 2.4.
If we do, we'll need this one (commit
7369d01bf360bcfa02f26c05b86dde5496d120f6) and the followup one
7a8109023f4c345fe12f23421c5fa7e88e1ea85b
Both should cherry-pick without conflicts.
See also Trac #1275 https://community.openvpn.net/openvpn/ticket/1275
Thanks,
Selva
ved. aa6affe should cherry-pick with no issues.
Selva
From: Selva Nair
When only username is found in the file, redirect the auth-user-pass
query to the management interface if management-query-passwords is
enabled. Otherwise the user is prompted on console, if available,
as before.
This changes the behaviour for those who run from the command
From: Selva Nair
This helps the next patch. No functionality changes, only
refactoring.
Same as commit 461e566fb274d6f7647dc3aa81c02e4fbf362a23 in master
except for additional ifdef ENABLE_CLIENT_CR
Signed-off-by: Selva Nair
---
src/openvpn/misc.c | 61
Hi,
On Thu, Apr 2, 2020 at 12:56 PM Jonathan K. Bullard
wrote:
> Hi,
>
> On Mon, Mar 30, 2020 at 2:06 PM wrote:
> >
> > From: Selva Nair
> >
> > When only username is found in the file, redirect the auth-user-pass
> > query to the management i
for nul termination
More importantly, you have to provide a single updated patch
preferably with version indicated in the subject and sent out with
--in-reply-to referring to the previous version.
Submitting incremental pieces of fixup commits doesn't
From: Selva Nair
This helps the next patch. No functionality changes, only
refactoring.
Signed-off-by: Selva Nair
---
No changes from v1
src/openvpn/misc.c | 54 ++
1 file changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/openvpn
From: Selva Nair
When only username is found in the file, redirect the auth-user-pass
query to the management if management-query-passwords is enabled.
Otherwise the user is prompted on console, if available, as before.
This changes the behaviour for those who run from the command line
Hi,
On Mon, Mar 30, 2020 at 12:11 PM Jonathan K. Bullard
wrote:
> Hi,
>
> On Mon, Mar 30, 2020 at 11:12 AM Selva Nair wrote:
> > Jonathan K. Bullard wrote:
> > >
> > > If the OS X command line user was using --management-query-passwords
> > >
Hi,
On Mon, Mar 30, 2020 at 2:07 AM Gert Doering wrote:
>
> Hi,
>
> On Sun, Mar 29, 2020 at 07:58:15PM -0400, Selva Nair wrote:
> > Yes, that's right. However, that logic won't be proper on OS-X, would it?
> > Command line users who use --log can still see password
>
Hi,
On Sun, Mar 29, 2020 at 7:13 PM Jonathan K. Bullard wrote:
>
> Hi,
>
> On Sun, Mar 29, 2020 at 4:34 PM wrote:
> >
> > From: Selva Nair
> >
> > If only username is found in the file, redirect the auth-user-pass
> > query to the management on
Hi,
On Tue, Mar 17, 2020 at 6:25 AM Gert Doering wrote:
>
> Hi,
>
> On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> > On 16/03/2020 14:48, Selva Nair wrote:
> > [...snip...]
> > >> I would just rephrase it to say:
> > >>
From: Selva Nair
If only username is found in the file, redirect the auth-user-pass
query to the management on Windows if (i) management-query-passwords
is enabled and (ii) stdout is redirected to a log file. These
restrictions avoid regressive behaviour: those running from the
command line
From: Selva Nair
This helps the next patch. No functionality changes, only
refactoring.
Signed-off-by: Selva Nair
---
src/openvpn/misc.c | 54 ++
1 file changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/openvpn/misc.c b/src