Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-28 Thread Gert Doering
Hi, On Tue, Mar 28, 2017 at 10:43:54AM +0200, Emmanuel Deloget wrote: > I'm not sure why but it seems this mail (that I sent yesterday) never found > its way to the ML. So I re-send it. > > Sorry for the inconvenience. According to

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-28 Thread Emmanuel Deloget
Hi, I'm not sure why but it seems this mail (that I sent yesterday) never found its way to the ML. So I re-send it. Sorry for the inconvenience. BR, -- Emmanuel Deloget On Mon, Mar 27, 2017 at 5:49 PM, Emmanuel Deloget wrote: > Hi everyone, > > I got some time to try to fix

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-27 Thread Emmanuel Deloget
Hi everyone, I got some time to try to fix all that stuff. First, On Sat, Mar 4, 2017 at 11:38 PM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote: > On 04/03/17 16:13, Steffan Karger wrote: > > As a last resort, we could consider keeping the old code inside #if > > OSSL_VER <

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-04 Thread David Sommerseth
On 04/03/17 16:13, Steffan Karger wrote: > As a last resort, we could consider keeping the old code inside #if > OSSL_VER < 1.1.0 in release/2.4, but that might just create more > confusion... Just a very quick thought here ... I do dislike different behaviours depending on which OpenSSL version

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-04 Thread Emmanuel Deloget
Hello, On Sat, Mar 4, 2017 at 4:13 PM, Steffan Karger wrote: > Hi, > > On 02-03-17 22:26, Gert Doering wrote: >> On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote: >>> So, what I propose instead is: >>> * remove all the nsCertType code (except the option in

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-04 Thread Steffan Karger
Hi, On 02-03-17 22:26, Gert Doering wrote: > On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote: >> So, what I propose instead is: >> * remove all the nsCertType code (except the option in add_option()) >> * update the help strings and man page to indicate that --ns-cert-type >> is

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-02 Thread Gert Doering
Hi, On Thu, Mar 02, 2017 at 09:36:32PM +0100, Steffan Karger wrote: > So, what I propose instead is: > * remove all the nsCertType code (except the option in add_option()) > * update the help strings and man page to indicate that --ns-cert-type > is no longer supported and --remote-cert-tls

Re: [Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-03-02 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509. We have to use the defined > functions to do so. > > In x509_verify_ns_cert_type() in particular, this

[Openvpn-devel] [RFC PATCH v1 05/15] OpenSSL: don't use direct access to the internal of X509

2017-02-17 Thread logout
From: Emmanuel Deloget OpenSSL 1.1 does not allow us to directly access the internal of any data type, including X509. We have to use the defined functions to do so. In x509_verify_ns_cert_type() in particular, this means that we cannot directly check for the extended flags to