Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
On 23-Apr-14 16:06, Steffan Karger wrote: I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces. Sent off-list. I've been trying to reproduce the error. I grabbed my spare pi from the desk drawer and built

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread James Yonan
On 23/04/2014 17:21, Timothe Litt wrote: On 23-Apr-14 16:06, Steffan Karger wrote: I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces. Sent off-list. I've been trying to reproduce the error. I grabbed my

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
I don't see that cryptoapi.c has been updated to work with TLS 1.2. Yes, just came to the same conclusion. Long-term the key-loaders need to get updated. Maybe short-term the options that invoke them could force NO_TLSv_1_2... That would make things work for most people in the short term. On

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread James Yonan
On 23/04/2014 18:22, Timothe Litt wrote: I don't see that cryptoapi.c has been updated to work with TLS 1.2. Yes, just came to the same conclusion. Long-term the key-loaders need to get updated. Maybe short-term the options that invoke them could force NO_TLSv_1_2... That would make things

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Gert Doering
Hi, On Wed, Apr 23, 2014 at 07:21:48PM -0400, Timothe Litt wrote: > As I can't build the windows client (it's really annoying that it > requires commercial tools), further debug will need help from folks who can. Uh, this is a double misinformation :-) - you can build with MSVC, and you can

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
Uh, this is a double misinformation :-) It's good to know that cross-compiling is an option, though cross-debugging (e.g. with an interactive debugger) can be an adventure too. Source of my comment was: http://community.openvpn.net/openvpn/wiki/BuildingOnWindows, which says his new build

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Gert Doering
Hi, On Thu, Apr 24, 2014 at 04:05:20AM -0400, Timothe Litt wrote: > >Uh, this is a double misinformation :-) > It's good to know that cross-compiling is an option, though > cross-debugging (e.g. with an interactive debugger) can be an adventure too. > > Source of my comment was: > >

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Samuli Seppänen
> Hi, > > On Thu, Apr 24, 2014 at 04:05:20AM -0400, Timothe Litt wrote: >>> Uh, this is a double misinformation :-) >> It's good to know that cross-compiling is an option, though >> cross-debugging (e.g. with an interactive debugger) can be an adventure too. >> >> Source of my comment was: >> >>

[Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread Samuli Seppänen
Hi, We're having an IRC meeting on Thursday, starting at 18:00 UTC on #openvpn-de...@irc.freenode.net. Current topic list is here: If you have any other things you'd like to bring up, respond to this mail, send me mail privately or

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
On 24-Apr-14 04:17, Gert Doering wrote: I do run these on a windows 7 machine, but can't reconfigure them just for debugging OpenVPN. No, I wasn't suggesting that you do that, I was just trying to clarify what build options we have. I find "add msg() calls, build on linux, run on windows,

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Samuli Seppänen
> > I use interactive debuggers when I can, and I find that debugging > windows on windows and linux on linux works best for me. The M$ tools > have their flaws, but they do have excellent links to API documentation > & system RTL's sources. For debugging the cryptoapi interface, that >

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread Timothe Litt
The tls_read_plaintext error discussion continued past the e-mail chains pointed to on the meeting topic. I don't know if I'll be able to make the IRC meeting (and I'm just a user, not a developer), so here are a couple of notes: Both the read_plaintext error (mine) and the George Ross

Re: [Openvpn-devel] [PATCH 0/3] Support non-root operation using ocproxy

2014-04-24 Thread David Woodhouse
On Mon, 2014-04-14 at 09:19 +0200, Jan Just Keijser wrote: > I do like the idea of not needing root access to run openvpn - esp > windows users could benefit from this, as they're not always allowed to > install the tap-win adapter. Then again, it goes against the UNIX/Linux > philosophy that

Re: [Openvpn-devel] TAP adapter detection

2014-04-24 Thread David Woodhouse
On Thu, 2014-04-17 at 17:01 -0400, Greg Toombs wrote: > Found the problem. tun-win32.c:45 - > #define TAP_COMPONENT_ID "tap0901" > > This is only valid for the most recent version of the TAP adapter. For > other versions, this should actually be "tapoas". So openconnect > saying that there are no

Re: [Openvpn-devel] TAP adapter detection

2014-04-24 Thread Gert Doering
Hi, On Thu, Apr 24, 2014 at 02:25:55PM +0100, David Woodhouse wrote: > On Thu, 2014-04-17 at 17:01 -0400, Greg Toombs wrote: > > Found the problem. tun-win32.c:45 - > > #define TAP_COMPONENT_ID "tap0901" > > > > This is only valid for the most recent version of the TAP adapter. For > > other

Re: [Openvpn-devel] TAP adapter detection

2014-04-24 Thread Gert Doering
Hi, On Thu, Apr 24, 2014 at 02:25:55PM +0100, David Woodhouse wrote: > Hm, really "tapoas"? Where did that driver come from? Looking more closely, I see if self.opt.oas: kv['PRODUCT_NAME'] = "OpenVPNAS" kv['PRODUCT_TAP_WIN_DEVICE_DESCRIPTION'] = "TAP-Win32

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread George Ross
Sorry, I'm in meeting mode at the moment. Just time to fire in a quick comment here... > George's is not known - but the best guess is that he may be using > another external key loader (such as pkcs11, or maybe an android/ios > client. Nope. Just the following: # TLS parameters dh

Re: [Openvpn-devel] TAP adapter detection

2014-04-24 Thread Samuli Seppänen
> Hi, > > On Thu, Apr 24, 2014 at 02:25:55PM +0100, David Woodhouse wrote: >> Hm, really "tapoas"? Where did that driver come from? > Looking more closely, I see > > if self.opt.oas: > kv['PRODUCT_NAME'] = "OpenVPNAS" > kv['PRODUCT_TAP_WIN_DEVICE_DESCRIPTION'] =

Re: [Openvpn-devel] [PATCH] Keying Material Exporters [RFC 5705]

2014-04-24 Thread Daniel Kubec
updated patch: git format-patch -n HEAD^ --stdout > ./openvpn-channel-bindings.patch vpn_binding_key: - keying material derived by openvpn's crypto later (ssl.c:tls1_*) - life time across negotiations (works a bit like EKM) tls_binding_key: Exported Keying Material [RFC 5705] - derived

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread Timothe Litt
On 24-Apr-14 10:52, George Ross wrote: On our server side the certificate chain goes: University CA -> School CA -> service-signing CA -> service cert. The first two of these are kept off-line. On the client side it goes: University CA -> School CA -> KCA -> kx509-cert. I wonder if that's

Re: [Openvpn-devel] More on the George Ross failure

2014-04-24 Thread Timothe Litt
Having stolen a few minutes, a bit closer... Backtracking, I believe George's error must be coming from openssl/ssl/s3_clnt.c: ssl3_send_client_verify(), the block of code starting 36 lines in, shown below. There is a call to EVP_SignFinal, that I believe will turn out to dispatch to

[Openvpn-devel] Summary of the IRC meeting (24th Apr 2014)

2014-04-24 Thread Samuli Seppänen
Hi, Here's the summary of the previous IRC meeting. --- COMMUNITY MEETING Place: #openvpn-devel on irc.freenode.net List-Post: openvpn-devel@lists.sourceforge.net Date: Thursday 24th Apr 2014 Time: 18:00 UTC Planned meeting topics for this meeting were on this page:

Re: [Openvpn-devel] [PATCH 1/2] Add support for elliptic curve diffie-hellmann key exchange (ECDH)

2014-04-24 Thread Steffan Karger
On 24-04-14 00:43, Steffan Karger wrote: > [ ECDH patch ] ... and attached a v3 of this patch with better debug / warning messages when using an OpenSSL build without EC-crypto. -Steffan From 91bb1da0c2fb385e4a73ef1068c381797bbbe22f Mon Sep 17 00:00:00 2001 From: Steffan Karger