Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hi,

On Mon, Feb 13, 2017 at 12:02:45AM +0100, Olivier W wrote:
> I'll be sending the patch with "git format-patch" + "git send-email"
> as I have three commits and I'm not sure how to send a single patch
> with only "git send-email"

Look at "git rebase --interactive", which will enable you to squash three commits into a single one. Then you can use "git commit --amend" to work on the (combined) commit message until you're happy with it.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [SPAM] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
From: Olivier W Signed-off-by: O2 Graphics --- src/openvpn/ssl_openssl.c | 5 + 1 file changed, 5 insertions(+) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a889332..abf69c9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -508,6 +508,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) +pkey = SSL_CTX_get0_privatekey(ctx->ctx); +#else +/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ SSL *ssl = SSL_new(ctx->ctx); if (!ssl) { @@ -515,6 +519,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name } pkey = SSL_get_privatekey(ssl); SSL_free(ssl); +#endif msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); -- 2.11.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
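Review bot: this diff is taken against index a889332, a tree in which the SSL_new()/SSL_get_privatekey() fallback already appears as unchanged context, so it only applies on top of earlier unsquashed commits and not to the upstream file; the squashed resubmission later in this thread (index 8266595..abf69c9, same target blob) carries the complete change and is the version to review. For that resubmission, the Signed-off-by should name the author ("O2 Graphics" is not a person's name, which the later patch corrects), and the first hunk would read more clearly if the "Little hack" comment were kept together with the code it describes, as the later patch also does.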
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hello Gert,

2017-02-13 9:31 GMT+01:00 Gert Doering :
> Look at "git rebase --interactive", which will enable you to squash
> three commits into a single one. Then you can use "git commit --amend"
> to work on the (combined) commit message until you're happy with it.

Thanks a lot. I've finally squashed my commits, pushed to github.

Now I'm fighting with git which doesn't want to use gmail's smtp server to send the email. My .gitconfigure file is similar to: https://git-scm.com/docs/git-send-email#_example and I've added "smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error: "STARTTLS failed! at /usr/local/libexec/git-core/git-send-email line 1371."
I'm currently searching for a solution.

BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying to not post any more buggy email here.

Best Regards.
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hi,

On Mon, Feb 13, 2017 at 06:46:11PM +0100, Olivier W wrote:
> 2017-02-13 9:31 GMT+01:00 Gert Doering :
> > Look at "git rebase --interactive", which will enable you to squash
> > three commits into a single one. Then you can use "git commit --amend"
> > to work on the (combined) commit message until you're happy with it.
>
> Thanks a lot. I've finally squashed my commits, pushed to github.

Good :-)

> Now I'm fighting with git which doesn't want to use gmail's smtp
> server to send the email. My .gitconfigure file is similar to:
> https://git-scm.com/docs/git-send-email#_example and I've added
> "smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error:
> "STARTTLS failed! at /usr/local/libexec/git-core/git-send-email line
> 1371."
> I'm currently searching for a solution.

That's a not exactly helpful error message... :( - I tend to just turn off SSL on stuff that goes to public mailing lists anyway if it causes issues...

> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying to not post anymore
> buggy email here.

I've created my share of weird git e-mails in the past :-) - so what I've started to do is "send the mail to myself" (if possible, on a different account) and then verify if the result is what I want to see...

gert
[Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openss
Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2 Signed-off-by: Olivier Wahrenberger --- src/openvpn/ssl_openssl.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 8266595..abf69c9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -508,10 +508,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) +pkey = SSL_CTX_get0_privatekey(ctx->ctx); +#else /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ -SSL ssl; -ssl.cert = ctx->ctx->cert; -pkey = SSL_get_privatekey(&ssl); +SSL *ssl = SSL_new(ctx->ctx); +if (!ssl) +{ +crypto_msg(M_FATAL, "SSL_new failed"); +} +pkey = SSL_get_privatekey(ssl); +SSL_free(ssl); +#endif msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); -- 2.11.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
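Review bot: in the #else branch, pkey obtained from SSL_get_privatekey(ssl) is used after SSL_free(ssl); that is only correct because SSL_new() shares the context's private key by reference instead of copying it, so the EVP_PKEY stays owned by ctx->ctx after the temporary SSL is gone. That lifetime assumption deserves a comment next to "SSL_free(ssl);" (for example: "/* pkey is still owned by ctx->ctx, not by the freed SSL */"), and the same borrowed-pointer rule applies to the SSL_CTX_get0_privatekey() branch, where the get0 naming means no reference is taken. It is also worth confirming that the code after the hunk copes with pkey == NULL, since both calls return NULL when no private key has been loaded into the context. Finally, the commit message says only that the build is fixed: it should state what in LibreSSL 2.5.1 stops the old "ssl.cert = ctx->ctx->cert" access to the SSL struct's members (the reason the fallback now has to go through SSL_new()), and that the !defined(LIBRESSL_VERSION_NUMBER) guard is needed because LibreSSL reports an OPENSSL_VERSION_NUMBER that passes the 1.0.2 check while not providing SSL_CTX_get0_privatekey().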
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hey :-)

2017-02-13 18:50 GMT+01:00 Gert Doering :
> That's a not exactly helpful error message... :( - I tend to just turn
> off SSL on stuff that goes to public mailing lists anyway if it causes
> issues...

Thanks. I also tried without SSL, but then I had messages about git not understanding "AUTH" :-/

Finally, for gmail, it's working with:

  smtpEncryption = ssl
  smtpServerPort = 465

instead of tls/587

> I've created my share of weird git e-mails in the past :-) - so what I've
> started to do is "send the mail to myself" (if possible, on a different
> account) and then verify if the result is what I want to see...

Yes, I guess many people struggle with the email configuration :-) I had tried to first send to my personal email address and it went well, but I'm not sure how it worked since I didn't have anything related to SMTP configuration in ".gitconfig".

Finally, I think it's now OK :-)

Best Regards,
Olivier
[Openvpn-devel] build against openssl 1.1.0
Hello everybody,

Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not compile against this version. Did anybody start the work to support latest openssl versions?

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];) putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [Openvpn-devel] build against openssl 1.1.0
Hi,

On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
> compile against this version. Did anybody start the work to support latest
> openssl versions?

How does Arch deal with OpenSSH (which doesn't compile with 1.1.0 either, at least "out of the repo")?

gert
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
On 13/02/17 18:50, Gert Doering wrote:
> Hi,
>
> On Mon, Feb 13, 2017 at 06:46:11PM +0100, Olivier W wrote:
[...snip...]
>> Now I'm fighting with git which doesn't want to use gmail's smtp
>> server to send the email. My .gitconfigure file is similar to:
>> https://git-scm.com/docs/git-send-email#_example and I've added
>> "smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error:
>> "STARTTLS failed! at /usr/local/libexec/git-core/git-send-email line
>> 1371."
>> I'm currently searching for a solution.

smtpsslcertpath needs to point at a CA certificate which issued the SMTP server certificate. You can easily verify that things are correct by grabbing the server certificate using openssl:

  $ openssl s_client -connect $SMTP_SERVER:$PORT -starttls smtp

Copy the certificate blob printed to stdout to a file. Then take your CA certificate (including the full chain in a single file, where the root CA certificate is the last one in the file) and run this command:

  $ openssl verify -CAfile $CA_CERT_CHAIN $SERVER_CERT

The output should display the file of the server certificate and ": OK".

> That's a not exactly helpful error message... :( - I tend to just turn
> off SSL on stuff that goes to public mailing lists anyway if it causes
> issues...

OpenSSL errors require quite some effort to get used to. And in addition the git-send-email errors on top don't always make life easier.

>> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
>> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying to not post anymore
>> buggy email here.

No worries! As long as you don't spam us completely with non-sense, we can handle a few misfires ;-)

> I've created my share of weird git e-mails in the past :-) - so what I've
> started to do is "send the mail to myself" (if possible, on a different
> account) and then verify if the result is what I want to see...

That's good advice :)

--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] build against openssl 1.1.0
On Mon, 13 Feb 2017 20:33:38 +0100 Gert Doering wrote:
> On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> > Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN
> > does not compile against this version. Did anybody start the work
> > to support latest openssl versions?
>
> How does Arch deal with OpenSSH (which doesn't compile with 1.1.0
> either, at least "out of the repo")?

Good question... I am not responsible for the openssh package. Gaetan has to deal with it.

And a lot more has to be done... There's a long list of packages to be fixed. Sadly openssl developers do not care about ABI and API stability or compatibility. :(

--
Best regards,
Chris
Re: [Openvpn-devel] build against openssl 1.1.0
On 13.02.2017 at 20:50, Christian Hesse wrote:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(

Much frustration can be muttered and uttered about OpenSSL and more so of its spin-offs such as LibreSSL, but this accusation is unjustified; the API and ABI compatibility is one of the areas where OpenSSL's documentation is adequate and transparent.
Re: [Openvpn-devel] build against openssl 1.1.0
On 13/02/17 20:50, Christian Hesse wrote:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(

I do understand the frustration ... but let's be fair too. OpenSSL v1.1 is considered a major upgrade from v1.0 and they don't guarantee API/ABI stability across major upgrades. And the v1.1 API does indeed try to clean up a lot of the API mess and confusions. So it is a move in the right direction.

I attended an OpenSSL v1.1 talk at devconf.cz at the end of January this year, I'll try to dig up the slides from Tomas Mraz who had the talk. It was quite informative why it was needed to break several APIs in v1.1.

--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hello David,

2017-02-13 20:37 GMT+01:00 David Sommerseth :
>
> smtpsslcertpath needs to point at a CA certificate which issued the SMTP
> server certificate. You can easily verify that things are correct by
> grabbing the server certificate using openssl:
>
> $ openssl s_client -connect $SMTP_SERVER:$PORT -starttls smtp
>
> Copy the certificate blob printed to stdout to a file. Then take your
> CA certificate (including full chain in a single file, where the root CA
> certificate is the last one in file) and run this command:
>
> $ openssl verify -CAfile $CA_CERT_CHAIN $SERVER_CERT
>
> The output should display the file of the server certificate and ": OK".

Thanks for your help, but I still can't use GMail on port 587 (but everything is OK on port 465).

In my .gitconfig, I have "smtpsslcertpath = /etc/ssl/cert.pem" and the .pem file exists, installed by the package "ca_root_nss" on FreeBSD.

So, I tried "openssl s_client -connect smtp.gmail.com:587 -starttls smtp", copying the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" in a file, but running "openssl verify -CAfile /etc/ssl/cert.pem gmail.cert" gives:

  "gmail.cert: C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
  error 20 at 0 depth lookup:unable to get local issuer certificate"

I also tried on Debian and I'm getting the same error. Same thing with Hotmail on "smtp.live.com:587".

Well, as long as I can use the other port with SSL, it's ok :-)

>> That's a not exactly helpful error message... :( - I tend to just turn
>> off SSL on stuff that goes to public mailing lists anyway if it causes
>> issues...
>
> OpenSSL errors requires quite some efforts to get used to. And in
> addition the git-send-email errors on top doesn't always make life easier.

I've just tried git-send-email with "--smtp-debug=1" and the error isn't much useful, I'm getting:

  "...
  Net::SMTP=GLOB(0x8048189a8)<<< 250 SMTPUTF8
  Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
  Net::SMTP=GLOB(0x8048189a8)<<< 220 2.0.0 Ready to start TLS
  Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
  Net::SMTP: Net::Cmd::getline(): unexpected EOF on command channel: Connection reset by peer at /usr/local/libexec/git-core/git-send-email line 1371.
  STARTTLS failed! at /usr/local/libexec/git-core/git-send-email line 1371."

>>> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
>>> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying to not post anymore
>>> buggy email here.
>
> No worries! As long as you don't spam us completely with non-sense, we
> can handle a few misfires ;-)

;-)

Best Regards,
Olivier
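David's two-step check and the "error 20 at 0 depth lookup" result Olivier gets from it can both be reproduced offline. The script below is an added example, not code from the thread or from OpenVPN: it builds a constructed root / intermediate / leaf chain (smtp.example.test, keys in a temporary directory, all made up) and shows that a leaf verified against the root bundle alone fails exactly as reported, while supplying the intermediate, either as -untrusted or inside the CAfile chain as David described, makes the same verify succeed. It goes slightly beyond the thread by using -untrusted, the usual way to feed in the intermediates that "openssl s_client -showcerts" prints.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "error 20 at 0 depth lookup:
# unable to get local issuer certificate" offline with a constructed
# root -> intermediate -> leaf chain, then show the verify calls that succeed.
# Assumes only the openssl CLI; every name and path here is made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with a CA from $WORK, attaching the X.509v3 extensions in a file.
sign() { # sign <csr> <ca-name> <out-cert> <ext-file>
    openssl x509 -req -in "$1" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$4" -out "$3" 2>/dev/null
}

make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smtp.example.test\n' \
        > "$WORK/leaf.ext"
    # Root CA: CSR self-signed with explicit CA:TRUE (works on old and new openssl).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA: the issuer a public SMTP server's leaf usually points at.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    sign "$WORK/int.csr" root "$WORK/int.pem" "$WORK/ca.ext"
    # Leaf: the certificate "openssl s_client" prints first for the server.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    sign "$WORK/leaf.csr" int "$WORK/leaf.pem" "$WORK/leaf.ext"
}

# Run "openssl verify" and print ok/fail so results can be compared in scripts.
check() { openssl verify "$@" >/dev/null 2>&1 && echo ok || echo fail; }

# Leaf against the root bundle alone: the reported "unable to get local issuer".
verify_leaf_only() { check -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }

# Intermediate passed as -untrusted: the chain now reaches the trusted root.
verify_with_untrusted() {
    check -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Chain file with the root last, used as CAfile, as suggested in the thread.
verify_with_chain_file() {
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
    check -CAfile "$WORK/chain.pem" "$WORK/leaf.pem"
}

make_chain
echo "leaf vs root bundle only:          $(verify_leaf_only)"        # fail
echo "leaf + intermediate (-untrusted):  $(verify_with_untrusted)"   # ok
echo "leaf vs int+root chain file:       $(verify_with_chain_file)"  # ok
```

The first result is the depth-0 lookup failure from the thread: the verifier has the root but nothing that names the leaf's actual issuer, so the leaf alone can never validate against a root-only bundle such as /etc/ssl/cert.pem.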
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hi,

On Mon, Feb 13, 2017 at 3:55 PM, Olivier W wrote:
> >> That's a not exactly helpful error message... :( - I tend to just turn
> >> off SSL on stuff that goes to public mailing lists anyway if it causes
> >> issues...
> >
> > OpenSSL errors requires quite some efforts to get used to. And in
> > addition the git-send-email errors on top doesn't always make life
> easier.
>
> I've just tried git-send-email with "--smtp-debug=1" and the error
> isn't much useful, I'm getting:
> "...
> Net::SMTP=GLOB(0x8048189a8)<<< 250 SMTPUTF8
> Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
> Net::SMTP=GLOB(0x8048189a8)<<< 220 2.0.0 Ready to start TLS
> Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
> Net::SMTP: Net::Cmd::getline(): unexpected EOF on command channel:
> Connection reset by peer at /usr/local/libexec/git-core/git-send-email
> line 1371.
> STARTTLS failed! at /usr/local/libexec/git-core/git-send-email line
> 1371."

On Debian jessie, the following .gitconfig works for me.

  [sendemail]
      smtpEncryption = tls
      smtpServer = smtp.gmail.com
      smtpUser = user.n...@gmail.com
      smtpServerPort = 587

No smtpsslcertpath specified, I suppose it verifies the cert using /etc/ssl/certs as the capath, which is the default.

Possibly your /etc/ssl/cert.pem is to blame? I do not have such a file, so no idea what it contains.

Selva
Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.
Hello Selva,

2017-02-13 22:34 GMT+01:00 Selva Nair :
> On Debian jessie, the following .gitconfig works fo me.
>
> [sendemail]
>     smtpEncryption = tls
>     smtpServer = smtp.gmail.com
>     smtpUser = user.n...@gmail.com
>     smtpServerPort = 587
>
> No smtpsslcertpath specified, I suppose it verifies the cert using
> /etc/ssl/certs as the capath, which is the default.

Thanks! Your configuration is what I tried, from the git-send-email docs: https://git-scm.com/docs/git-send-email#_use_gmail_as_the_smtp_server

I've just tested on Debian and I've been able to send an email with TLS, so the problem isn't my git or gmail setup. It could be a FreeBSD-only issue, I see they have a patched version of git-send-email because Net::SMTP::SSL is deprecated.

> Possibly your /etc/ssl/cert.pem is to blame? I do not have such a file, so
> no idea what it contains.

My /etc/ssl/cert.pem file contains all root certificates provided by the Mozilla NSS project, it should be valid.

I'll ask FreeBSD users if they can successfully use TLS with git-send-email and if not I'll try to debug the script.

Best Regards,
Olivier