Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Olivier W
Hello Selva,

2017-02-13 22:34 GMT+01:00 Selva Nair :
> On Debian jessie, the following .gitconfig works for me.
>
> [sendemail]
>   smtpEncryption = tls
>   smtpServer = smtp.gmail.com
>   smtpUser = user.n...@gmail.com
>   smtpServerPort = 587
>
> No smtpsslcertpath specified, I suppose it verifies the cert using
> /etc/ssl/certs as the capath, which is the default.

Thanks! Your configuration is what I tried, from git-send-email doc's:
https://git-scm.com/docs/git-send-email#_use_gmail_as_the_smtp_server
I've just tested on Debian and I've been able to send an email with
TLS, so the problem isn't my git or gmail setup.
It could be a FreeBSD only issue, I see they have a patched version of
git-send-email because Net::SMTP::SSL is deprecated.

> Possibly your /etc/ssl/cert.pem is to blame? I do not have such a file, so
> no idea what it contains.

My /etc/ssl/cert.pem file contains all root certificates provided by the
Mozilla NSS project, so it should be valid.
I'll ask FreeBSD users if they can successfully use TLS with
git-send-email and if not I'll try to debug the script.

Best Regards,
Olivier

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Selva Nair
Hi,

On Mon, Feb 13, 2017 at 3:55 PM, Olivier W  wrote:

> >> That's not exactly a helpful error message... :( - I tend to just turn
> >> off SSL on stuff that goes to public mailing lists anyway if it causes
> >> issues...
> >
> > OpenSSL errors require quite some effort to get used to.  And in
> > addition the git-send-email errors on top don't always make life
> easier.
>
> I've just tried git-send-email with "--smtp-debug=1" and the error
> isn't much useful, I'm getting:
> "...
> Net::SMTP=GLOB(0x8048189a8)<<< 250 SMTPUTF8
> Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
> Net::SMTP=GLOB(0x8048189a8)<<< 220 2.0.0 Ready to start TLS
> Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
> Net::SMTP: Net::Cmd::getline(): unexpected EOF on command channel:
> Connection reset by peer at /usr/local/libexec/git-core/git-send-email
> line 1371.
> STARTTLS failed!  at /usr/local/libexec/git-core/git-send-email line
> 1371."
>

On Debian jessie, the following .gitconfig works for me.

[sendemail]
  smtpEncryption = tls
  smtpServer = smtp.gmail.com
  smtpUser = user.n...@gmail.com 
  smtpServerPort = 587

No smtpsslcertpath specified, I suppose it verifies the cert using
/etc/ssl/certs as the capath, which is the default.

Possibly your /etc/ssl/cert.pem is to blame? I do not have such a file, so
no idea what it contains.

Selva


Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Olivier W
Hello David,

2017-02-13 20:37 GMT+01:00 David Sommerseth :
>
> smtpsslcertpath needs to point at a CA certificate which issued the SMTP
> server certificate.  You can easily verify that things are correct by
> grabbing the server certificate using openssl:
>
> $ openssl s_client -connect $SMTP_SERVER:$PORT -starttls smtp
>
> Copy the certificate blob printed to stdout to a file.  Then take your
> CA certificate (including full chain in a single file, where the root CA
> certificate is the last one in file) and run this command:
>
> $ openssl verify -CAfile $CA_CERT_CHAIN $SERVER_CERT
>
> The output should display the file of the server certificate and ": OK".

Thanks for your help, but I still can't use GMail on port 587 (but
everything is OK on port 465).
In my .gitconfig, I have "smtpsslcertpath = /etc/ssl/cert.pem" and the
.pem file exists, installed by the package "ca_root_nss" on FreeBSD.

So, I tried "openssl s_client -connect smtp.gmail.com:587 -starttls
smtp", copying the content from: "-BEGIN CERTIFICATE-" to
"-END CERTIFICATE-" in a file, but running "openssl verify
-CAfile /etc/ssl/cert.pem gmail.cert" gives:
"gmail.cert: C = US, ST = California, L = Mountain View, O = Google
Inc, CN = smtp.gmail.com
error 20 at 0 depth lookup:unable to get local issuer certificate"

I also tried on Debian and I'm getting the same error. Same thing with
Hotmail on "smtp.live.com:587".

Well, as long as I can use the other port with SSL, it's ok :-)

>> That's not exactly a helpful error message... :( - I tend to just turn
>> off SSL on stuff that goes to public mailing lists anyway if it causes
>> issues...
>
> OpenSSL errors require quite some effort to get used to.  And in
> addition the git-send-email errors on top don't always make life easier.

I've just tried git-send-email with "--smtp-debug=1" and the error
isn't much useful, I'm getting:
"...
Net::SMTP=GLOB(0x8048189a8)<<< 250 SMTPUTF8
Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
Net::SMTP=GLOB(0x8048189a8)<<< 220 2.0.0 Ready to start TLS
Net::SMTP=GLOB(0x8048189a8)>>> STARTTLS
Net::SMTP: Net::Cmd::getline(): unexpected EOF on command channel:
Connection reset by peer at /usr/local/libexec/git-core/git-send-email
line 1371.
STARTTLS failed!  at /usr/local/libexec/git-core/git-send-email line 1371."

>>> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
>>> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying not to post any more
>>> buggy emails here.
>
> No worries!  As long as you don't spam us completely with nonsense, we
> can handle a few misfires ;-)

;-)

Best Regards,
Olivier



Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread David Sommerseth
On 13/02/17 20:50, Christian Hesse wrote:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(

I do understand the frustration ... but let's be fair too.  OpenSSL v1.1
is considered a major upgrade from v1.0 and they don't guarantee API/ABI
stability across major upgrades.

And the v1.1 API does indeed try to clean up a lot of the API mess and
confusion.  So it is a move in the right direction.  I attended an
OpenSSL v1.1 talk at devconf.cz at the end of January this year; I'll
try to dig up the slides from Tomas Mraz, who gave the talk.  It was quite
informative about why several APIs needed to be broken in v1.1.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Matthias Andree
Am 13.02.2017 um 20:50 schrieb Christian Hesse:
> And a lot more has to be done... There's a long list of packages to be
> fixed. Sadly openssl developers do not care about ABI and API stability
> or compatibility. :(


Much frustration can be muttered and uttered about OpenSSL and more so
of its spin-offs such as LibreSSL, but this accusation is unjustified;
the API and ABI compatibility is one of the areas where OpenSSL's
documentation is adequate and transparent.





Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Christian Hesse
On Mon, 13 Feb 2017 20:33:38 +0100
Gert Doering  wrote:
> On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> > Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN
> > does not compile against this version. Did anybody start the work
> > to support latest openssl versions?  
> 
> How does Arch deal with OpenSSH (which doesn't compile with 1.1.0
> either, at least "out of the repo")?

Good question... I am not responsible for the openssh package. Gaetan
has to deal with it.

And a lot more has to be done... There's a long list of packages to be
fixed. Sadly openssl developers do not care about ABI and API stability
or compatibility. :(
-- 
Best regards,
Chris



Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread David Sommerseth
On 13/02/17 18:50, Gert Doering wrote:
> Hi,
> 
> On Mon, Feb 13, 2017 at 06:46:11PM +0100, Olivier W wrote:
[...snip...]
>> Now I'm fighting with git which doesn't want to use gmail's smtp
>> server to send the email. My .gitconfigure file is similar to:
>> https://git-scm.com/docs/git-send-email#_example and I've added
>> "smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error:
>> "STARTTLS failed!  at /usr/local/libexec/git-core/git-send-email line
>> 1371."
>> I'm currently searching for a solution.

smtpsslcertpath needs to point at a CA certificate which issued the SMTP
server certificate.  You can easily verify that things are correct by
grabbing the server certificate using openssl:

$ openssl s_client -connect $SMTP_SERVER:$PORT -starttls smtp

Copy the certificate blob printed to stdout to a file.  Then take your
CA certificate (including full chain in a single file, where the root CA
certificate is the last one in file) and run this command:

$ openssl verify -CAfile $CA_CERT_CHAIN $SERVER_CERT

The output should display the file of the server certificate and ": OK".

> That's not exactly a helpful error message... :( - I tend to just turn
> off SSL on stuff that goes to public mailing lists anyway if it causes
> issues...

OpenSSL errors require quite some effort to get used to.  And in
addition the git-send-email errors on top don't always make life easier.

>> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
>> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying not to post any more
>> buggy emails here.

No worries!  As long as you don't spam us completely with nonsense, we
can handle a few misfires ;-)

> I've created my share of weird git e-mails in the past :-) - so what I've
> started to do is "send the mail to myself" (if possible, on a different
> account) and then verify if the result is what I want to see...

That's good advice :)

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
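The verification procedure above, and the "error 20 at 0 depth lookup" result Olivier reports in his reply, reproduced offline as an added example that is not part of the thread or of OpenVPN: it builds a throwaway root, intermediate and server certificate with the openssl CLI (all names constructed) and shows that verifying the bare server certificate against a roots-only CA file fails exactly that way, while passing the intermediate alongside makes it succeed. The assumption is that the real server's chain includes an intermediate CA, which is the usual case for public mail servers.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "error 20 at 0 depth
# lookup: unable to get local issuer certificate" failure offline with a
# constructed three-tier chain, then show the verification that passes.
# Requires the openssl CLI; every key and name below is throwaway test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: an empty DN section (names come from -subj) plus the
# extension sections for a CA certificate and for a server leaf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:smtp.example.test
EOF

# Root CA: the kind of certificate a roots-only bundle such as
# /etc/ssl/cert.pem contains.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ext.cnf \
    -extensions ca -subj "/CN=Test Root CA" -keyout root.key -out root.pem \
    >/dev/null 2>&1

# Intermediate CA issued by the root; public CAs issue server certs from here.
openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=Test Intermediate CA" -keyout inter.key -out inter.csr \
    >/dev/null 2>&1
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ext.cnf -extensions ca -out inter.pem \
    >/dev/null 2>&1

# Server leaf issued by the intermediate: what "openssl s_client" prints
# as the single certificate blob when -showcerts is not given.
openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -subj "/CN=smtp.example.test" -keyout leaf.key -out leaf.csr \
    >/dev/null 2>&1
openssl x509 -req -days 2 -in leaf.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -extfile ext.cnf -extensions leaf -out leaf.pem \
    >/dev/null 2>&1

# The thread's command: bare leaf against a roots-only CA file. The leaf's
# issuer is the intermediate, which is in neither place, so chain building
# stops at depth 0 with error 20. Output is returned for inspection.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem 2>&1 || true
}

# The fix: hand openssl the intermediate as an untrusted chain element. The
# same works with the full chain saved from "openssl s_client -showcerts".
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1
}

verify_leaf_only
verify_with_chain
```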






Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Gert Doering
Hi,

On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
> compile against this version. Did anybody start the work to support latest
> openssl versions?

How does Arch deal with OpenSSH (which doesn't compile with 1.1.0 either,
at least "out of the repo")?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] build against openssl 1.1.0

2017-02-13 Thread Christian Hesse
Hello everybody,

Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
compile against this version. Did anybody start the work to support latest
openssl versions?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Olivier W
Hey :-)

2017-02-13 18:50 GMT+01:00 Gert Doering :
> That's a not exactly helpful error message... :( - I tend to just turn
> off SSL on stuff that goes to public mailing lists anyway if it causes
> issues...

Thanks. I also tried without SSL, but then I had messages about git
not understanding "AUTH" :-/
Finally, for gmail, it's working with:
smtpEncryption = ssl
smtpServerPort = 465
instead of tls/587

> I've created my share of weird git e-mails in the past :-) - so what I've
> started to do is "send the mail to myself" (if possible, on a different
> account) and then verify if the result is what I want to see...

Yes, I guess many people struggle with the email configuration :-) I
had tried to first send to my personal email address and it went well,
but I'm not sure how it worked since I didn't have anything related to
SMTP configuration in ".gitconfig".

Finally, I think it's now OK :-)

Best Regards,
Olivier



[Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack. Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openss

2017-02-13 Thread O2 Graphics
Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2

Signed-off-by: Olivier Wahrenberger 
---
 src/openvpn/ssl_openssl.c | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8266595..abf69c9 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -508,10 +508,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 const EC_GROUP *ecgrp = NULL;
 EVP_PKEY *pkey = NULL;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+pkey = SSL_CTX_get0_privatekey(ctx->ctx);
+#else
 /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
-SSL ssl;
-ssl.cert = ctx->ctx->cert;
-pkey = SSL_get_privatekey();
+SSL *ssl = SSL_new(ctx->ctx);
+if (!ssl)
+{
+crypto_msg(M_FATAL, "SSL_new failed");
+}
+pkey = SSL_get_privatekey(ssl);
+SSL_free(ssl);
+#endif
 
 msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
 
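Review bot: `pkey` is used after `SSL_free(ssl)` in the `#else` branch; the pointer `SSL_get_privatekey(ssl)` returns is borrowed from the SSL object's certificate state and must not be freed, and it stays valid here only while the owning `ctx->ctx` does, so a one-line comment saying so (and that `SSL_CTX_get0_privatekey()` likewise returns a borrowed pointer) would stop a future reader from "fixing" it. The `!defined(LIBRESSL_VERSION_NUMBER)` part of the guard also deserves a sentence in the commit message: LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L, so without it LibreSSL would take the `SSL_CTX_get0_privatekey()` path, and the message should say whether LibreSSL 2.5.1 lacks that function or the exclusion is a precaution.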
-- 
2.11.1




Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Gert Doering
Hi,

On Mon, Feb 13, 2017 at 06:46:11PM +0100, Olivier W wrote:
> 2017-02-13 9:31 GMT+01:00 Gert Doering :
> > Look at "git rebase --interactive", which will enable you to squash
> > three commits into a single one.  Then you can use "git commit --amend"
> > to work on the (combined) commit message until you're happy with it.
> 
> Thanks a lot. I've finally squashed my commits, pushed to github.

Good :-)

> Now I'm fighting with git which doesn't want to use gmail's smtp
> server to send the email. My .gitconfigure file is similar to:
> https://git-scm.com/docs/git-send-email#_example and I've added
> "smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error:
> "STARTTLS failed!  at /usr/local/libexec/git-core/git-send-email line
> 1371."
> I'm currently searching for a solution.

That's not exactly a helpful error message... :( - I tend to just turn
off SSL on stuff that goes to public mailing lists anyway if it causes
issues...

> BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
> LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying not to post any more
> buggy emails here.

I've created my share of weird git e-mails in the past :-) - so what I've
started to do is "send the mail to myself" (if possible, on a different
account) and then verify if the result is what I want to see...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Olivier W
Hello Gert,

2017-02-13 9:31 GMT+01:00 Gert Doering :
> Look at "git rebase --interactive", which will enable you to squash
> three commits into a single one.  Then you can use "git commit --amend"
> to work on the (combined) commit message until you're happy with it.

Thanks a lot. I've finally squashed my commits, pushed to github.

Now I'm fighting with git which doesn't want to use gmail's smtp
server to send the email. My .gitconfigure file is similar to:
https://git-scm.com/docs/git-send-email#_example and I've added
"smtpsslcertpath = /etc/ssl/cert.pem" but I'm getting this error:
"STARTTLS failed!  at /usr/local/libexec/git-core/git-send-email line
1371."
I'm currently searching for a solution.

BTW: sorry about the previous email: "[SPAM] [PATCH] Fix building with
LibreSSL 2.5.1 by cleaning a hack." :-/ I'm trying not to post any more
buggy emails here.

Best Regards.



[Openvpn-devel] [SPAM] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread olivierw . ml
From: Olivier W 

Signed-off-by: O2 Graphics 
---
 src/openvpn/ssl_openssl.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index a889332..abf69c9 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -508,6 +508,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 const EC_GROUP *ecgrp = NULL;
 EVP_PKEY *pkey = NULL;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+pkey = SSL_CTX_get0_privatekey(ctx->ctx);
+#else
+/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
 SSL *ssl = SSL_new(ctx->ctx);
 if (!ssl)
 {
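Review bot: the unchanged context here (`SSL *ssl = SSL_new(ctx->ctx);`, `if (!ssl)`) shows this diff was taken against a tree that already carries the SSL_new()/SSL_free() fallback rather than against a master that still has the stack `SSL ssl` hack, so it will not apply there; the new `#if` branch and the earlier fallback commit should be squashed into one patch against master, as the resent patch in this thread does.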
@@ -515,6 +519,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const 
char *curve_name
 }
 pkey = SSL_get_privatekey(ssl);
 SSL_free(ssl);
+#endif
 
 msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
 
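Review bot: the `#endif` added here closes a conditional whose `#if`/`#else` live in the previous hunk, several lines away; tagging it (`#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L && !LIBRESSL */`) would make the boundary visible when reading the fallback block on its own.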
-- 
2.11.1




Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-13 Thread Gert Doering
Hi,

On Mon, Feb 13, 2017 at 12:02:45AM +0100, Olivier W wrote:
> I'll be sending the patch with "git format-patch" + "git send-email"
> as I have three commits and I'm not sure how to send a single patch
> with only "git send-email"

Look at "git rebase --interactive", which will enable you to squash
three commits into a single one.  Then you can use "git commit --amend"
to work on the (combined) commit message until you're happy with it.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de

