Before OpenSSL 1.1.1 there could be no mismatch between
compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need
runtime detection to detect the actual best TLS version supported.
Allowing this runtime detection also allows removing some of the
TLS 1.3/OpenSSL 1.1.1 #ifdefs
Without this
For TLS 1.0 to 1.2 and OpenSSL 1.1.0 calls us and requires a PKCS1
padded response. As TLS 1.3 mandates RSA-PSS padding support and also
requires a TLS 1.3 implementation to support RSA-PSS for older TLS
versions, OpenSSL will query us to sign an already RSA-PSS padded
string.
This patch adds an
On 23.09.19 at 16:34, Gert Doering wrote:
> Hi,
>
> On Mon, Sep 23, 2019 at 03:32:24PM +0200, Arne Schwabe wrote:
>> +if (!(tls_item_in_cipher_list("AES-128-GCM", options->ncp_ciphers)
>> + && tls_item_in_cipher_list("AES-256-GCM",
>> options->ncp_ciphers)))
>
> What about
Hi,
On 08-11-2019 18:37, Lev Stipakov wrote:
> From: Lev Stipakov
>
> This allows to specify which tun driver openvpn should use,
> tap-windows6 (default) or wintun.
>
> Note that wintun support will be added in follow-up patches.
>
> Signed-off-by: Lev Stipakov
> ---
>
> v3:
> - added
Hi,
> -----Original Message-----
> From: Lev Stipakov [mailto:lstipa...@gmail.com]
> Sent: Thursday, November 7, 2019 6:45 PM
> To: openvpn-devel@lists.sourceforge.net
> Cc: Lev Stipakov
> Subject: [Openvpn-devel] [PATCH v2 4/7] wintun: ring buffers based I/O
>
> diff --git
Hi all,
today, during the hackathon, we discussed whether it makes sense to
allow a user to compile out the VLAN tagging code.
The only reason we could come up with is "binary size". A non-negligible
difference between the openvpn binary with and without VLAN code might
be a meaningful reason
>
> +1. What functionality does this new mechanism add?
>
> Tunnelblick implements 2FA through the management interface using the
> existing static and dynamic challenge-response mechanism. For a
> dynamic challenge, for example, Tunnelblick gets a response from the user in
> a popup window or
Your patch has been applied to the master branch.
commit b8b3f1177e48678e3bbe955634fe412d5515fab0
Author: Lev Stipakov
Date: Sat Nov 9 18:40:11 2019 +0200
travis: bump MSVC to 2019
Signed-off-by: Lev Stipakov
Acked-by: Simon Rozman
Message-Id:
Hi,
> -----Original Message-----
> From: Lev Stipakov [mailto:lstipa...@gmail.com]
> Sent: Thursday, November 7, 2019 6:45 PM
> To: openvpn-devel@lists.sourceforge.net
> Cc: Lev Stipakov
> Subject: [Openvpn-devel] [PATCH v2 6/7] wintun: set adapter properties via
> interactive service
>
>
Your patch has been applied to the master branch.
commit 472f9809430ec7311a98df134b4a91928ade5a6f
Author: Lev Stipakov
Date: Thu Nov 7 19:45:23 2019 +0200
Visual Studio: upgrade project files to VS2019
Signed-off-by: Lev Stipakov
Acked-by: Simon Rozman
Message-Id:
Hi,
On Sat, Nov 09, 2019 at 03:49:51PM +0100, Gert Doering wrote:
> wintun: add --windows-driver config option
>
> Signed-off-by: Lev Stipakov
> Acked-by: Simon Rozman
Ooops. Misattributed the ACK, so this was really Steffan's ACK.
I am not amending & re-pushing the commit.
Hi,
Some first-round review comments. I still need to fully grasp the event
mechanism intricacies for a real in-depth review.
As a general remark: could you try to stick to the 80 char line length
limit?
On 07-11-2019 18:45, Lev Stipakov wrote:
> From: Lev Stipakov
>
> Implemented according
Hi,
On 09-11-2019 13:03, Arne Schwabe wrote:
> Before OpenSSL 1.1.1 there could be no mismatch between
> compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need
> runtime detection to detect the actual best TLS version supported.
>
> Allowing this runtime detection also allows removing
From: Lev Stipakov
Since we changed MSVC version in project files to 2019,
we have to do the same in travis script.
Signed-off-by: Lev Stipakov
---
.travis/build-check.sh | 2 +-
.travis/build-deps.sh | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git
Hi,
Acked-by: Simon Rozman
Best regards,
Simon
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
From: Lev Stipakov
Implemented according to Wintun documentation
and reference client code.
Wintun uses ring buffers to communicate between
kernel driver and user process. Client allocates
send and receive ring buffers, creates events
and passes it to kernel driver under LocalSystem
privileges.
Your patch has been applied to the master branch.
(It needed a bit of manual massaging as the context in options.c:851
changed due to the merge of the VLAN patches)
I'm not totally happy with introducing a new function (parse_windows_driver())
to effectively map two constant strings to a boolean
When a client announces its support to support text based
challenge/response via IV_SOO=cr_text, the client needs to also
be able to reply to that response.
This adds the "cr-response" management function to be able to
do this. The answer should be base64 encoded.
Signed-off-by: Arne Schwabe
---
When signalling the client that it should do Challenge response
without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server
needs to forward the response via the management console.
Signed-off-by: Arne Schwabe
---
doc/management-notes.txt | 26 +-
src/openvpn/forward.c
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 4455ebb8..cbb87e43 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2355,7 +2355,9 @@ push_peer_info(struct buffer *buf,
This implements sending AUTH_PENDING and INFO_PRE messages to clients
that indicate that the clients should continue authentication with
a second factor. This can currently be out of band (openurl) or a normal
challenge/response 2FA like TOTP (CR_TEXT).
Signed-off-by: Arne Schwabe
---
OpenVPN 3 implements these messages to send information during the
authentication to the UI, implement these messages also in OpenVPN 2.x
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 8
src/openvpn/push.c| 33 +
src/openvpn/push.h| 3
Hi,
> -----Original Message-----
> From: Lev Stipakov [mailto:lstipa...@gmail.com]
> Sent: Thursday, November 7, 2019 6:45 PM
> To: openvpn-devel@lists.sourceforge.net
> Cc: Lev Stipakov
> Subject: [Openvpn-devel] [PATCH v2 7/7] wintun: clear adapter settings on tun
> close
>
> }
> +
57623b4e introduced a print_sockaddr() call in socks.c to print an
openvpn_sockaddr object.
However, this is not correct because print_sockaddr() expects a sockaddr
object as argument instead of openvpn_sockaddr.
This error did not lead to any issue because the two objects are very
similar in
Acked-by: Simon Rozman
Best regards,
Simon
This patch adds documentation for all the VLAN related knobs.
Signed-off-by: Fabian Knittel
Signed-off-by: Antonio Quartulli
---
Changes from v1:
- slight rewording of some sentences, as suggested by Arne
Changes from v2:
- slight rewording of some sentences, as suggested by Gert
Acked-by: Gert Doering
Documentation is good :-) and it matches observed behaviour, so that's
even better. Can the wording be improved? Surely, always, but this
is a continuous process by letting "untainted" people read the docs
and come up with questions that we find obvious...
Your patch
Acked-by: Gert Doering
Stared at code, ran full t_client/t_server tests.
In my test I had a "vlan 200" which was the native/untagged VLAN on the
tap interface now (so ipv4/v6 config goes to "tap9") and a "vlan 207"
which was tagged (-> tap9.207), and clients in "pvid 200" could nicely
talk to
Your patch has been applied to the master branch.
Since this introduces a new library requirement, I gave it a test run
on my Ubuntu 16 / MinGW linux build system. "Builds fine". Have not run
the result.
I have not done anything resembling proper code review. Just basic
"this is only
On 09.11.19 at 17:37, Antonio Quartulli wrote:
> 57623b4e introduced a print_sockaddr() call in socks.c to print an
> openvpn_sockaddr object.
>
> However, this is not correct because print_sockaddr() expects a sockaddr
> object as argument instead of openvpn_sockaddr.
>
> This error did not
Hi,
Feature-ack, and overall looks good. But some nits to tackle.
On 24-10-2018 12:06, Arne Schwabe wrote:
> This commit introduces the allow-compression option that allows
> changing the new default to the previous default or to a stricter
> version.
>
> Warnings are not generated in the post
Hi,
This started exactly a year ago, so let's get over with it :)
By any chance is this an older version rebased to master? Saying this because
most of the comments below are also in my previous remarks and were agreed to
in your response...
See https://patchwork.openvpn.net/patch/587/#1157 and
On 07/11/19 05:46, d tbsky wrote:
>
>> It would be interesting too what error message there is in setupapi.dev.log:
>>
>
> I found a win7 vm with openvpn 2.4.6. try to upgrade to 2.4.8 and get
> the same result.
> setupapi.dev.log attached. there are some international characters but
> I
Acked-by: Gert Doering
Stared at the code. Ran a full set of t_client/t_server tests with
disabled VLAN tagging (no change, no brokenness).
With enabled VLAN tagging and using "untagged mode" it now correctly
sorts out packets tap <-> client and client1 <-> client2 according
to PVID - if PVIDs
Acked-by: Gert Doering
Thanks for fixing my oversight (amazing we both did not see the
warning in the first patch...). socks.c compiles without warning
now, and still prints the right address.
Your patch has been applied to the master and release/2.4 branch (bugfix).
commit
Since these are examples, people might use them as a basis for their own
configs. In the non-push/pull configs, we should specify a decent cipher.
Further, I don't think we should recommend anyone to still use a static key
configuration, so remove the static key config examples.
Signed-off-by: