Acked-by: Gert Doering
Code is close enough to the master version, and it nicely does what it
says ("openvpn --providers legacy --show-ciphers" vs. "--show-ciphers").
While this fixes the "cipher loopback test", it now breaks
tls_crypt_testdriver, as that one expects BF-CBC to be universally
Acked-by: Gert Doering
This repairs the first part of "make check" for ossl 3.0 builds (... by
skipping the failing engine test). The cipher loopback still fails.
Moved the Changes.rst hunk to the 2.5.7 section I introduced with 2/7 :-)
Your patch has been applied to the release/2.5 branch.
Acked-by: Gert Doering
Trivial. Usually we wouldn't do refactoring in 2.5, but we decided we
want (must have, *sigh*) better OpenSSL support because Linux distributions
have started shipping "openvpn 2.5.x with openssl 3.0.x", and that is
not a good experience without this patchset.
"make
Acked-by: Gert Doering
This makes client tests using old certs (SHA1) or ciphers (BF-CBC) succeed
again, provided "--providers legacy default" and "tls-cert-profile insecure"
are added - where appropriate.
"make check" still fails (with 3.0.x), as "openvpn --show-ciphers" still shows
everything,
Acked-by: Gert Doering
Same patch as in master. No code changes, just adding github tests.
Your patch has been applied to the release/2.5 branch.
commit 0fb03c8c2333805eff9eda3cc10b2c82e617bee5
Author: Arne Schwabe
Date: Thu May 12 14:14:25 2022 +0200
Add ubuntu 22.04 to Github
Acked-by: Gert Doering
Same patch as in master. No code changes, just adding github tests.
Your patch has been applied to the release/2.5 branch.
commit dea694099ff223feb63199bd0ca7afd74504711d
Author: Arne Schwabe
Date: Thu May 12 14:14:26 2022 +0200
Add macos OpenSSL 3.0 and ASAN
Hi,
On Thu, May 12, 2022 at 02:14:29PM +0200, Arne Schwabe wrote:
> The test_check_ncp_ciphers_list test assumed that BF-CBC is always
> available, which is no longer the case with OpenSSL 3.0. Rewrite the
> test to not rely on BF-CBC to be available.
This should be a cherry-pick from
On 13.05.2022 at 01:11, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server
On 13.05.2022 at 09:14, Arne Schwabe wrote:
On 13.05.2022 at 01:11, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning
On 13.05.22 at 12:15, Gert Doering wrote:
commit 043c67f363429 enhances format_extended_socket_error() by
recognizing IPv6 extended socket errors, but neglected to change
the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".
According to documentation, recvmsg() should not have
Hi,
On Fri, May 13, 2022 at 01:40:07PM +0200, Arne Schwabe wrote:
> So this flag doesn't really do what I expected it to promise (This
> client will accept --dns and use them)
So you want something that goes hand in hand with code to actually
"do something with it", like
+#if
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server
Patch has been applied to the master branch.
commit c96249696cf6d6217443bc93f8208571f289623e
Author: Gert Doering
Date: Fri May 13 12:15:26 2022 +0200
Pass proper sockaddr_* structure for IPv6 socket errors.
Signed-off-by: Gert Doering
Acked-by: Arne Schwabe
Message-Id:
commit 043c67f363429 enhances format_extended_socket_error() by
recognizing IPv6 extended socket errors, but neglected to change
the "sockaddr_in" buffer passed to recvmsg() to "sockaddr_storage".
According to documentation, recvmsg() should not have overrun
that structure (we pass the size of
On 13.05.22 at 13:22, David Sommerseth wrote:
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in
On Friday, 13 May 2022 09:17:49 CEST Arne Schwabe wrote:
> On 13.05.2022 at 09:14, Arne Schwabe wrote:
> > On 13.05.2022 at 01:11, Heiko Hund wrote:
> >> Have clients set a bit in IV_PROTO, so that servers can make an informed
> >> decision on whether to push --dns to the client. While unknown
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.
Acked-by: Gert Doering
Funny how "git cherry-pick" can sometimes do correct-looking-but-different
stuff... now the code matches what is in the master commit.
Plus, it passes "make check" with 3.0.x builds :-)
Your patch has been applied to the release/2.5 branch.
commit
On 11.05.22 at 14:10, Heiko Hund wrote:
Signed-off-by: Heiko Hund
---
doc/man-sections/tls-options.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index c06ee335..d51aff77 100644
---
On Friday, 13 May 2022 10:55:32 CEST Arne Schwabe wrote:
> On 11.05.22 at 14:10, Heiko Hund wrote:
> > + Valid syntax::
>
> I don't understand this to be honest. I don't have a good about rst but
> all other instances of Valid syntax use the form like what was before
> the patch, e.g.
>
>
The test_check_ncp_ciphers_list test assumed that BF-CBC is always
available, which is no longer the case with OpenSSL 3.0. Rewrite the
test to not rely on BF-CBC to be available.
This is a cherry-pick from c07f95f3
Patch V2: manually fix if condition. Somehow the git cherry-pick ended up
On 13/05/2022 13:40, Arne Schwabe wrote:
On 13.05.22 at 13:22, David Sommerseth wrote:
On 13/05/2022 11:37, Heiko Hund wrote:
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients
OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies.
Instead of belonging to the elliptic curve type or to a common Edwards
curve type, ED448 and ED25519 have each their own type.
Also, OpenSSL expects signatures using these curves to be done with the
EVP_DigestSign API instead