[Openvpn-devel] [PATCH 2/2] Provide LZ4 sources in src/compat/ and use if no system lz4 library found.

2014-01-01 Thread Gert Doering
Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4) if autoconf cannot find lz4.h or -llz4 in the system. Signed-off-by: Gert Doering --- configure.ac| 5 +-

[Openvpn-devel] [PATCH 1/2] Implement LZ4 compression.

2014-01-01 Thread Gert Doering
Implement LZ4 compression, similar to the existing snappy / push-peer-info model: an LZ4-capable client will send IV_LZ4=1 to the server, and the algorithm is selected by pushing "compress lz4" back. LZ4 does not compress as well as LZO or Snappy, but needs far less CPU and is much faster, thus

[Openvpn-devel] [PATCH 4/6] Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.

2014-01-01 Thread Steffan Karger
This code would not really generate ephemeral keys every time it is called, but a single key that would be reused during process lifetime and returned each time the function was called; probably not what users would expect. TLS allows ephemeral keys to be used only when no other key exchange,

[Openvpn-devel] [PATCH 5/6] Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.

2014-01-01 Thread Steffan Karger
This diff looks like a lot has changed, but this just adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+. Signed-off-by: Steffan Karger --- src/openvpn/ssl.c | 5 +-

[Openvpn-devel] [PATCH 3/6] If --tls-cipher is supplied, make --show-tls parse the list.

2014-01-01 Thread Steffan Karger
This allows checking the available TLS ciphers for a specific configuration by supplying both the --tls-cipher and --show-tls options. Signed-off-by: Steffan Karger --- src/openvpn/init.c | 2 +- src/openvpn/ssl_backend.h | 4 +++- src/openvpn/ssl_openssl.c | 15

[Openvpn-devel] TLS fixes, remove support for ephemeral RSA, disable export ciphers

2014-01-01 Thread Steffan Karger
Hi, This patch set is meant to remove ephemeral RSA support from the master branch, and disable (weak) export ciphers by default. While coding I came across some other stuff I fixed along the way: 1/6: Update two old calls to TLSv1*() functions to SSLv23*() functions, matching the TLS

[Openvpn-devel] [PATCH 1/6] Also update TLSv1_method() calls in support code to SSLv23_method() calls.

2014-01-01 Thread Steffan Karger
Commit 4b67f98 changed calls to TLSv1_{server,client}_method() to SSLv23_{client,server}_method() to enable TLS version negotiation. This commit does the same for two calls of TLSv1_method() from support code. Signed-off-by: Steffan Karger --- src/openvpn/ssl_openssl.c | 4

[Openvpn-devel] [PATCH 2/6] Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98

2014-01-01 Thread Steffan Karger
Commit 4b67f98 changed calls to TLSv1_{client,server}_method() to SSLv23_{client,server}_method(); this commit updates the corresponding error messages to match the changes in the code. Signed-off-by: Steffan Karger --- src/openvpn/ssl_openssl.c | 4 ++-- 1 file changed, 2

[Openvpn-devel] [PATCH 6/6] Disable export ciphers by default for OpenSSL builds.

2014-01-01 Thread Steffan Karger
Export ciphers are deliberately weak ciphers, and not fully supported by OpenVPN since ephemeral RSA support was removed a few commits ago. This commit removes them from the default cipher list to avoid confusion. PolarSSL does not support export ciphers, so no action is required there.

Re: [Openvpn-devel] [PATCH] Use RSA_generate_key_ex() instead of deprecated RSA_generate_key()

2014-01-01 Thread Steffan Karger
Hi, On 30-12-13 21:50, Gert Doering wrote: > Could I ask you to provide a patch to remove this for 2.4? Sure. I fixed some extra stuff along the way, I'll send a patch set in a minute. -Steffan