Re: [Openvpn-devel] [PATCH 1/4] Added "remote-override" config directive.

2014-04-21 Thread James Yonan
On 21/04/2014 05:33, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: remote-override -- replace the hostname in all remote directives with alt-remote. Just a question. How does remote-override differ from ip-remote-hint? Both options seem to have the same effect aside from very

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-21 Thread James Yonan
On 21/04/2014 05:27, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. I haven't looked at the code but if I remember correctly, this method does not

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread James Yonan
On 21/04/2014 05:49, Gert Doering wrote: Hi, On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote: Yes. But with this patch it is always turned off, keeping OpenVPN in 99% of installations in TLS 1.0. Is there any other known case where it breaks aside from the Tomato OpenVPN client?

[Openvpn-devel] [PATCH applied] Re: Minor t_client.sh cleanups

2014-04-21 Thread Gert Doering
Patch has been applied to the master and release/2.3 branches. commit 1e3a1786a80e4afac37133ce5d6a1dcff779a4ce (master) commit 413f052937179c60cadf571933a3eb4b3058a7dc (release/2.3) Author: Gert Doering List-Post: openvpn-devel@lists.sourceforge.net Date: Sun Apr 20 20:41:01 2014 +0200

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread Gert Doering
Hi, On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
> Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
> of installations in TLS 1.0. Is there any other known case where it
> breaks aside from the Tomato OpenVPN client?

[Openvpn-devel] [PATCH] Fix build system to accept non-system crypto library locations for plugins.

2014-04-21 Thread Steffan Karger
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by the plugins. However, all plugins include openvpn-plugin.h, which needs crypto/ssl headers. Signed-off-by: Steffan Karger --- src/plugins/auth-pam/Makefile.am | 5 +++--

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-21 Thread Arne Schwabe
On 21.04.2014 09:10, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. I haven't looked at the code but if I remember correctly, this method does not get passed the actual flags but the flags

[Openvpn-devel] [PATCH applied] Re: Use native strtoull() with MSVC 2013.

2014-04-21 Thread Gert Doering
ACK (you're the one who builds most with MSVC anyway, so you know). Your patch has been applied to the master and release/2.3 branches. commit 6b8e2f4a8143a7260a06b6999dcb21c4c72fc620 (master) commit 040b306f58fa0cc175c66ed67f390c0a289ddd4e (release/2.3) Author: James Yonan List-Post:

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread Arne Schwabe
On 21.04.2014 12:42, Gert Doering wrote: Hi, On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote: On 21-04-14 09:10, James Yonan wrote: For OpenSSL, this means to use TLSv1_(client|server)_method rather than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags for specific

Re: [Openvpn-devel] [PATCH] Minor t_client.sh cleanups

2014-04-21 Thread Arne Schwabe
On 20.04.2014 20:41, Gert Doering wrote: - remove built tests/t_client.sh script on "make clean" - ignore Linux iproute2 "ssthresh " output that sometimes shows up in "ip -6 route show" and breaks before/after comparison ACK. Arne

[Openvpn-devel] [PATCH applied] Re: Update openvpn-plugin.h for PolarSSL 1.3.

2014-04-21 Thread Gert Doering
ACK (as in "fixes the build for me". None of the default plugins will actually *use* this, and any plugin using x509 stuff would have to be adapted to the 1.3 API - yes, this is the way it is) Your patch has been applied to the master branch. commit cc1cee74c683ce92e56bb6a6170988fb6520b803

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread Gert Doering
Hi, On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote:
> On 21-04-14 09:10, James Yonan wrote:
> > For OpenSSL, this means to use TLSv1_(client|server)_method rather
> > than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
> > for specific TLS versions to disable.
> >

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread Steffan Karger
Hi, On 21-04-14 09:10, James Yonan wrote:
> For OpenSSL, this means to use TLSv1_(client|server)_method rather
> than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
> for specific TLS versions to disable.
I'm not sure I understand the rationale behind this. If I don't specify a

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-21 Thread Steffan Karger
Hi, On 21-04-14 11:04, Gert Doering wrote:
> When test-building, it seems that there is a patch missing to the plugin
> API bits...
Ah, right, I usually compile polar builds without the plugin api. Attached a patch that should fix this. It compiles and passes client_t tests, but I don't have

[Openvpn-devel] [PATCH applied] Re: Improve error reporting during key/cert loading with PolarSSL.

2014-04-21 Thread Gert Doering
Your patch has been applied to the master branch. commit 5e0112d9c60c488d3951491052d1aec8ef793023 Author: Steffan Karger List-Post: openvpn-devel@lists.sourceforge.net Date: Tue Feb 4 13:58:05 2014 +0100 Improve error reporting during key/cert loading with PolarSSL. Signed-off-by:

Re: [Openvpn-devel] [PATCH] Keying Material Exporter [RFC 5705]

2014-04-21 Thread Daniel Kubec
Updated patch. vpn_binding_key: - keying material derived by openvpn's crypto layer (ssl.c:tls1_*) - lifetime across negotiations (works a bit like EKM) tls_ekm: Exported Keying Material [RFC 5705] - derived when the crypto backend supports it (currently openssl >= 1.0.2) diff --git

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-21 Thread Gert Doering
Hi, On Sat, Apr 19, 2014 at 04:33:39PM +0200, Steffan Karger wrote:
> Ouch, James was totally right. This would always be true, but should
> always be *false* for reasonable input; the check has to be the other
> way around. Attached the same two patches, except for that single
> character...

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-21 Thread James Yonan
On 19/04/2014 08:33, Steffan Karger wrote: Hi, On 04/18/2014 02:49 PM, Steffan Karger wrote: On 04/17/2014 09:41 PM, James Yonan wrote: I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part. Wouldn't this always be true for reasonable values of hashlen and asn_len? This should

[Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread James Yonan
For OpenSSL, this means to use TLSv1_(client|server)_method rather than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags for specific TLS versions to disable. For PolarSSL, this means to avoid calling ssl_set_min_version and instead implicitly control the TLS version via allowed

[Openvpn-devel] [PATCH 3/4] Use native strtoull() with MSVC 2013.

2014-04-21 Thread James Yonan
MSVC 2013 C library now defines strtoull() function, so use the native implementation when available. Signed-off-by: James Yonan --- config-msvc.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config-msvc.h b/config-msvc.h index 99c00f9..9a95ae6 100644 ---

[Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-21 Thread James Yonan
Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. Merged from OpenVPN 2.1 Signed-off-by: James Yonan --- src/openvpn/forward.c | 6 +- src/openvpn/forward.h | 4 +++- 2 files changed, 4

[Openvpn-devel] [PATCH 1/4] Added "remote-override" config directive.

2014-04-21 Thread James Yonan
remote-override -- replace the hostname in all remote directives with alt-remote. Merged from OpenVPN 2.1 Signed-off-by: James Yonan --- src/openvpn/options.c | 7 ++- src/openvpn/options.h | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git