[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Signed-off-by: Steffan Karger --- sample/sample-keys/README| 6 ++-- sample/sample-keys/ec-ca.crt | 13 + sample/sample-keys/ec-ca.key | 6 sample/sample-keys/ec-client.crt | 61

[Openvpn-devel] [PATCH 1/2] Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

2014-04-23 Thread Steffan Karger
This patch is based on Jan Just Keijser's patch from Feb 7, 2012. When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the heavy lifting. For OpenSSL builds, if a user specifies a curve using --ecdh-curve, it first tries to override automatic selection using that curve. For older

[Openvpn-devel] [PATCH v2] ECDH support (both OpenSSL and PolarSSL now)

2014-04-23 Thread Steffan Karger
Hi, As discussed earlier today, updated patches for ECDH support. See http://article.gmane.org/gmane.network.openvpn.devel/8308 for the previous version. These patches comprise two changes: 1) Because the PolarSSL 1.3 patches have been merged, I updated the code and docs to reflect that

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-23 Thread James Yonan
On 23/04/2014 04:17, Arne Schwabe wrote: Am 21.04.14 21:26, schrieb James Yonan: On 21/04/2014 05:27, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Steffan Karger
Hi, On 23-04-14 17:36, Timothe Litt wrote: > Just to confirm that the issue is 1.2, not the negotiation: > > I added an unconditional > sslopt |= SSL_OP_NO_TLSv1_2; > in tls_ctx_set_options. > > With this (and the context initialized to SSL_v23_*_method, so we > negotiate), the tunnel

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Gert Doering
Hi, On Wed, Apr 23, 2014 at 01:27:19PM -0400, Timothe Litt wrote: > >now - does that sound like it could be the problem? The initial handshake > >packet "under some conditions" (like: the local OpenSSL build having > >more available ciphers, depending on how it was built) being too big, >

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
Gert, while cycling home from $paidwork Cycling while thinking about TLS might be as bad as texting while driving... now - does that sound like it could be the problem? The initial handshake packet "under some conditions" (like: the local OpenSSL build having more available ciphers,

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Gert Doering
Hi, On Wed, Apr 23, 2014 at 11:36:28AM -0400, Timothe Litt wrote: > Just to confirm that the issue is 1.2, not the negotiation: > > I added an unconditional > sslopt |= SSL_OP_NO_TLSv1_2; > in tls_ctx_set_options. > > With this (and the context initialized to SSL_v23_*_method, so we >

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
On 23-Apr-14 06:56, Steffan Karger wrote: Hi, On 04/23/2014 10:10 AM, Gert Doering wrote: On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote: It does not appear to be the negotiation, rather it's TLS1.2. This is quite cool, thank you. (I'm not enough of a crypto geek to make real

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
This is quite cool, thank you. You're welcome. I don't like unsolved mysteries, and since I have a solid reproducer, thought I should do what I can. Some more. I looked into building on Windows, but the doc says one needs commercial tools; I'm not going to buy them for this. However, I

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Steffan Karger
Hi, On 04/23/2014 10:10 AM, Gert Doering wrote: > On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote: >> It does not appear to be the negotiation, rather it's TLS1.2. > > This is quite cool, thank you. (I'm not enough of a crypto geek to > make real sense out of it, but it's quite

Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Hi, On 04/23/2014 12:08 PM, Arne Schwabe wrote: > ACK. Thanks for reviewing. Yesterday evening I've been reworking these patches a bit however. I want to have three things resolved: 1) PolarSSL 1.3 is already in master, and supports elliptic curve crypto, so the --show-curves and --ecdh-curve

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-23 Thread Arne Schwabe
Am 21.04.14 21:26, schrieb James Yonan: > On 21/04/2014 05:27, Arne Schwabe wrote: >> On 21.04.2014 09:10, James Yonan wrote: >>> Define PIP_OPT_MASK to represent all flags of interest to >>> process_ip_header, so that it can have a fast exit path >>> if no flags are set. >> >> I haven't looked at

Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Arne Schwabe
Am 26.02.14 00:28, schrieb Steffan Karger: > Signed-off-by: Steffan Karger > --- > sample/sample-keys/README| 6 ++-- > sample/sample-keys/ec-ca.crt | 13 + > sample/sample-keys/ec-ca.key | 6 > sample/sample-keys/ec-client.crt | 61 >

Re: [Openvpn-devel] [PATCH 1/2] Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

2014-04-23 Thread Arne Schwabe
Am 26.02.14 00:27, schrieb Steffan Karger: > This patch is based on Jan Just Keijser's patch from Feb 7, 2012. > > When OpenSSL 1.0.2 or newer is used, lets OpenSSL do the heavy lifting. > > Otherwise, tries the following things (in order of preference): > * When supplied, use the ecdh curve

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Gert Doering
Hi, On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote: > It does not appear to be the negotiation, rather it's TLS1.2. This is quite cool, thank you. (I'm not enough of a crypto geek to make real sense out of it, but it's quite useful to understand where it is failing, and I

[Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
It does not appear to be the negotiation, rather it's TLS1.2. I debugged the client hello in OpenSSL - a bit tricky due to the timeouts, but I established that the server is picking TLS1.2. I then switched the tls_ctx_{client,server}_new to use TLSv1_2_{client,server}_method in the call to
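The "Progress on Version negotiation" thread above turns on two observations: the tunnel works when TLS 1.2 is disabled, and the initial handshake packet may be too big "under some conditions", such as the local OpenSSL build advertising more cipher suites. The script below is an added example, not code from OpenVPN, OpenSSL or any of the posters. It builds a minimal TLS ClientHello (record and handshake framing) for a chosen protocol version and cipher list, parses it back, and reports its size, so the reader can see where the bytes go: the cipher list itself, the signature_algorithms extension that only a TLS 1.2 client sends, and the supported_groups/ec_point_formats extensions that ECC suites require. The cipher-suite lists are constructed for the example; the script makes no claim about OpenVPN's actual packet-size limits.

```python
"""Measure how a TLS ClientHello grows with protocol version and cipher list.

Constructed example (not OpenVPN/OpenSSL code): builds the record and handshake
framing by hand with struct, so it runs offline and can be inspected byte by byte.
"""
import struct

# Constructed cipher-suite lists using IANA code points; only the counts and the
# RSA-vs-ECDHE split matter for the size comparison.
RSA_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0016]
ECDHE_SUITES = [0xC013, 0xC014, 0xC009, 0xC00A, 0xC02F, 0xC030, 0xC02B, 0xC02C]
# signature_algorithms (extension type 13) pairs: hash sha1/sha256/sha384/sha512
# combined with rsa/dsa/ecdsa. A TLS 1.2 client sends this; earlier versions cannot.
SIG_ALGS = [(h, s) for h in (2, 4, 5, 6) for s in (1, 2, 3)]


def build_client_hello(version, suites, include_sigalgs=None):
    """Return a TLS record (content type 0x16) carrying one ClientHello."""
    if include_sigalgs is None:
        include_sigalgs = version >= (3, 3)  # (3,3) is TLS 1.2
    body = struct.pack("!BB", *version)
    body += bytes(32)  # client random, zeroed for the example
    body += b"\x00"    # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # compression methods: null only
    exts = b""
    if include_sigalgs:
        algs = b"".join(struct.pack("!BB", h, s) for h, s in SIG_ALGS)
        data = struct.pack("!H", len(algs)) + algs
        exts += struct.pack("!HH", 13, len(data)) + data
    if any(s >= 0xC000 for s in suites):
        # ECC suites need supported_groups (10) and ec_point_formats (11)
        groups = b"".join(struct.pack("!H", g) for g in (23, 24, 25))  # P-256/384/521
        data = struct.pack("!H", len(groups)) + groups
        exts += struct.pack("!HH", 10, len(data)) + data
        exts += struct.pack("!HH", 11, 2) + b"\x01\x00"  # uncompressed points only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return struct.pack("!BBBH", 0x16, 3, 1, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a record from build_client_hello; return (version, suites, ext_types)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32
    pos += 1 + body[pos]  # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # skip compression methods
    ext_types = []
    if pos < len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return version, suites, ext_types


def client_hello_size(version, suites, **kw):
    """Size in bytes of the whole record for the given version and cipher list."""
    return len(build_client_hello(version, suites, **kw))


if __name__ == "__main__":
    for ver, name in (((3, 1), "TLS1.0"), ((3, 3), "TLS1.2")):
        for suites, label in ((RSA_SUITES, "6 RSA suites"),
                              (RSA_SUITES + ECDHE_SUITES, "14 RSA+ECDHE suites")):
            print(f"{name} ClientHello, {label}: {client_hello_size(ver, suites)} bytes")
```

Running it shows the TLS 1.2 hello is larger than the TLS 1.0 hello for the same cipher list purely because of signature_algorithms, and that every extra suite costs two bytes plus whatever extensions it drags in; a build with a long default cipher list therefore produces a visibly bigger first packet, which is the effect the thread suspects.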