Re: [Openvpn-devel] [PATCH 2/5] Add control channel encryption (--tls-crypt)

2016-11-14 Thread Arne Schwabe
Am 13.11.16 um 14:14 schrieb Steffan Karger: > Hi, > > Thanks for reviewing! Replies inline. > > On 13-11-16 17:41, Arne Schwabe wrote: >> >>> This boils down to the following on-the-wire packet format: >>> >>>-opcode- || -session_id- || -packet_id- || auth_tag || * payload * >> >> I am

Re: [Openvpn-devel] [PATCH] tun: Fix compiler warnings

2016-11-14 Thread David Sommerseth
On 12/11/16 16:07, Gert Doering wrote: > Hi, > > On Fri, Nov 11, 2016 at 02:16:41PM +0100, David Sommerseth wrote: >> @@ -917,6 +915,12 @@ do_ifconfig (struct tuntap *tt, >> management_android_control (management, "IFCONFIG", >> buf_bptr()); >> >>

[Openvpn-devel] [PATCH v2] tun: Fix compiler warnings

2016-11-14 Thread David Sommerseth
Fixes two compiler warnings identified by using CFLAGS=-O2 1) ifconfig_ipv6_remote is only used on Solaris, move the declaration and assignment of this variable into the TARGET_SOLARIS block. 2) Linux has its own open_tun() function and does not depend on open_tun_generic() at all. So

[Openvpn-devel] [PATCH] file checks: Merge warn_if_group_others_accessible() into check_file_access()

2016-11-14 Thread David Sommerseth
Commit 825e2ec1f358f2e8 cleaned up the usage of warn_if_group_others_accessible() and moved it into options.c. At this point there is only one caller of this function, check_file_access(). This takes that clean-up one step further and merges everything into check_file_access(). In addition it

Re: [Openvpn-devel] [PATCH applied] Deprecate key-method 1

2016-11-14 Thread David Sommerseth
ACK, but with a minor adjustment to the warning + Changes.rst file. The text now tries to encourage not setting --key-method at all, as that will default to --key-method 2. Your patch has been applied to the master branch commit

Re: [Openvpn-devel] [PATCH v2] Deprecate key-method 1

2016-11-14 Thread Steffan Karger
Hi, On 14 November 2016 at 22:35, David Sommerseth wrote: On 14/11/16 21:06, Steffan Karger wrote: >> Key method 2 has been the default since OpenVPN 2.0, and is both >> more functional and secure. Also, key method 1 was only ever >> supported for

Re: [Openvpn-devel] [PATCH applied] Move private file access checks to options_postprocess_filechecks()

2016-11-14 Thread David Sommerseth
ACK, but I added a slight modification at commit time. I removed any reference to --tls-crypt, to get this nice clean-up into the current tree. When --tls-crypt is added, it needs to be slightly adjusted to add the proper check in

Re: [Openvpn-devel] [PATCH v2] Deprecate key-method 1

2016-11-14 Thread David Sommerseth
On 14/11/16 22:35, David Sommerseth wrote: > On 14/11/16 21:06, Steffan Karger wrote: >> Key method 2 has been the default since OpenVPN 2.0, and is both >> more functional and secure. Also, key method 1 was only ever >> supported for peer-to-peer

Re: [Openvpn-devel] [PATCH v2] Deprecate key-method 1

2016-11-14 Thread David Sommerseth
On 14/11/16 21:06, Steffan Karger wrote: > Key method 2 has been the default since OpenVPN 2.0, and is both > more functional and secure. Also, key method 1 was only ever > supported for peer-to-peer connections (i.e. not for > client-server). > >

[Openvpn-devel] Summary of the today's (Monday, 14th Nov 2016) community meeting

2016-11-14 Thread Samuli Seppänen
Hi, Here's the summary of today's IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on irc.freenode.net Date: Monday 14th November 2016 Time: 20:00 CET (19:00 UTC) Planned meeting topics for this meeting were here: The

Re: [Openvpn-devel] [PATCH v2] Replace WIN32 by _WIN32

2016-11-14 Thread Steffan Karger
Hi, On 13-11-16 20:52, Gert Doering wrote: > With c99, "WIN32" is no longer automatically defined when (cross-)building > for Windows, and proper compilation relies on including , > before checking the macro. "_WIN32" is the official define that is > guaranteed to be defined by the compiler

[Openvpn-devel] [PATCH v2] Deprecate key-method 1

2016-11-14 Thread Steffan Karger
Key method 2 has been the default since OpenVPN 2.0, and is both more functional and secure. Also, key method 1 was only ever supported for peer-to-peer connections (i.e. not for client-server). Let's get rid of some legacy and phase out key method 1. v2: add Changes.rst entry, and update man

[Openvpn-devel] [PATCH] Deprecate key-method 1

2016-11-14 Thread Steffan Karger
Key method 2 has been the default since OpenVPN 2.0, and is both more functional and secure. Also, key method 1 was only ever supported for peer-to-peer connections (i.e. not for client-server). Let's get rid of some legacy and phase out key method 1. Signed-off-by: Steffan Karger

[Openvpn-devel] [PATCH applied] Re: Factor out %sc handling from argv_printf()

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. commit 253609124459f8df96e059bba9c164299a32318e Author: Heiko Hund Date: Fri Oct 28 18:42:40 2016 +0200 Factor out %sc handling from argv_printf() Signed-off-by: Heiko Hund Acked-by: David Sommerseth

[Openvpn-devel] [PATCH applied] Re: Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS}

2016-11-14 Thread Gert Doering
ACK. As discussed beforehand, forgot to apply. Your patch has been applied to the master branch. commit ac42df1a2e53e84c67397989df3f0650bed3ae7a Author: Steffan Karger Date: Mon Nov 14 20:43:23 2016 +0100 Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS} Signed-off-by:

[Openvpn-devel] [PATCH] Make argv unit tests obey {MBEDTLS, OPENSSL}_{LIBS, CFLAGS}

2016-11-14 Thread Steffan Karger
Fixes builds that use MBEDTLS_CFLAGS and friends to tell the build where the header files and libraries are. Also alphabetically orders some of the listed files in related Makefile.am files. Signed-off-by: Steffan Karger --- configure.ac | 4 ++--

[Openvpn-devel] [PATCH applied] Re: remove unused system_str from struct argv

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. commit d6ab1dc49e5c8018f58e7c3c9fe64f4289ccc77b Author: Heiko Hund Date: Fri Oct 28 18:42:39 2016 +0200 remove unused system_str from struct argv Signed-off-by: Heiko Hund Acked-by: David Sommerseth

[Openvpn-devel] [PATCH applied] Re: Remove unused and unnecessary argv interfaces

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. commit aed5ef40c47c58b3b7bc624113396a26e5e2cba5 Author: Heiko Hund Date: Fri Oct 28 18:42:38 2016 +0200 Remove unused and unnecessary argv interfaces Signed-off-by: Heiko Hund Acked-by: David Sommerseth

[Openvpn-devel] [PATCH applied] Re: put argv_* functions into own file, add unit tests

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. commit 698e268afb53014614f8e90ac8ff0667ce5e555d Author: Heiko Hund Date: Fri Oct 28 18:42:37 2016 +0200 put argv_* functions into own file, add unit tests Signed-off-by: Heiko Hund Acked-by: David

[Openvpn-devel] [PATCH applied] Re: Add missing includes in error.h

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. (I had to massage it a bit because "someone" added an include to the context below this patch, and git am failed - not very hard to do, just pointing this out) commit b7e51b137929e325e2ac3c14f751c3f642063cd5 Author: Steffan Karger Date: Tue

[Openvpn-devel] [PATCH applied] Re: Refactor static/tls-auth key loading

2016-11-14 Thread Gert Doering
Your patch has been applied to the master branch. commit 28c115e401636432b1da2365b8f144523d9d7c53 Author: Steffan Karger Date: Tue Nov 8 21:18:18 2016 +0100 Refactor static/tls-auth key loading Signed-off-by: Steffan Karger Acked-by: Arne Schwabe

Re: [Openvpn-devel] [PATCH 2/5] Add control channel encryption (--tls-crypt)

2016-11-14 Thread Gert Doering
Hi, On Sun, Nov 13, 2016 at 08:14:05PM +0100, Steffan Karger wrote: > I have an automated test for this in the OpenVPN-NL test suite, that now > verifies this works in UDP and TCP modes, and also checks that the > authentication fails if the wrong keys are used. And then there are of > course

Re: [Openvpn-devel] [PATCH] systemd: Improve the systemd unit files

2016-11-14 Thread Marvin
A user's perspective: We run OpenVPN on some 2500 systems in a (unmanned) client-server config (we're the ones hoping to someday see Gava's client-nat and ftp-nat patches included). Long ago we came up with a brute force workaround to the service restart issue -- a script that pings back to a

Re: [Openvpn-devel] [PATCH v2] systemd: Improve the systemd unit files

2016-11-14 Thread debbie10t
On 14/11/16 14:46, David Sommerseth wrote: > On 14/11/16 15:06, debbie10t wrote: >> >> >> On 14/11/16 11:02, David Sommerseth wrote: >>> On 12/11/16 14:48, debbie10t wrote: On 12/11/16 11:38, David Sommerseth wrote: >> >

Re: [Openvpn-devel] [PATCH v2] systemd: Improve the systemd unit files

2016-11-14 Thread David Sommerseth
On 14/11/16 15:06, debbie10t wrote: > > > On 14/11/16 11:02, David Sommerseth wrote: >> On 12/11/16 14:48, debbie10t wrote: >>> >>> >>> On 12/11/16 11:38, David Sommerseth wrote: > +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind

Re: [Openvpn-devel] [PATCH v2] systemd: Improve the systemd unit files

2016-11-14 Thread debbie10t
On 14/11/16 11:02, David Sommerseth wrote: > On 12/11/16 14:48, debbie10t wrote: >> >> >> On 12/11/16 11:38, David Sommerseth wrote: >>> +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf >>> +ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log >>>

[Openvpn-devel] [PATCH v3] systemd: Improve the systemd unit files

2016-11-14 Thread David Sommerseth
There are several changes which allow systemd to take care of several aspects of hardening the execution of OpenVPN. - Let systemd take care of the process tracking directly, instead of doing that via PID files - Make systemd prepare proper runtime directories for the OpenVPN process. -

Re: [Openvpn-devel] [PATCH v2] systemd: Improve the systemd unit files

2016-11-14 Thread David Sommerseth
On 12/11/16 14:48, debbie10t wrote: > > > On 12/11/16 11:38, David Sommerseth wrote: >> There are several changes which allow systemd to take care of several >> aspects of hardening the execution of OpenVPN. >> >> - Let systemd take care of the process tracking directly, instead >> of doing

Re: [Openvpn-devel] [PATCH] systemd: Improve the systemd unit files

2016-11-14 Thread David Sommerseth
On 12/11/16 16:00, Gert Doering wrote: > Hi, > > On Fri, Nov 11, 2016 at 01:35:57PM +0100, David Sommerseth wrote: >> We can of course investigate if we should enable systemd to restart >> OpenVPN, at least the server profile, if it dies unexpectedly. >> Currently, I am not fully convinced we