Re: [Openvpn-devel] [PATCH] Textual fixes for Changes.rst

2016-12-26 Thread Steffan Karger
Hi, On 26 Dec 2016 9:36 p.m., "Selva Nair" wrote: Hi, Not a thorough proof read, but some comments: Support for providing IPv6 DNS servers > - A new DHCP sub-options ``DNS6`` is added alongside with the already > existing > - ``DNS`` sub-option. This is used

Re: [Openvpn-devel] [PATCH] Textual fixes for Changes.rst

2016-12-26 Thread Selva Nair
Hi, Not a thorough proof read, but some comments: Support for providing IPv6 DNS servers > - A new DHCP sub-options ``DNS6`` is added alongside with the already > existing > - ``DNS`` sub-option. This is used to provide DNS resolvers available > over > - IPv6. This will be pushed

[Openvpn-devel] [PATCH] Textual fixes for Changes.rst

2016-12-26 Thread Steffan Karger
We will likely refer many people to the Changes.rst file once we've released 2.4. This commit tries to polish the language a bit, and adds two real changes: * Remove duplicate mention of the changes --tls-cipher defaults * Move the 'redirect-gateway' behavioural change from 'features' to

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-26 Thread Christian Hesse
David Sommerseth on Mon, 2016/12/26 17:45: > On 26/12/16 17:12, Christian Hesse wrote: > > debbie10t on Sat, 2016/12/24 11:10: > >> On 16/12/16 22:00, Christian Hesse wrote: > >>> From: Christian Hesse > >>> > >>>

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-26 Thread David Sommerseth
On 26/12/16 17:12, Christian Hesse wrote: > debbie10t on Sat, 2016/12/24 11:10: >> On 16/12/16 22:00, Christian Hesse wrote: >>> From: Christian Hesse >>> >>> Different unit instances create and destroy the same RuntimeDirectory. >>> This leads to running

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

2016-12-26 Thread Christian Hesse
debbie10t on Sat, 2016/12/24 11:10: > On 16/12/16 22:00, Christian Hesse wrote: > > From: Christian Hesse > > > > Different unit instances create and destroy the same RuntimeDirectory. > > This leads to running instances where the status file (and possibly > >

Re: [Openvpn-devel] [PATCH applied] man: Remove references to no longer present IV_RGI6 peer-info

2016-12-26 Thread David Sommerseth
Your patch has been applied to the following branches commit 4ba943b02aa728aa077a0b3be79626b0f20ea8a7 (master) commit febeb485a2e9c5ca67705c95b088f70e3e5d5fdc (release/2.4) Author: David Sommerseth Date: Mon Dec 26 13:26:43 2016 +0100 man:

Re: [Openvpn-devel] [PATCH] man: Remove references to no longer present IV_RGI6 peer-info

2016-12-26 Thread Arne Schwabe
On 26.12.16 at 12:26, David Sommerseth wrote: > Commit 554504c5e2692c3e6cfd3f removed the IV_RGI6 peer-info signalling > but forgot to update the man page. Removing this reference as well. > > Signed-off-by: David Sommerseth > --- > doc/openvpn.8 | 4 > 1 file changed,

[Openvpn-devel] [PATCH] man: Remove references to no longer present IV_RGI6 peer-info

2016-12-26 Thread David Sommerseth
Commit 554504c5e2692c3e6cfd3f removed the IV_RGI6 peer-info signalling but forgot to update the man page. Removing this reference as well. Signed-off-by: David Sommerseth --- doc/openvpn.8 | 4 1 file changed, 4 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8

Re: [Openvpn-devel] [PATCH applied] Remove IV_RGI6=1 peer-info signalling.

2016-12-26 Thread David Sommerseth
I'm adding an ACK as well. I can confirm that the IV_RGI6 peer-info signalling has only been available in git master/v2.4. The first commit introducing IV_RGI6 is 3ddb56433b1fa0f2. This commit is only present in the following tags: $ git tag

Re: [Openvpn-devel] [PATCH applied] man: encourage user to read on about --tls-crypt

2016-12-26 Thread David Sommerseth
ACK. Looks good and I agree this is a good idea. Your patch has been applied to the following branches commit 403dfe1bfdbdf6e5f8abac3401a96852562aec54 (master) commit ebd24617f97c63fbe40a07e855ae3469f96474d7 (release/2.4) Author: Steffan Karger

Re: [Openvpn-devel] [PATCH applied] Document that RSA_SIGN can also request TLS 1.2 signatures

2016-12-26 Thread David Sommerseth
Your patch has been applied to the following branches commit 1e36b814073c0f56c77e4922cc105f00b8558e7e (master) commit 9b42853eea285ad54aed8b466e7f5a789a943933 (release/2.4) Author: Steffan Karger Date: Sun Dec 25 23:38:25 2016 +0100

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-26 Thread David Sommerseth
On 26/12/16 00:20, Steffan Karger wrote: > Hi, > > On 18-12-16 22:26, Gert Doering wrote: >> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote: >>> Our internal options digest uses MD5 hashes to store the state, instead of >>> storing the full options string. There's nothing wrong

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-26 Thread Arne Schwabe
On 26.12.16 at 08:05, Gert Doering wrote: > Hi, > > On Mon, Dec 26, 2016 at 12:20:53AM +0100, Steffan Karger wrote: >> The oldest OpenSSL we support in release/2.4 and master is 0.9.8, and >> has SHA256 support (was introduced in 2004). Also, the --tls-crypt >> feature already unconditionally

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-26 Thread Arne Schwabe
On 26.12.16 at 09:14, Steffan Karger wrote: > openssl dgst -sha256 works for me [9:37]{SIGINT}arne@styx:~% openssl version OpenSSL 0.9.8zh 14 Jan 2016 [9:37]arne@styx:~% openssl dgst -sha256 abcd^D fc4b5fd6816f75a7c81fc8eaa9499d6a299bd803397166e8c4cf9280b801d62c [9:37]arne@styx:~% But anyway.

Re: [Openvpn-devel] [PATCH] Document that RSA_SIGN can also request TLS 1.2 signatures

2016-12-26 Thread Arne Schwabe
On 25.12.16 at 22:38, Steffan Karger wrote: > Ever since we support TLS 1.2 (OpenVPN 2.3.3+), the RSA_SIGN might not > only request MD5-SHA1 'TLS signatures', but also other variants. > Document this by updating the implementation hints, and explicitly > stating that we expect a PKCS#1 1.5

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-26 Thread Steffan Karger
On 26 December 2016 at 04:18, Jonathan K. Bullard wrote: > The OpenSSL included in macOS (was OS X) 10.11 and 10.12 (the two > most recent versions) is 0.9.8zh (an Apple-patched version) and as far > as I can tell, it does not seem to include SHA256 (i.e., "openssl sha1 >

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-26 Thread Gert Doering
Hi, On Mon, Dec 26, 2016 at 12:20:53AM +0100, Steffan Karger wrote: > The oldest OpenSSL we support in release/2.4 and master is 0.9.8, and > has SHA256 support (was introduced in 2004). Also, the --tls-crypt > feature already unconditionally requires SHA256 to be available. Good enough for me.