Re: [Openvpn-devel] build against openssl 1.1.0

2017-02-23 Thread Илья Шипицин
2017-02-19 9:48 GMT+05:00 Илья Шипицин: > > > 2017-02-19 4:16 GMT+05:00 David Sommerseth: > >> On 18/02/17 08:34, Илья Шипицин wrote: >> > I added openssl-1.0.1e to test matrix (do not pay attention to >> > commit title, it

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread James Yonan
On 23/02/2017 01:22, Steffan Karger wrote: > Hi James, > > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new feature that allows rejection of certificates if the >> key size is too small or the signing hash is weak. >> >> The feature is controlled via struct mbedtls_x509_crt_profile.

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

2017-02-23 Thread Christian Hesse
Emmanuel Deloget on Thu, 2017/02/23 15:35: > This is v3 of the remaining patches for the "Add support for OpenSSL > 1.1.x" series. This series is partial: only the modified patches are > sent to the ML -- the others have not changed. The stats are a bit off > so I don't include

[Openvpn-devel] [PATCH] travis-ci: add "make distcheck" to test scenario

2017-02-23 Thread Ilya Shipitsin
in rare cases openvpn is built from tarball, it happens during "installer build" process. "make distcheck" helps to prevent problems during such builds. Signed-off-by: Ilya Shipitsin --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml

[Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

2017-02-23 Thread Emmanuel Deloget
This is v3 of the remaining patches for the "Add support for OpenSSL 1.1.x" series. This series is partial: only the modified patches are sent to the ML -- the others have not changed. The stats are a bit off so I don't include them in this mail. They have been generated after a rebase from the

[Openvpn-devel] [PATCH v3 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-02-23 Thread Emmanuel Deloget
OpenSSL 1.1 does not allow us to directly access the internal of any data type, including RSA_METHOD. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. Signed-off-by: Emmanuel

[Openvpn-devel] [PATCH applied] Re: OpenSSL: 1.1 fallout - fix configure on old autoconf

2017-02-23 Thread Gert Doering
ACK, thanks. Your patch has been applied to the master and release/2.4 branch. commit 07372a0fdeb3638204d197d0614f776a0eb73ab9 (master) commit b97a5cc044dc6db3f0e1f9f06a6f5da522f0a33a (release/2.4) Author: Steffan Karger Date: Thu Feb 23 11:35:38 2017 +0100 OpenSSL: 1.1 fallout - fix

Re: [Openvpn-devel] [RFC PATCH v1 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-02-23 Thread Emmanuel Deloget
Hi Steffan, On Wed, Feb 22, 2017 at 11:13 PM, Steffan Karger wrote: > Hi, > > On 17-02-17 23:00, log...@free.fr wrote: >> From: Emmanuel Deloget >> >> OpenSSL 1.1 does not allow us to directly access the internal of >> any data type, including RSA_METHOD. We

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Steffan Karger
On 23-02-17 10:31, Emmanuel Deloget wrote: >>> - configure.ac does something to CentOS 6 / RHEL 6 which makes configure >>>explode: >>> >>> ... >>> checking for linux/if_tun.h... yes >>> checking tap-windows.h usability... no >>> checking tap-windows.h presence... no >>> checking for

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Emmanuel Deloget
Hello, On Thu, Feb 23, 2017 at 10:23 AM, Gert Doering wrote: > Hi, > > On Thu, Feb 23, 2017 at 09:03:47AM +0100, Gert Doering wrote: >> This patch brings two problems outside the "OpenSSL functionality" >> part. >> >> - openssl_compat.h is not included in the built

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Gert Doering
Hi, On Thu, Feb 23, 2017 at 09:03:47AM +0100, Gert Doering wrote: > This patch brings two problems outside the "OpenSSL functionality" > part. > > - openssl_compat.h is not included in the built tarballs, so mingw builds >fail (and "builds for anyone building from tarballs" would break) ->

[Openvpn-devel] [PATCH applied] Re: Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-23 Thread Gert Doering
Thanks. Your patch has been applied to the master and release/2.4 branches. commit 2fe5547c1df854d41611633ea533649fe88e3031 (master) commit c9b4313eae6fc59f7d075edf23a7f59b137ba11f (release/2.4) Author: Simon Matter Date: Tue Feb 21 20:34:15 2017 +0100 Fix segfault when using crypto lib

[Openvpn-devel] [PATCH applied] Re: Add openssl_compat.h to openvpn_SOURCES

2017-02-23 Thread Gert Doering
Patch has been applied to the master and release/2.4 branch. commit 827c05732b0414dbf3cc05bf4ae6bfda042eadd3 (master) commit bbc671c2fdf6287605ef5057b1d44811bcd81785 (release/2.4) Author: Gert Doering Date: Thu Feb 23 09:49:54 2017 +0100 Add openssl_compat.h to openvpn_SOURCES

Re: [Openvpn-devel] [PATCH] Add openssl_compat.h to openvpn_SOURCES

2017-02-23 Thread Steffan Karger
On 23-02-17 09:49, Gert Doering wrote: > Commit b936ddfb63 introduced a new header file but forgot to include > it in the list of openvpn_SOURCES, so it did not get bundled in the > generated tarballs. > > Signed-off-by: Gert Doering > --- > src/openvpn/Makefile.am | 1 + >

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread Steffan Karger
Hi James, On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the > key size is too small or the signing hash is weak. > > The feature is controlled via struct mbedtls_x509_crt_profile. > > For example, you could specify that

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Gert Doering
Good morning, On Fri, Feb 17, 2017 at 11:00:40PM +0100, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including SSL_CTX. We have to use the defined functions > to do so. > > Compatibility