Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 16:10, Steffan Karger wrote: > Hi, > > On 24-02-17 22:28, James Yonan wrote: >> On 24/02/2017 02:40, Steffan Karger wrote: >>> On 23-02-17 22:41, James Yonan wrote: On 23/02/2017 01:22, Steffan Karger wrote: > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new

[Openvpn-devel] [PATCH] cleanup: Remove faulty env processing functions

2017-02-24 Thread David Sommerseth
The env_set_add_to_environmenti() and env_set_remove_from_environment() functions were not used in the code at all and they would cause an ASSERT() in setenv_str_ex() later on, as it would not allow the struct env_set *es pointer to be NULL (misc.c:807). Signed-off-by: David Sommerseth

[Openvpn-devel] [PATCH] Ignore auth-nocache for auth-user-pass if auth-token is pushed

2017-02-24 Thread Antonio Quartulli
When the auth-token option is pushed from the server to the client, the latter has to ignore the auth-nocache directive (if specified). The password will now be substituted by the unique token, therefore it can't be wiped out, otherwise the next renegotiation will fail. Trac: #840 Cc: David

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 22:28, James Yonan wrote: > On 24/02/2017 02:40, Steffan Karger wrote: >> On 23-02-17 22:41, James Yonan wrote: >>> On 23/02/2017 01:22, Steffan Karger wrote: On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

2017-02-24 Thread Christian Hesse
Christian Hesse on Fri, 2017/02/24 13:13: > Christian Hesse on Thu, 2017/02/23 21:57: > > Built v3 against openssl 1.0.2k without issues, tests succeed and two > > instances successfully established vpn connection (with server version > > 2.3.12 and 2.4.0). > >

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 02:40, Steffan Karger wrote: > On 23-02-17 22:41, James Yonan wrote: >> On 23/02/2017 01:22, Steffan Karger wrote: >>> On 22-02-17 19:48, James Yonan wrote: mbedTLS 2 has a new feature that allows rejection of certificates if the key size is too small or the signing hash

[Openvpn-devel] [PATCH applied] Re: Fix '--dev null'

2017-02-24 Thread Gert Doering
Patch has been applied to the master and release/2.4 branch. As ordered, '||' have been moved to pos_arith=lead, and the tab has been extabinated. commit 22c5381b71710ad0e1dbbccc1d5680fccb602311 (master) commit 2085c1f3875b9c96ac739941712247b805677efa (release/2.4) Author: Gert Doering Date:

Re: [Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 14:52, Gert Doering wrote: > To test whether a server is reachable and all the key handling is > right, openvpn can connect with "--dev null --ifconfig-noexec" to > avoid needing to the client with elevated privileges. > > This was erroring out for no good reason (because the

Re: [Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Gert Doering
Hi, On Fri, Feb 24, 2017 at 04:32:14PM +0200, Samuli Seppänen wrote: > On 24/02/2017 15:52, Gert Doering wrote: > > To test whether a server is reachable and all the key handling is > > right, openvpn can connect with "--dev null --ifconfig-noexec" to > > avoid needing to the client with elevated

Re: [Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Samuli Seppänen
Hi, On 24/02/2017 15:52, Gert Doering wrote: > To test whether a server is reachable and all the key handling is > right, openvpn can connect with "--dev null --ifconfig-noexec" to > avoid needing to the client with elevated privileges. There seems to be a typo here. Did you mean "to avoid

[Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Gert Doering
To test whether a server is reachable and all the key handling is right, openvpn can connect with "--dev null --ifconfig-noexec" to avoid needing to the client with elevated privileges. This was erroring out for no good reason (because the "set environment variables appropriately" code didn't

[Openvpn-devel] [PATCH applied] Re: fix typo in notification message

2017-02-24 Thread Gert Doering
ACK. See, I'm totally pro-systemd (today)!! Your patch has been applied to the master and release/2.4 branch. commit b13bc6c9570e00d12e26bb3b8e5bf9bdb0b16eff (master) commit 4c241acc67c1d6b42dbe1f6199c75d9f7f228ac2 (release/2.4) Author: Christian Hesse Date: Fri Feb 24 13:22:52 2017 +0100

[Openvpn-devel] [PATCH 1/1] fix typo in notification message

2017-02-24 Thread Christian Hesse
From: Christian Hesse Signed-off-by: Christian Hesse --- src/openvpn/init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ff1551e..7da0061 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

2017-02-24 Thread Christian Hesse
Christian Hesse on Thu, 2017/02/23 21:57: > Built v3 against openssl 1.0.2k without issues, tests succeed and two > instances successfully established vpn connection (with server version > 2.3.12 and 2.4.0). Just tested a server instance with ancient client (version 2.1.4). Works

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
On 23-02-17 22:41, James Yonan wrote: > On 23/02/2017 01:22, Steffan Karger wrote: >> On 22-02-17 19:48, James Yonan wrote: >>> mbedTLS 2 has a new feature that allows rejection of certificates if the >>> key size is too small or the signing hash is weak. >>> >>> The feature is controlled via