Re: [Openvpn-devel] [OpenVPN/openvpn-gui] better handling of interactive service failure (#168)

2017-05-31 Thread Selva Nair
Hi,

Copying openvpn-devel:
As this is related to openvpn best to have this discussion in the devel
list, I suppose.
(see also:
https://github.com/OpenVPN/openvpn-gui/issues/168#issuecomment-305250704)

On Wed, May 31, 2017 at 12:58 PM, Gert Doering wrote:

> On Wed, May 31, 2017 at 09:43:21AM -0700, Selva Nair wrote:
> > As I said, get openvpn to report route errors in the status and then we
> can
> > add a warning to the status popup, turn the icon red etc instead of the
> > current misleading "successfully connected" behaviour.
>
> This is actually a discussion I was trying to have a long time ago
> (a few years) - "why do we ignore route addition errors?".
>
> The IPv6 code doesn't (because I think that errors are errors, not
> warnings...) and that was always some sort of weird asymmetry...
>
> I still don't know the reasoning here, but I suspect it's something along
> "you push a route that is identical to the local subnet" (192.168.1.0/24,
> for example, because the user happens to be in a bad NAT network) and
> "all of a sudden it fails"... so this might need more discussion, and
> also some code cleanups to gracefully handle situations where an error
> is "tolerated".
>

That and some route addition errors like "route already exists" are often
benign. So a fatal error is not appropriate. But, IIRC,
openvpn_execve_check only allows printing of errors as FATAL or WARN.
Currently we do not parse the log message flags (error vs warning etc.) in
the Windows GUI, but that could be improved if openvpn can log route errors
like access denied as such.

In any case, the status reported to the management when connected with
errors should be something other than "CONNECTED,SUCCESS" -- say
"CONNECTED,ROUTE-FAILED" etc. so that the UI can intimate the user.

Selva
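The GUI-side handling sketched above, as an added example that is not code from the mail, from openvpn or from openvpn-gui: it classifies management-interface `>STATE:` and `>LOG:` lines so that a "connected with errors" status and error-flagged log lines can be shown as warnings. The `CONNECTED,ROUTE-FAILED` detail is the status proposed in the thread, not one openvpn emits, and the function names are mine.

```c
/* Added example, not openvpn or openvpn-gui code: classify the two kinds of
 * management-interface lines a GUI receives,
 *   >STATE:<time>,<state>,<detail>,...  and  >LOG:<time>,<flags>,<message>
 * "CONNECTED,ROUTE-FAILED" is only proposed; LOG flags I/W/N/F/D are documented. */
#include <string.h>

enum ui_status { UI_UNKNOWN, UI_IN_PROGRESS, UI_CONNECTED, UI_CONNECTED_DEGRADED };
enum log_level { LVL_DEBUG, LVL_INFO, LVL_WARN, LVL_ERROR, LVL_FATAL };

/* Copy comma-separated field n (0-based) of s into out; returns 0 if absent. */
static int field(const char *s, int n, char *out, size_t outlen)
{
    for (int i = 0; i < n; i++) {
        s = strchr(s, ',');
        if (!s) return 0;
        s++;
    }
    const char *end = strchr(s, ',');
    size_t len = end ? (size_t)(end - s) : strlen(s);
    if (len >= outlen) len = outlen - 1;
    memcpy(out, s, len);
    out[len] = '\0';
    return 1;
}

enum ui_status classify_state(const char *line)
{
    char state[32], detail[64] = "";
    if (strncmp(line, ">STATE:", 7) != 0) return UI_UNKNOWN;
    if (!field(line + 7, 1, state, sizeof state)) return UI_UNKNOWN;
    field(line + 7, 2, detail, sizeof detail);
    if (strcmp(state, "CONNECTED") != 0) return UI_IN_PROGRESS;
    /* Tunnel is up; any detail other than SUCCESS means "up, with errors". */
    return strcmp(detail, "SUCCESS") == 0 ? UI_CONNECTED : UI_CONNECTED_DEGRADED;
}

/* Map the LOG flag field to a severity so fatal/non-fatal errors (F/N) and
 * warnings (W) can be surfaced differently from informational lines. */
enum log_level classify_log(const char *line)
{
    char flags[8];
    if (strncmp(line, ">LOG:", 5) != 0 || !field(line + 5, 1, flags, sizeof flags))
        return LVL_INFO;
    if (strchr(flags, 'F')) return LVL_FATAL;
    if (strchr(flags, 'N')) return LVL_ERROR;
    if (strchr(flags, 'W')) return LVL_WARN;
    if (strchr(flags, 'D')) return LVL_DEBUG;
    return LVL_INFO;
}
```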
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread Simon Matter
> On 31/05/17 15:51, Simon Matter wrote:
>>> Hi,
>>>
>>> On Wed, May 31, 2017 at 11:14:33AM +0200, David Sommerseth wrote:
>>>> On 31/05/17 09:02, Gert Doering wrote:
>>>>> Hi,
>>>>>
>>>>> On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote:
>>>>>> If we really do care for supporting 0.9.8, in release/2.4 - I can
>>>> give
>>>>>> this an ACK.  Otherwise, I think it might be better to backport
>>>>>> 039a89c331e9b7998d804 + 79ea67f77ca3afe91222f.
>>>>>
>>>>> You are the one that objects most violently if we break users'
>>>> expectations
>>>>
>>>> Yes and no.  In regards to end users, I am very careful.  In regards
>>>> to
>>>> package maintainers, I am less wary as they won't distribute failing
>>>> builds to end users.  This change hits package building, not the end
>>>> user.
>>>
>>> Well, this is a somewhat simplistic world view, with "package builders"
>>> and "package installers".
>>>
>>> People are stuck on older enterprise distributions, for whatever
>>> reasons,
>>> but want a newer openvpn version - so they get the source bundle, and
>>> compile.  Which is a perfectly fine deployment model - and we should
>>> not
>>> break things in 2.4.3 that worked just fine in 2.4.2 for them (unless
>>> there is a strong reason, like "we have a vulnerability here that we
>>> cannot fix unless we abandon an older API").
>>
>> I strongly support your view, Gert. I really hope we do not see such
>> breakage in minor stable releases.
>
> Do you depend on building against OpenSSL 0.9.8?  If so, which
> OS/distribution do you use?

Yes, I have a case with very customized CentOS 5 systems where we also
backport security related patches. Of course the same could be done for
openvpn but it's easier to just follow the current 2.4 stream. That's why
my suggestion is to keep all the compat hacks in 2.4.x and kick them out
only in the main devel branch. I guess that's what most package maintainers
expect to happen and it keeps mailing lists quiet.

Regards,
Simon




Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread David Sommerseth
On 31/05/17 15:51, Simon Matter wrote:
>> Hi,
>>
>> On Wed, May 31, 2017 at 11:14:33AM +0200, David Sommerseth wrote:
>>> On 31/05/17 09:02, Gert Doering wrote:
>>>> Hi,
>>>>
>>>> On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote:
>>>>> If we really do care for supporting 0.9.8, in release/2.4 - I can
>>> give
>>>>> this an ACK.  Otherwise, I think it might be better to backport
>>>>> 039a89c331e9b7998d804 + 79ea67f77ca3afe91222f.
>>>>
>>>> You are the one that objects most violently if we break users'
>>> expectations
>>>
>>> Yes and no.  In regards to end users, I am very careful.  In regards to
>>> package maintainers, I am less wary as they won't distribute failing
>>> builds to end users.  This change hits package building, not the end
>>> user.
>>
>> Well, this is a somewhat simplistic world view, with "package builders"
>> and "package installers".
>>
>> People are stuck on older enterprise distributions, for whatever reasons,
>> but want a newer openvpn version - so they get the source bundle, and
>> compile.  Which is a perfectly fine deployment model - and we should not
>> break things in 2.4.3 that worked just fine in 2.4.2 for them (unless
>> there is a strong reason, like "we have a vulnerability here that we
>> cannot fix unless we abandon an older API").
> 
> I strongly support your view, Gert. I really hope we do not see such
> breakage in minor stable releases.

Do you depend on building against OpenSSL 0.9.8?  If so, which
OS/distribution do you use?


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread Simon Matter
> Hi,
>
> On Wed, May 31, 2017 at 11:14:33AM +0200, David Sommerseth wrote:
>> On 31/05/17 09:02, Gert Doering wrote:
>> > Hi,
>> >
>> > On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote:
>> >> If we really do care for supporting 0.9.8, in release/2.4 - I can
>> give
>> >> this an ACK.  Otherwise, I think it might be better to backport
>> >> 039a89c331e9b7998d804 + 79ea67f77ca3afe91222f.
>> >
>> > You are the one that objects most violently if we break users'
>> expectations
>>
>> Yes and no.  In regards to end users, I am very careful.  In regards to
>> package maintainers, I am less wary as they won't distribute failing
>> builds to end users.  This change hits package building, not the end
>> user.
>
> Well, this is a somewhat simplistic world view, with "package builders"
> and "package installers".
>
> People are stuck on older enterprise distributions, for whatever reasons,
> but want a newer openvpn version - so they get the source bundle, and
> compile.  Which is a perfectly fine deployment model - and we should not
> break things in 2.4.3 that worked just fine in 2.4.2 for them (unless
> there is a strong reason, like "we have a vulnerability here that we
> cannot fix unless we abandon an older API").

I strongly support your view, Gert. I really hope we do not see such
breakage in minor stable releases.

Regards,
Simon




Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread David Sommerseth
On 31/05/17 09:02, Gert Doering wrote:
> Hi,
> 
> On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote:
>> If we really do care for supporting 0.9.8, in release/2.4 - I can give
>> this an ACK.  Otherwise, I think it might be better to backport
>> 039a89c331e9b7998d804 + 79ea67f77ca3afe91222f.
> 
> You are the one that objects most violently if we break users' expectations

Yes and no.  In regards to end users, I am very careful.  In regards to
package maintainers, I am less wary as they won't distribute failing
builds to end users.  This change hits package building, not the end user.

And when we have had the policy (at least on the Linux side) that the
oldest supported library and build dependencies are what the oldest
officially supported RHEL release carries, then moving to OpenSSL 1.0.1
should not break anything.

When also considering that any release older than OpenSSL 1.0.2 is not
supported by OpenSSL upstream [1], and OpenSSL 1.0.1 is supported by at
least Red Hat in RHEL for the lifetime of RHEL ... then ditching 0.9.8
support makes even more sense.

[1] 

If there are other OS/distros actively supporting, fixing and
backporting security fixes to 0.9.8, then I have no issues keeping 0.9.8
support.  But unless there is someone with this requirement, cleaning
up all the various OpenSSL hacks for unsupported versions is fairly
sensible to me.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread Gert Doering
Hi,

On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote:
> If we really do care for supporting 0.9.8, in release/2.4 - I can give
> this an ACK.  Otherwise, I think it might be better to backport
> 039a89c331e9b7998d804 + 79ea67f77ca3afe91222f.

You are the one that objects most violently if we break users' expectations
- and I think "changing library *requirements* right in the middle of a
release train" is a good way to do that...  even if all *supported by the
maintainers* OS versions have recent-enough OpenSSL libraries, I expect people
to happily use 2.4.2 on "something", and if 2.4.3 stops compiling there,
this is not a good thing to do.

So I'd just fix the library order (= go with Steffan's patch) and not 
backport the larger changes.

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de

