Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Selva Nair
Hi, On Fri, Aug 14, 2020 at 3:06 PM Vladislav Grishenko wrote: > > Hi, > > Yes, killing a client with cn ending in * will also lead to killing all the > clients whose cn starts with that prefix. > Using another char would be non-intuitive (ex. +). > What about an optional "prefix" mode word for explicit

[Openvpn-devel] OpenVPN 2.5-beta1 released

2020-08-14 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5-beta1. Source code and Windows installers can be downloaded from Debian and Ubuntu packages are available in the official apt repositories:

Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Vladislav Grishenko
Hi, Yes, killing a client with cn ending in * will also lead to killing all the clients whose cn starts with that prefix. Using another char would be non-intuitive (ex. +). What about an optional "prefix" mode word for explicit mode (can also be enhanced one day with suffix/regexp/etc). kill cn

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-14 Thread tincanteksup
Hi, I tested this patch and it does make --data-ciphers and --data-ciphers-fallback behave in their intended "fashion". Unfortunately, the commit message is grammatically incorrect and also logically misleading. The intended fashion is for --data-ciphers to recognise that the correct

Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Selva Nair
Hi, On Fri, Aug 14, 2020 at 1:36 PM Arne Schwabe wrote: > > On 14.08.20 at 19:12 Vladislav Grishenko wrote: > > In case of some permanent part of the common name (ex. domain) and/or > > a long complex common name consisting of multiple x509 fields, it's > > handy to kill client instances via

Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Arne Schwabe
On 14.08.20 at 19:12 Vladislav Grishenko wrote: > In case of some permanent part of the common name (ex. domain) and/or > a long complex common name consisting of multiple x509 fields, it's > handy to kill client instances via the management interface with just the > prefix of the common name, not by exact match

[Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Vladislav Grishenko
In case of some permanent part of the common name (ex. domain) and/or a long complex common name consisting of multiple x509 fields, it's handy to kill client instances via the management interface with just the prefix of the common name, not by exact match only. The patch allows using an asterisk as a wildcard
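An added example, not OpenVPN's own code (OpenVPN is written in C; this models the rule in Go): a trailing asterisk turns the management argument into a prefix, a lone `*` stays a literal CN (the same effect as the `len > 1` guard quoted in the review of the earlier patch version further down this page), and an explicit mode word keeps the argument from being reinterpreted, which is what lets a CN that genuinely ends in `*` still be killed by exact match. The `Client` type, the `Connected` table and all function names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Client is a constructed stand-in for a connected instance; OpenVPN's own
// client-instance structures are not modelled here.
type Client struct{ CN string }

// Connected is a constructed sample table, including two awkward CNs: a lone
// "*" and a name that genuinely ends in "*".
var Connected = []Client{
	{CN: "alice.example.org"},
	{CN: "alicia.example.org"},
	{CN: "bob.example.org"},
	{CN: "*"},
	{CN: "star*"},
}

// Mode says how the management argument is compared against each CN.
type Mode int

const (
	Exact  Mode = iota // whole CN must match
	Prefix             // CN must start with the argument
)

// ParseKillArg applies the implicit convention from the patch description: a
// trailing '*' turns the argument into a prefix. A lone "*" is deliberately
// left as a literal CN, the same effect as the len > 1 guard quoted in the
// review of the earlier patch version; that is this example's choice.
func ParseKillArg(arg string) (string, Mode) {
	if len(arg) > 1 && strings.HasSuffix(arg, "*") {
		return strings.TrimSuffix(arg, "*"), Prefix
	}
	return arg, Exact
}

// SelectByCN returns the CNs that a kill with the given pattern and mode hits.
func SelectByCN(clients []Client, pattern string, mode Mode) []string {
	var hit []string
	for _, c := range clients {
		matched := c.CN == pattern
		if mode == Prefix {
			matched = strings.HasPrefix(c.CN, pattern)
		}
		if matched {
			hit = append(hit, c.CN)
		}
	}
	return hit
}

// KillImplicit models "kill <cn>" with the trailing-asterisk wildcard.
func KillImplicit(clients []Client, arg string) []string {
	pattern, mode := ParseKillArg(arg)
	return SelectByCN(clients, pattern, mode)
}

// KillExplicit models the suggested explicit mode word: "prefix" selects prefix
// matching, an empty mode word keeps exact matching, and the argument itself is
// never reinterpreted, so "star*" can be killed exactly. Any other mode word is
// rejected rather than guessed.
func KillExplicit(clients []Client, modeWord, arg string) ([]string, error) {
	switch modeWord {
	case "prefix":
		return SelectByCN(clients, arg, Prefix), nil
	case "":
		return SelectByCN(clients, arg, Exact), nil
	}
	return nil, fmt.Errorf("unknown match mode %q", modeWord)
}

func main() {
	fmt.Println("kill ali*        ->", KillImplicit(Connected, "ali*"))  // alice and alicia
	fmt.Println("kill star*       ->", KillImplicit(Connected, "star*")) // prefix "star", not the literal CN
	fmt.Println("kill *           ->", KillImplicit(Connected, "*"))     // literal "*" only
	exact, _ := KillExplicit(Connected, "", "star*")
	fmt.Println("kill star* exact ->", exact) // the literal CN, reachable only with an explicit mode
}
```

The footgun the thread circles around is visible in the `star*` case: with the implicit syntax there is no way to spell "the client whose CN is exactly `star*`", because the last character is always consumed as the wildcard marker; the explicit mode word removes that ambiguity and leaves room for further modes later.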

[Openvpn-devel] [PATCH v3 3/3] Implement generating data channel keys via EKM/RFC 5705

2020-08-14 Thread Arne Schwabe
OpenVPN currently uses its own (TLS 1.0 based) key derivation mechanism to generate the 256 bytes of key data in the key2 struct that are then used to generate encryption/hmac/iv vectors. While this mechanism is still secure, it is not state of the art. Instead of modernising our own approach,

[Openvpn-devel] [PATCH v3 1/3] Refactor key_state_export_keying_material functions

2020-08-14 Thread Arne Schwabe
This refactors the common code between mbed SSL and OpenSSL into export_user_keying_material and also prepares the backend functions to export more than one key. Also fix checking the return value of SSL_export_keying_material: only 1 is a success, -1 is also an error. Signed-off-by: Arne Schwabe
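An added example, not OpenVPN's or OpenSSL's code, showing in Go what the RFC 5705 exporter gives a VPN and serving both EKM posts above: both ends of a finished TLS handshake call the exporter with the same label and length and obtain identical key material (here 256 bytes, the amount the patch description mentions), while a different label yields unrelated bytes. The label `EXPORTER-demo-datakeys`, the in-memory pipe, the throwaway certificate and all function names are this example's assumptions; the label OpenVPN actually uses is not shown on the page. Go's `ExportKeyingMaterial` reports failure as an error, so the only-1-is-success pitfall of OpenSSL's `SSL_export_keying_material` does not arise here, but the same rule applies: anything other than a clean success must abort key setup.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// DemoLabel is a hypothetical exporter label chosen for this example; the label
// OpenVPN itself uses is not shown on the page and is not assumed here.
const DemoLabel = "EXPORTER-demo-datakeys"

// KeyBytes matches the 256 bytes of key data the patch description mentions.
const KeyBytes = 256

// Result holds exporter output taken from one TLS connection.
type Result struct {
	Client     []byte // DemoLabel, client side
	Server     []byte // DemoLabel, server side: must equal Client
	OtherLabel []byte // a different label, server side: must not equal Client
}

// selfSignedCert builds a throwaway P-256 certificate for the in-memory server.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ekm-demo"},
		DNSNames:     []string{"ekm-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake runs a TLS 1.3 handshake between a client and a server joined by
// net.Pipe and returns both connections plus a function closing the pipe ends.
func handshake() (cli, srv *tls.Conn, closeAll func(), err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cEnd, sEnd := net.Pipe()
	closeAll = func() { cEnd.Close(); sEnd.Close() }
	srv = tls.Server(sEnd, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake flight on the synchronous pipe
	})
	cli = tls.Client(cEnd, &tls.Config{
		RootCAs:    pool,
		ServerName: "ekm-demo",
		MinVersion: tls.VersionTLS13,
	})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	if herr := cli.Handshake(); herr != nil {
		closeAll()
		return nil, nil, nil, herr
	}
	if herr := <-errc; herr != nil {
		closeAll()
		return nil, nil, nil, herr
	}
	return cli, srv, closeAll, nil
}

// DeriveDataKeys performs the handshake and exports key material on both sides.
func DeriveDataKeys(length int) (*Result, error) {
	cli, srv, closeAll, err := handshake()
	if err != nil {
		return nil, err
	}
	defer closeAll()
	// ConnectionState returns a value; ExportKeyingMaterial needs an addressable one.
	cs, ss := cli.ConnectionState(), srv.ConnectionState()
	r := &Result{}
	if r.Client, err = cs.ExportKeyingMaterial(DemoLabel, nil, length); err != nil {
		return nil, err
	}
	if r.Server, err = ss.ExportKeyingMaterial(DemoLabel, nil, length); err != nil {
		return nil, err
	}
	if r.OtherLabel, err = ss.ExportKeyingMaterial(DemoLabel+"-other", nil, length); err != nil {
		return nil, err
	}
	return r, nil
}

// SidesAgree is the check a VPN needs before using exported material: both
// ends derived the same bytes, of the requested length, and a different label
// did not produce the same key.
func SidesAgree(r *Result, length int) bool {
	return len(r.Client) == length && bytes.Equal(r.Client, r.Server) &&
		!bytes.Equal(r.Client, r.OtherLabel)
}

func main() {
	r, err := DeriveDataKeys(KeyBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sides agree and labels separate: %v\n", SidesAgree(r, KeyBytes))
	fmt.Printf("first 16 key bytes: %s\n", hex.EncodeToString(r.Client[:16]))
}
```

The point of the exporter is that neither side transmits or parses key material: both derive it from the TLS master secret with a label, so the VPN inherits the TLS library's KDF instead of maintaining its own.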

Re: [Openvpn-devel] [PATCH 1/2] Support multiple x509 field list to be username

2020-08-14 Thread Arne Schwabe
On 28.07.20 at 00:13 Vladislav Grishenko wrote: > OpenVPN has the ability to choose a different x509 field in case "CN" > can't be used as the unique connected username since commit > 935c62be9c0c8a256112df818bfb8470586a23b6. > Unfortunately it's not enough in case the client has multiple and valid

[Openvpn-devel] [PATCH applied] Re: Fix stack overflow in OpenSolaris NEXTADDR()

2020-08-14 Thread Gert Doering
Patch has been applied to the master, 2.5 and 2.4 branch (bugfix). commit 7e65483d1227adfb855844467e4d30894ffc355d (master) commit 7b9dd9b091a3cad126642314ea945bafa4e91481 (release/2.5) commit 5f88c077de8da4a4c5369ae67f5815e4abc50edc (release/2.4) Author: Gert Doering Date: Thu Aug 13 12:13:01

Re: [Openvpn-devel] [PATCH 2/2] Allow killing of client instances by cn with wildcards

2020-08-14 Thread Arne Schwabe
> int count = 0; > > +/* Allow trailing wildcard */ > +int len = strlen(del_cn); > +len += (len > 1 && del_cn[len-1] == '*') ? -1 : 1; This is very compact and not very readable. A comment that says why you are adding +1 would be good. I first thought it was incorrect and
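Review bot: the `len > 1` guard in `len += (len > 1 && del_cn[len-1] == '*') ? -1 : 1;` means a bare `*` argument is not a wildcard at all but an exact match for a client whose CN is literally `*`; whether that is an intended safeguard against killing every connected client with one short command, or an oversight, should be stated in the `/* Allow trailing wildcard */` comment rather than left for the reader to infer. The `: 1` branch likewise needs a sentence on what the extra byte buys in the comparison that follows (presumably covering the terminating NUL so that the non-wildcard case stays an exact match); as written, the reader has to reverse-engineer it, which is the confusion the review reports.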

Re: [Openvpn-devel] [PATCH] Fix stack overflow in OpenSolaris NEXTADDR()

2020-08-14 Thread Arne Schwabe
On 13.08.20 at 12:13 Gert Doering wrote: > Commit 5fde831c5807 fixed NEXTADDR() for all *BSDs and MacOS. > > OpenSolaris has to use a slightly different macro due to lack of > sockaddr->sa_len - but it has the same problem, first rounding up, > then memmove()'ing. Switch order. > >

[Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-14 Thread Arne Schwabe
OpenVPN 2.5 clients do not correctly do a fallback to the server. This commit fixes that logic and also fixes --data-ciphers-fallback to be used in situations other than no OCC cipher. To reproduce the error use a client with only --data-ciphers set against a server without NCP.