Re: [Openvpn-devel] [PATCH] Support --inactive option for DCO

2023-03-16 Thread Heiko Hund
On Mittwoch, 15. März 2023 14:38:08 CET Lev Stipakov wrote:
> Change-Id: Ib417b965bc4a2c17b51935b43c9627b106716526
> Signed-off-by: Lev Stipakov 

Acked-by: Heiko Hund 




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] dns option: allow up to two addresses per family

2023-03-16 Thread Gert Doering
Hi,

On Tue, Feb 28, 2023 at 05:26:45AM +0100, Heiko Hund wrote:
> Signed-off-by: Heiko Hund 
> ---
>  doc/man-sections/client-options.rst |  7 +--
>  src/openvpn/dns.c   | 70 -
>  src/openvpn/dns.h   | 19 +---
>  src/openvpn/options.c   | 30 +++--
>  4 files changed, 72 insertions(+), 54 deletions(-)

For the sake of the archivers: this has been superseded by the new
patchset "dns option: allow up to eight addresses per server".

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] OpenVPN 2.6.1 released

2023-03-16 Thread Frank Lichtenheld
The OpenVPN community project team is proud to release OpenVPN 2.6.1.

This is mostly a bugfix release with some improvements. 

Feature changes:

* Dynamic TLS Crypt:
  When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt
  key that is used for renegotiation. This ensures that only the previously
  authenticated peer can trigger renegotiation and complete renegotiations.
* CryptoAPI (Windows): support issuer name as a selector.
  Certificate selection string can now specify a partial issuer name string as
  "--cryptoapicert ISSUER:" where  is matched as a substring of
  the issuer (CA) name in the certificate. 

Note: configure now enables DCO build by default on FreeBSD and Linux. On Linux
this brings in a new default dependency for libnl-genl (for Linux distributions
that are too old to have a suitable version of the library, use
"configure --disable-dco")

Windows MSI changes since 2.6.0:

* Update included ovpn-dco-win driver to 0.9.2 

More details can be found in the Changes document:



(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.



Kind regards,
-- 
  Frank Lichtenheld




Re: [Openvpn-devel] [PATCH applied] Re: Import some sample certificates into Windows store for testing

2023-03-16 Thread Gert Doering
Hi,

On Thu, Mar 16, 2023 at 07:59:42AM -0400, Selva Nair wrote:
> > I have tried testing this on a "real" Win10 VM, but I am missing some
> > intricacies with the cert store - I wanted to see if certs are properly
> > cleaned up, but I can't even see my own .p12 I have imported, so I am
> > doing something wrong...
> 
> This works for me:
> Run "certmgr" from a user command prompt. The UI that opens up will show
> the "Certificates - Current User" snapin. Under it select
> "Personal->Certificates", and a list of all imported certificates will open
> up. This will not include any Root certificates that may have been
> imported. Those go to "Trusted Root Certificates" listed below "Personal".

THAT was the clue I needed.  When you type "certificates" into the
search box, you are presented the same snap-in, but it will only do 
"Certificates / Local Computer" (after an UAC confirmation).

So, cmd -> certmgr -> "current user \ personal certificates \ certificates"
will show what I imported from .p12

(And it does *not* show any of the test certificates, so I assume that
cleanup() worked correctly.  I might try a test run that skips cleanup()
("core dumped"), just to see what happens, but as far as I understand
the code, the *next* run will run the cleanup, so this is not of major
importance)

thanks,

gert



Re: [Openvpn-devel] [PATCH applied] Re: Import some sample certificates into Windows store for testing

2023-03-16 Thread Selva Nair
>
>
> I have tried testing this on a "real" Win10 VM, but I am missing some
> intricacies with the cert store - I wanted to see if certs are properly
> cleaned up, but I can't even see my own .p12 I have imported, so I am
> doing something wrong...


This works for me:
Run "certmgr" from a user command prompt. The UI that opens up will show
the "Certificates - Current User" snapin. Under it select
"Personal->Certificates", and a list of all imported certificates will open
up. This will not include any Root certificates that may have been
imported. Those go to "Trusted Root Certificates" listed below "Personal".

I'm not entirely sure whether it's possible to select a wrong destination
during import, causing client certificates to go into root certificates.
During import I only select the store (user or machine) and let it decide
the appropriate location within the store.

Selva


[Openvpn-devel] [PATCH applied] Re: Add a test for signing with certificates in Windows store

2023-03-16 Thread Gert Doering
Acked-by: Gert Doering 

More tests are always welcome :-) - stared at the code (looks good),
tested on MinGW->W10 and GHA.

[==] Running 6 test(s).
[ RUN  ] test_parse_hexstring
[   OK ] test_parse_hexstring
[ RUN  ] import_certs
[   OK ] import_certs
[ RUN  ] test_find_cert_bythumb
[   OK ] test_find_cert_bythumb
[ RUN  ] test_find_cert_byname
[   OK ] test_find_cert_byname
[ RUN  ] test_find_cert_byissuer
[   OK ] test_find_cert_byissuer
[ RUN  ] test_cryptoapi_sign
[   OK ] test_cryptoapi_sign
[==] 6 test(s) run.
[  PASSED  ] 6 test(s).

Your patch has been applied to the master and release/2.6 branch.

commit 0267649a21a2af1b60fbddcb78b0ed642080d6fd (master)
commit f970ad99a1a1f30d091853b111e678dbdc3dede9 (release/2.6)
Author: Selva Nair
Date:   Tue Mar 14 21:35:16 2023 -0400

 Add a test for signing with certificates in Windows store

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <20230315013516.1256700-5-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26416.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Refactor SSL_CTX_use_CryptoAPI_certificate()

2023-03-16 Thread Gert Doering
Acked-by: Gert Doering 

Stared-at-code, looks all reasonable.

Tested on local MinGW->W10 build (of cryptoapi_testdriver.exe) and GHA
(to get all 32/64 bit and OpenSSL 1/3 combinations built), everything
passes.

Your patch has been applied to the master and release/2.6 branch.

commit 0ad5f4d6c44daedca00dc399a5f914ac5850caa0 (master)
commit 5c2154ca49a591afd8faa8e535a67b149ddbd354 (release/2.6)
Author: Selva Nair
Date:   Tue Mar 14 21:35:15 2023 -0400

 Refactor SSL_CTX_use_CryptoAPI_certificate()

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <20230315013516.1256700-4-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26414.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Add tests for finding certificates in Windows cert store

2023-03-16 Thread Gert Doering
Acked-by: Gert Doering 

Code looks reasonable and tests what we want tested.  Tested with
a local MinGW build -> copied to windows10, and with GHA.

[==] Running 5 test(s).
[ RUN  ] test_parse_hexstring
[   OK ] test_parse_hexstring
[ RUN  ] import_certs
[   OK ] import_certs
[ RUN  ] test_find_cert_bythumb
[   OK ] test_find_cert_bythumb
[ RUN  ] test_find_cert_byname
[   OK ] test_find_cert_byname
[ RUN  ] test_find_cert_byissuer
[   OK ] test_find_cert_byissuer
[==] 5 test(s) run.
[  PASSED  ] 5 test(s).

Your patch has been applied to the master and release/2.6 branch.

commit b538a334284716757c48026bf6ace95e33258943 (master)
commit a08d0c770d0c0cd2534a0a900bba358b1c44056f (release/2.6)
Author: Selva Nair
Date:   Tue Mar 14 21:35:14 2023 -0400

 Add tests for finding certificates in Windows cert store

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <20230315013516.1256700-3-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26415.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Import some sample certificates into Windows store for testing

2023-03-16 Thread Gert Doering
Acked-by: Gert Doering 

This is a welcome addition so we can have actual cryptoapi unit 
tests.  The code looks reasonable, and GHA says "it passes"...

Run ./unittests/cryptoapi_testdriver.exe
[==] Running 2 test(s).
[ RUN  ] test_parse_hexstring
[   OK ] test_parse_hexstring
[ RUN  ] import_certs
[  PASSED  ] 2 test(s).
[   OK ] import_certs
[==] 2 test(s) run.


I have tried testing this on a "real" Win10 VM, but I am missing some
intricacies with the cert store - I wanted to see if certs are properly
cleaned up, but I can't even see my own .p12 I have imported, so I am
doing something wrong... 

Your patch has been applied to the master and release/2.6 branch.

commit d6cf0239e835d98b66c71d701e70128db9ca7e9a (master)
commit e6011868c40aaf91d30d084b1b454f7709c855fd (release/2.6)
Author: Selva Nair
Date:   Tue Mar 14 21:35:13 2023 -0400

 Import some sample certificates into Windows store for testing

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <20230315013516.1256700-2-selva.n...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26417.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering


