Re: [Openvpn-devel] Summary of the community meeting (26th March 2020)

2020-03-26 Thread Selva Nair
ation plus related discussion is here: > > <https://patchwork.openvpn.net/patch/1040/> > > Further discussion of the issue is available here: > > <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12835.html> > Selva _

Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass

2020-03-16 Thread Selva Nair
file given in auth-user-pass and prompt both username and password from management. I think it's only logical for a later option (in this case the one set by the GUI) to override a previous one. Anyway we do already ignore it if the file is "stdin". Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] interactive.c: remove unused function

2020-02-29 Thread Selva Nair
Hi, On Sat, Feb 29, 2020 at 7:36 AM Lev Stipakov wrote: > > From: Lev Stipakov > > Function ReturnOpenvpnOutput was used to read > openvpn process output and write it to openvpn-gui. > > Commit 852f1e4 has directed stdout/stderr streams of openvpn > process to NUL, after which

[Openvpn-devel] [PATCH v2] Persist management-query-remote and proxy prompts

2020-02-20 Thread selva . nair
From: Selva Nair Currently this prompt is only output once, not re-written to the management interface when the management client connects. It is thus not seen by a client that connects after the prompt is output or one that disconnects and reconnects. This leads to a deadlock: the daemon

Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi On Thu, Feb 20, 2020 at 1:20 PM David Sommerseth wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Your patch has been applied to the master branch > > commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72 > Author: Selva Nair > Date: Wed Feb 19 2

Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
w it but -O2 or higher does. Some older versions of gcc seem to show it only with -O3 or higher! But the potential for attempting to close wrong handles looks real. Thanks, Selva

[Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe interactive.c: In function ‘RunOpenvpn’: interactive.c:160:27: warning: ‘svc_pipe’ may be used uninitialized in this function [-Wmaybe-uninitialized] When RunOpenvpn exits early due to errors, uninitialized svc_pipe and ovpn_pipe vars

[Openvpn-devel] [PATCH] Fix possibly uninitialized return value in GetOpenvpnSettings()

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe common.c:90:11: warning: ‘error’ may be used uninitialized in this function [-Wmaybe-uninitialized]; Uninitialized value gets returned if install-path is not found in the registry. Fix by setting it to the return value of GetRegString

[Openvpn-devel] [PATCH 2.4 v3] Swap the order of checks for validating interactive service user

2020-02-18 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Selva Nair
_CTX_get0_pkey(ctx); > if (pkey) Yeah, technically it may be "undefined behaviour" to pass an uninitialized var to a function even when it's not used there. Acked-by: Selva Nair Selva

[Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

2020-02-12 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v4: matched to

[Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store

2020-02-12 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

Re: [Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-11 Thread Selva Nair
lob; > > > Why did you move "hash" and "blob" to the outer scope? I think those > variables should stay where they have been, since they're not used outside of > "if". The actual certificate search is now done outside (in the while loop) and i

[Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-10 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

[Openvpn-devel] [PATCH 2/2 v3] Allow unicode search string in --cryptoapicert option

2020-02-10 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v3: nud

[Openvpn-devel] [PATCH v3] Swap the order of checks for validating interactive service user

2020-02-09 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH 1/2] Skip DNS address validation

2020-02-05 Thread Selva Nair
We explicitly added validate=no for IPv6 in commit 786e06ade9f5dfad8ac360499187fa8e536d15cb for the same reason as in this patch. The ipv4 DNS code belongs to an era when this option was not available. ACK from me too. Selva > > Acked-by: Lev Stipakov

[Openvpn-devel] Fwd: [PATCH 2/2] Fix linking issues on MinGW

2020-02-05 Thread Selva Nair
-- Forwarded message - From: Selva Nair Date: Wed, Feb 5, 2020 at 10:16 AM Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix linking issues on MinGW To: Domagoj Pensa Cc: Gert Doering Hi, On Wed, Feb 5, 2020 at 8:31 AM Domagoj Pensa wrote: > > Hi! > > On Wed, Feb 05

Re: [Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-02-03 Thread Selva Nair
useful to return this message in case some other client decides to use the service. I'll move it out of ValidateOptions and add code to return it only when appropriate. Selva

[Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-01-31 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-31 Thread Selva Nair
me whitelisted options or a config installed by an admin in the global config directory. They are not allowed to run arbitrary configs that they can edit. Unless an admin explicitly gives them permission to do so --- checked by membership in "OpenVPNAdministrators" group. Users who have admin

[Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-30 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH v3 7/7] wintun: clear adapter settings on tun close

2019-12-17 Thread Selva Nair
ss_service(false, AF_INET, tt); > -do_dns_service(false, AF_INET, tt); > +if (tt->options.msg_channel) > +{ > +do_route_ipv4_service_tun(false, tt); > +do_address_service(false, AF_INET, tt); > +do_dns_service(false, AF_INET, tt); > +} > +else > +{ > +netsh_delete_address_dns(tt, false, ); > +} > } > -else > -if (tt->ipapi_context_defined) > +else if (tt->ipapi_context_defined) > { > DWORD status; > if ((status = DeleteIPAddress(tt->ipapi_context)) != NO_ERROR) Acked by: selva.n...@gmail.com Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
sign > choices we should pursue in the future. I believe patches are mature enough > to ack them. They should be merged into master to provide wider testing and > easier development progress. I agree. And, if we won't release official binaries with the system hack, the patch look

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
Hi Simon, A quick reply: > > IMO, the right approach on Windows is to run a bare minimal code as a > > service to get SYSTEM rights and the rest with limited privileges. > > Selva, those are two different use-cases. And none is "right" or "wrong". > Ope

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
. This should also allow to run the automatic service as LocalService or a special service user as many services do. Selva > > -- > -Lev

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
rompt as system (e.g., psexec). That also makes >> it explicit that SYSTEM privilege is required. >> >> In the longer run, we could provide a script to launch >> openvpn.exe using the interactive service. Modifying the >> automatic service to use interactive servic

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
> +} > +CloseHandle(duplicated_token); > + > +return true; > +} > + > +bool > +register_ring_buffers(HANDLE device, > + struct tun_ring* send_ring, > + struct tun_ring* receive_ring, > + HANDLE send_tail_moved, > +

Re: [Openvpn-devel] [PATCH] fix clang warning about missing braces

2019-11-28 Thread Selva Nair
build. I have tried and failed to lobby for this earlier, but one more try can't hurt, I suppose :) That said, it seems clang has fixed this some time after clang-7. I don't get this warning anymore after upgrading to clang-9. Selva

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-25 Thread Selva Nair
a single config, but, for that to work well, we need to improve --management-remote option to provide a friendly UI for remote selection. Selva

Re: [Openvpn-devel] [PATCH v7 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-22 Thread Selva Nair
Hi, Thanks for the updates. In spite of several nits below, I'm ACKing this. All remarks are typos or grammar, important only for docs and some comments. I suggest handling these as a minor follow-up patch. I'm also ignoring most typos in the commit message except a few that could be corrected

Re: [Openvpn-devel] [PATCH v7 1/2] Make tls_version_max return the actual maximum version

2019-11-22 Thread Selva Nair
Hi, On Fri, Nov 22, 2019 at 9:34 AM Arne Schwabe wrote: > Before OpenSSL 1.1.1 there could be no mismatch between > compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need > runtime detection to detect the actual best TLS version supported. > > Allowing this runtime detection also

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 9:09 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 14/11/2019 22:58, Selva Nair wrote: > > Hi David > > > > Thanks for the comments > > > > My idea was just to add -Werror ri

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-19 Thread Selva Nair
nice to use the same API/method in iservice and the core. Can we figure out why IP helper API is not working for setting IP? Unfortunately there is no API for setting DNS (not that I know of) so there the use of netsh is unavoidable. Anyway, wintun + dhcp-option in client config is bro

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-19 Thread Selva Nair
ances > with wintun), just tested that wg and openvpn could co-exist without > problems on the same machine. > Hmm.. if multiple openvpn instances are not tested this is not ready for review yet, is it? Again, a quick test shows that, with multiple openvpn instances, it does o

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-18 Thread Selva Nair
"); > + msg(M_FATAL, "All %s adapters on this system are > currently in use.", tt->wintun ? "wintun" : "TAP - Windows"); > If I'm not mistaken wintun device can be opened multiple times, so we'll never get the "All wintun adapters on this system" error. Instead, open will succeed here and something else may fail later. FILE_SHARE_READ = 0 will not save us when the driver does not enforce it. Selva

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-18 Thread Selva Nair
uch options are specified. I think we should set this to adaptive here, and then handle it in tun.c Although there is no dhcp when wintun is used, we'll still support dhcp-options such as DNS etc using netsh or service, right? Selva

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
uild with dist: bionic. For results see https://travis-ci.org/selvanair/openvpn/jobs/612099524 Selva

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
any other error is encountered during the build. As other errors are anyway a show-stopper, I think we can live with that. Selva [*] I think their reasoning is that -Wno-xx-yy can be thus used to suppress warnings added to newer versions without breaking builds with older ones. But

[Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread selva . nair
From: Selva Nair Some compilers (e.g., clang) only issue a warning for unsupported options unless additional flags such as -Werror are used to convert the warning to an error. Add support for extra flags in ACL_CHECK_ADD_COMPILE_FLAGS. Note: a similar approach is used in AX_CHECK_COMPILE_FLAG

Re: [Openvpn-devel] [PATCH 3/3] travis: compile with -Werror on Linux

2019-11-10 Thread Selva Nair
Forgot to hit send on this, and probably this is only partially relevant now, but here goes. Hi On Sun, Nov 10, 2019 at 12:03 PM Gert Doering wrote: > Hi, > > On Sun, Nov 10, 2019 at 11:48:16AM -0500, Selva Nair wrote: > > But it seems it may also affect mingw builds on travis.

Re: [Openvpn-devel] [PATCH 3/3] travis: compile with -Werror on Linux

2019-11-10 Thread Selva Nair
easily. Often the only option is to hide the warning (e.g., by adding a cast) which imo is not always a good strategy. -Werror just forces one's hand to use tricks that hide warnings. Selva

Re: [Openvpn-devel] [PATCH v6 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-09 Thread Selva Nair
(management, in_b64); > +out_b64 = management_query_pk_sig(management, in_b64, > + get_sig_padding_name(padding)); > } > if (out_b64) > { > @@ -1156,18 +1180,19 @@ get_sig_from_man(const unsigned char *dgst, > unsigned int dgstlen, > > /* sign arbitrary data */ > static int > -rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA > *rsa, int padding) > +rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA > *rsa, > + int padding) > { > unsigned int len = RSA_size(rsa); > int ret = -1; > > -if (padding != RSA_PKCS1_PADDING) > +if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING) > { > RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, > RSA_R_UNKNOWN_PADDING_TYPE); > return -1; > } > > -ret = get_sig_from_man(from, flen, to, len); > +ret = get_sig_from_man(from, flen, to, len, padding); > > return (ret == len) ? ret : -1; > } > @@ -1263,7 +1288,13 @@ ecdsa_sign(int type, const unsigned char *dgst, int > dgstlen, unsigned char *sig, > unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, > EC_KEY *ec) > { > int capacity = ECDSA_size(ec); > -int len = get_sig_from_man(dgst, dgstlen, sig, capacity); > +/* > + * ECDSA does not seem to have proper constants for paddings since > + * there are only signatures without padding at the moment, reuse > + * RSA_NO_PADDING for now as it will trigger querying for "NOPADDING" > in the > + * management interface > + */ > +int len = get_sig_from_man(dgst, dgstlen, sig, capacity, > RSA_NO_PADDING); > > if (len > 0) > { > -- > Thanks, Selva
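Review bot: with `RSA_NO_PADDING` now accepted in `rsa_priv_enc`, the hunk forwards `from`/`flen` to `get_sig_from_man` without checking that `flen` equals `RSA_size(rsa)`; an unpadded RSA signing input must be exactly one modulus-sized block, and the only length check visible is on the returned signature (`ret == len`). Suggest rejecting a wrong-sized input before querying the management interface, e.g. `if (padding == RSA_NO_PADDING && flen != (int) len) { return -1; }`, so a malformed block is refused locally rather than handed to the external signer. The in-hunk comment already flags the reuse of `RSA_NO_PADDING` for the `ecdsa_sign` call as a stopgap; a dedicated constant or enum for the padding query would make that intent explicit at both call sites.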

Re: [Openvpn-devel] [PATCH applied] Re: VLAN: add basic VLAN tagging support

2019-11-07 Thread Selva Nair
e Makefile.ac" and done >> (including mingw builds), and then MSVC is broken again, and this will >> happen again and again. > > >> Is there no reasonable way to build these project files from Makefile.ac? >> > > I see no reasonable way. Selva, Simon - opinions? > Per

Re: [Openvpn-devel] [PATCH] [PATCH v2] Insert client connection data into PAM environment

2019-10-25 Thread Selva Nair
+115,7 @@ struct user_pass { > char password[128]; > char common_name[128]; > char response[128]; > +char remote[40]; Textual ipv6 address buffer is usually defined to be at least 46 bytes including NUL (not 40) to handle all cases. (cf. INET6_ADDRSTRLEN = 46 in ) S

Re: [Openvpn-devel] [PATCH] msvc: OpenSSL 1.1.0 support

2019-10-17 Thread Selva Nair
g Windows release with 1.1.1 unless we can get https://patchwork.openvpn.net/patch/587/ finalized by then. Selva

Re: [Openvpn-devel] Summary of the community meeting (2nd October 2019)

2019-10-14 Thread Selva Nair
of "wifi switches off when tun comes up" issue: https://github.com/OpenVPN/openvpn-gui/issues/316 Selva

Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-10-01 Thread Selva Nair
d you please take care of that, so to make the review easier for who > is not deep into those lines of code you have changed? > Aha, I missed the previous thread. Looks like this one is the same patch as the previous one. Paolo: please improve on t

Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-10-01 Thread Selva Nair
ad error on > command channel: code=%d, exiting\n", > command); > @@ -853,6 +865,7 @@ pam_server(int fd, const char *service, int verb, > const struct name_value_list * > up.usern

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-23 Thread Selva Nair
Forgot copy this to the list -- sending again On Mon, Sep 23, 2019 at 6:19 AM Arne Schwabe wrote: > > Am 20.09.19 um 22:55 schrieb Selva Nair: > > Hi, > > > > Reviving this thread/patch as now users are running into this padding > > issue (trac 1216 <https://com

Re: [Openvpn-devel] [PATCH v2 for 2.4] Handle PSS padding in cryptoapicert

2019-09-23 Thread Selva Nair
Hi, On Sun, Jul 28, 2019 at 4:34 PM wrote: > > From: Selva Nair > > For PSS padding, CNG requires the digest to be signed > and the digest algorithm in use, which are not accessible > via the rsa_sign and rsa_priv_enc callbacks of OpenSSL. > This patch uses the EVP_

Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-09-20 Thread Selva Nair
at cannot sign with PSS padding. Selva

Re: [Openvpn-devel] [PATCH 1/7] Visual Studio: upgrade project files to VS2019

2019-09-20 Thread Selva Nair
Then the patched openvpn could open it. How does one install the driver in the zip file you posted -- using devcon with the hardware id of wintun? Selva

[Openvpn-devel] [PATCH v2 for 2.4] Handle PSS padding in cryptoapicert

2019-07-28 Thread selva . nair
From: Selva Nair For PSS padding, CNG requires the digest to be signed and the digest algorithm in use, which are not accessible via the rsa_sign and rsa_priv_enc callbacks of OpenSSL. This patch uses the EVP_KEY interface to hook to evp_pkey_sign callback if OpenSSL version is > 1.1.0. Mapp

[Openvpn-devel] [PATCH for 2.4] Correct the return value of cryptoapi RSA signature callbacks

2019-07-26 Thread selva . nair
From: Selva Nair Fixes the wrong check on siglen instead of *siglen for signing failures. Bug reported by: lilulo Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index

[Openvpn-devel] [PATCH] Correct the return value of cryptoapi RSA signature callbacks

2019-07-26 Thread selva . nair
From: Selva Nair Fixes the wrong check on siglen instead of *siglen for signing failures. Bug reported by: lilulo Signed-off-by: Selva Nair --- 2.4 will need a separate patch src/openvpn/cryptoapi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn

Re: [Openvpn-devel] [PATCH v6] openvpnserv: enable interactive service to open tun

2019-07-24 Thread Selva Nair
{ > +err = ERROR_OUTOFMEMORY; > +goto out; > +} > + > +/* validate device guid */ > +const size_t guid_len = wcslen(wguid); > +if (guid_len != 38 || wcsspn(wguid, L"0123456789ABCDEFabcdef-{}") != > guid_len) > + { > +
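Review bot: the guid validation `guid_len != 38 || wcsspn(wguid, L"0123456789ABCDEFabcdef-{}") != guid_len` only constrains the total length and the character set, so a 38-character string with `{`, `}` or `-` in the wrong positions (or with several braces) still passes. If `wguid` is later spliced into a device path, consider also checking the fixed positions of the two braces and the four hyphens, or round-tripping the string through a GUID parser such as `CLSIDFromString`, so that only a well-formed `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}` is accepted.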

Re: [Openvpn-devel] [PATCH v5] openvpnserv: enable interactive service to open tun

2019-07-22 Thread Selva Nair
!= L'-') && (ch != L'{') && (ch != > L'}')) > +{ > +err = ERROR_MESSAGE_DATA; > +MsgToEventLog(MSG_FLAGS_ERROR, TEXT("Invalid device guild > (%s)"), wguid); > +goto out; > +

Re: [Openvpn-devel] [PATCH v3] openvpnserv: enable interactive service to open tun

2019-07-17 Thread Selva Nair
tra code. Otherwise a thorough sanitization of the path is required as there could be obscure ways of breaking out using "..\" or otherwise, though I'm not sure. Things like \\.\C:\..\D:\ work on Windows so I won't take any chances. Selva PS. Just noticed you've already p

Re: [Openvpn-devel] [PATCH v3] openvpnserv: enable interactive service to open tun

2019-07-02 Thread Selva Nair
n.exe is upgraded but service stays at an old version -- such a service will respond with ack and error_number=ERROR_MESSAGE_TYPE. Selva

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-29 Thread Selva Nair
river sets it as all access for SYSTEM, RWX for everyone else when AllowNonAdmin is on. Not sure whether that matters in practice. Selva

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-29 Thread Selva Nair
{ > + if (parm->ParameterType == NdisParameterInteger) > + { > + if (parm->ParameterData.IntegerData) > + { > + enable_non_admin = TRUE; > + } > + } > +

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
Hi, On Fri, Jun 28, 2019 at 5:03 PM Gert Doering wrote: > > Hi, > > On Fri, Jun 28, 2019 at 04:51:47PM -0400, Selva Nair wrote: > > Would that mean we can assume that always allowing all users access to > > the tap (say, using the service to open it) w

Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
On Fri, Jun 28, 2019 at 4:51 PM Selva Nair wrote: > > Hi, > > While testing a patch, I failed to toggle AllowNonAdmin access to the > tap-adapter. > Looking at the sources it seems we do not respect that setting. > > From adapter.c ~line The quoted code was from tap-wind

[Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
the service to open it) would not be a regression? Or are there folks who use local builds of the driver and expect openvpn.exe to respect that setting? Thanks, Selva

Re: [Openvpn-devel] [PATCH v2] openvpnserv: enable interactive service to open tun

2019-06-26 Thread Selva Nair
s > } > break; > > +case msg_open_tun_device: > +if (msg.header.size == sizeof(msg.open_tun)) > +{ > +open_tun_device_result_message_t res = { > +.header = { > +

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi, What I have in mind would also require editing all calls to send_msg_iservice() which is essentially what Gert is objecting to. So ignore me -- a separate send_msg_iservice_ex may be the best option. Selva On Tue, Jun 25, 2019 at 5:00 PM Selva Nair wrote: > > Hi, > > On Tue,

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
version which accepts arbitrary response > type and size. My point is that, this is not in the spirit of the rest of iservice code. See HandleMessage in interactive.c where the data is and then interpreted using the header type and size. For what max-size to pass to ReadFile, we know it from the

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi On Tue, Jun 25, 2019 at 4:34 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 25, 2019 at 03:57:18PM -0400, Selva Nair wrote: > > The way interactive service structures are coded should not require > > this at all, does it? The size and message type are already in the

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
ice (%s)"), > device_path_wchar); > +free(device_path_wchar); > +return err; > +} > Also this one -- I think we should just use the wide version of CreateFile -- all strings in OpenVPN.exe are supposed to be in utf8, so convert to widechar and call CreateFileW. Selva

Re: [Openvpn-devel] [PATCH 0/5] Implement additional two step authentication methods

2019-06-13 Thread Selva Nair
ge as many do right now. The current dynamic response implementation is a bad hack -- fail the auth with challenge embedded in the reason text and then send the response as a "password" during the next round. So is this about making a clean

Re: [Openvpn-devel] Preliminary Wintun support in OpenVPN2

2019-06-11 Thread Selva Nair
the date on my calendar > and waiting for Antonio to send the accommodation recommendation. > > > > Best regards, > > Simon > > > > From: Lev Stipakov > Date: Tuesday, 11 June 2019 at 19:26 > To: Jason Donenfeld , Simon Rozman , Selva > Nair >

Re: [Openvpn-devel] [PATCH 2/2] Allow repeated cycles through remotes when management-query-remote is in use

2019-06-09 Thread Selva Nair
Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201 Hi, These patches were meant to help implement choosing the remote through the GUI. I may not find time for that but the patches by themselves are still relevant. If there is some interest I'll rebase to master. Selva

Re: [Openvpn-devel] New OpenVPN 2.4.7 Windows installers released

2019-04-24 Thread Selva Nair
cluded here requires some logic in the installer to create the new config_dir location if missing, and move contents from the old location. See also this PR: https://github.com/OpenVPN/openvpn-build/pull/141/commits/9c2774ca3841763ada64986b18d1df7634c59a20 Selva

Re: [Openvpn-devel] New OpenVPN 2.4.7 installers with tap-windows6 and other components

2019-04-23 Thread Selva Nair
c message "An error occurred" and nothing in setupapi logs. On further tests, one issue is that tapinstall.exe now depends on VCRUNTIME140.dll which is not present in stock Windows. Probably that's what causes the failure. Selva

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-21 Thread Selva Nair
; ourselves? > > I agree with Selva that it should go upstream - since this is not about > windows, we do not provide our own pkcs11-helper builds anywhere, so > either we get the distribution maintainers involved (lots...) or > upstream. > > (On *windows* we could just patch wha

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-19 Thread Selva Nair
Hi, On Fri, Apr 19, 2019 at 9:13 AM Jan Just Keijser wrote: > Hi Selva,I had not written a patch when I wrote my earlier email, but your > patch is exactly what I had in mind; getting it all to compile and run with > OpenSSL 1.1.1b + OpenVPN 2.4.7 was a bit of a challenge, but

Re: [Openvpn-devel] [PATCH] Set the correct mtu on windows based systems

2019-04-18 Thread Selva Nair
PHANDLE events, > undo_lists_t *lists) > { > @@ -1210,6 +1233,7 @@ HandleMessage(HANDLE pipe, DWORD bytes, DWORD count, > LPHANDLE events, undo_lists > block_dns_message_t block_dns; > dns_cfg_message_t dns; > enable_dhcp_message_t dhcp; > +set_mtu_m

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-17 Thread Selva Nair
Hi JJK, On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser wrote: > Hi Selva, > > On 10/04/19 19:09, Selva Nair wrote: > > > > On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser > wrote: > > snipped... > patching pkcs11-helper does not seem too difficult for

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
Hi, On Wed, Apr 10, 2019 at 6:00 PM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 10/04/2019 17:58, Selva Nair wrote: > > > > As I replied to the openssl-users list[*], pkcs11-helper only supports > PKCS1 > > signatures, not raw signature needed

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser wrote: > On 10/04/19 17:58, Selva Nair wrote: > > Hi, > > This is more relevant to OpenVPN than OpenSSL, so copying to the > openvpn-devel list. > > On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis > wrote: > >

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Selva Nair
gt; unexpected padding. Any ideas on what might be the cause of this? > > As I replied to the openssl-users list[*], pkcs11-helper only supports PKCS1 signatures, not raw signature needed in this case. We have to either patch pkcs11-helper or switch to something else. Selva [*] htt

Re: [Openvpn-devel] [PATCH 4/4] Simplified if statements for better readability

2019-04-01 Thread Selva Nair
edit unrelated parts of the code -- if it does, do not include such changes in the patch. Thanks Selva

Re: [Openvpn-devel] [PATCH 3/4] Use netioapi instead of netsh to set mtu

2019-04-01 Thread Selva Nair
erface \"%d\" mtu= > %d"; > - } > - > - /* max cmdline length in wchars -- include room for if index: > -* 20 chars for two 32 bit int in decimal and +1 for NUL > -*/ > - size_t ncmdline = wcslen

Re: [Openvpn-devel] [PATCH] Setting adapter mtu on windows systems

2019-03-29 Thread Selva Nair
Hi, On Fri, Mar 29, 2019 at 6:25 AM Christopher Schenk wrote: > > Hi, > > On 28/03/2019 16:00, Selva Nair wrote: > > I would go a step further to say we should not add new features that > > do not work when started using the interactive service. > > > > Sec

Re: [Openvpn-devel] [PATCH] Setting adapter mtu on windows systems

2019-03-28 Thread Selva Nair
doing this? > > Patch looks okay enough to ACK but: > > In general, this patch adds a missing feature (setting MTU) with one > windows interface only (netsh). And more commonly used interface > (interactive service)would be different then leading to harder to debug > probl

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
On Wed, Mar 20, 2019 at 10:52 AM tincanteksup wrote: > > > > On 20/03/2019 13:25, Selva Nair wrote: > > Hi, > > > > On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: > >> > >> Hi, > >> > >> On 18/03/2019 22:30, tincant

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
Hi, On Wed, Mar 20, 2019 at 9:45 AM Arne Schwabe wrote: > > Am 20.03.19 um 14:25 schrieb Selva Nair: > > Hi, > > > > On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: > >> > >> Hi, > >> > >> On 18/03/2019 22:30, tincanteksup

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread Selva Nair
WARNING in the log when parsing a > dhcp-option without any script configured (on non-windows platform) may > also be beneficial. This would catch some obvious cases but not when a script is being used for some other purpose. Still, sounds useful. Selva _

[Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-18 Thread selva . nair
From: Selva Nair Make clear that --dhcp-option is not processed on non-Windows clients and the user is expected to handle it using an --up script. Signed-off-by: Selva Nair --- doc/openvpn.8 | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/doc/openvpn.8

[Openvpn-devel] [PATCH for-2.4] Better error message when script fails due to script-security setting

2019-02-28 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH applied] Re: Better error message when script fails due to script-security setting

2019-02-28 Thread Selva Nair
same as this -- i.e with switch(stat) in misc.c and preprocessor macros in misc.h or a simpler, return code = -2 and error message as in version 1? Selva

[Openvpn-devel] [PATCH v2] Better error message when script fails due to script-security setting

2019-02-20 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-19 Thread Selva Nair
Hi, Thanks for the review. On Tue, Feb 19, 2019 at 12:39 PM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 17/02/2019 02:55, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Add a new return value (-2) for openvpn_execve() when ext

Re: [Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-18 Thread Selva Nair
Hi On Mon, Feb 18, 2019 at 9:24 AM Gert Doering wrote: > Hi, > > On Sat, Feb 16, 2019 at 08:55:41PM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Add a new return value (-2) for openvpn_execve() when external > > program execution is not all

[Openvpn-devel] [PATCH] Better error message when script fails due to script-security setting

2019-02-16 Thread selva . nair
From: Selva Nair - Add a new return value (-2) for openvpn_execve() when external program execution is not allowed due to a low script-security setting. - Add a corresponding error message Errors and warnings in such cases will now display as "WARNING: failed running command () :"

Re: [Openvpn-devel] [PATCH] Exit early when external scripts are specified with script-security < 2

2019-02-16 Thread Selva Nair
Hi, On Sat, Feb 16, 2019 at 8:19 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 15/02/2019 21:31, Selva Nair wrote: > > Hi > > > > On Fri, Feb 15, 2019 at 3:26 PM David Sommerseth > > open...@sf.lists.topphemmelig.net>> > > wr

[Openvpn-devel] [PATCH] Exit early when external scripts are specified with script-security < 2

2019-02-11 Thread selva . nair
From: Selva Nair Currently this raises a warning only. A fatal error is triggered later with a confusing message that script failed to execute. This helps the Windows GUI to show a relevant error message when script-security is over-ridden as a security measure. Signed-off-by: Selva Nair

Re: [Openvpn-devel] OpenVPN 2.4: crypto api patches for OpenSSL 1.1.1? cryptoapicert

2019-01-31 Thread Selva Nair
Hi On Thu, Jan 31, 2019 at 11:40 AM Gert Doering wrote: > Hi, > > I have changed the Subject: and started a new thread, so that this > isn't lost in the discussion specific to commit ce1c1beef1eb. > > On Thu, Jan 31, 2019 at 11:28:52AM -0500, Selva Nair wrote: > > So n

Re: [Openvpn-devel] [PATCH applied] Re: Handle PSS padding in cryptoapicert

2019-01-31 Thread Selva Nair
Thanks. So now the question -- do we want to support Windows builds with OpenSSL 1.1.1 in 2.4? Selva On Thu, Jan 31, 2019 at 11:22 AM Gert Doering wrote: > Your patch has been applied to the master branch. > > (Test built on ubuntu 16.04 / mingw, not really tested as such) &
