Hi,
On 06-02-17 20:18, Olivier W wrote:
> Should be compatible with all versions of OpenSSL and LibreSSL.
> Similar to what is done in curl:
> https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619
>
> Error while compiling was:
>
Hi,
On 07-02-17 09:45, Илья Шипицин wrote:
> I have a question (sorry if I couldn't check myself): did you check that
> SSL_get_privatekey() and SSL_free() won't crash when ssl is NULL ?
>
> what if we involve clang static analyzer for such things ? can we count
> on it ?
>
> it is
Hi,
On 20 January 2017 at 22:04, David Sommerseth wrote:
> We already track a lot of files over the whole directory structure
> in the main .gitignore file. But a few additional ones had been
> added into some of the subdirectories.
>
> This unifies all these files into a
Hi,
One more real comment and two nitpicks:
On 15-01-17 15:43, Antonio Quartulli wrote:
> @@ -3233,39 +3258,63 @@ options_postprocess_filechecks(struct options
> *options)
>
> [...]
>
> +errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
> +
found".
Signed-off-by: Steffan Karger <stef...@karger.me>
---
v2: fix rebase error that erroneously reverted commit ec4dff3b
src/openvpn/crypto.h | 6 +++---
src/openvpn/crypto_mbedtls.h | 1 +
src/openvpn/crypto_openssl.h | 1 +
src/openvpn/init.c | 10 +--
to
use for poor man's NCP.
This patch allows working around that issue by allowing the 'cipher'
directive to be used in --client-config-dir files. That way, a server
admin can add ccd files to specify per-client which cipher to use.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openv
Hi,
On 20-01-17 23:01, David Sommerseth wrote:
> This actually tries to revert commit ec4dff3bbdcc9fedf7844 ... which is
> quite surprising.
>
> [...snip...]
>
> And this too is also a revert of the same commit as above.
>
> Had it been just a simple rebase, I'd be willing to tackle that
>
On 22-02-17 08:39, Gert Doering wrote:
> On Wed, Feb 22, 2017 at 02:21:35AM +0100, David Sommerseth wrote:
From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001
From: "Simon (simix)"
>>>
>>> Do we have a policy how to handle patches with missing author info?
>>
>> I
Hi,
The attached patch from trac #825 fixes a silly bug in my --tls-crypt
code. I already confirmed this in trac, but now also on the list:
ACK to the attached patch.
-Steffan
From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001
From: "Simon (simix)"
Date: Tue, 21 Feb 2017
On 22 February 2017 at 15:47, Christian Hesse <l...@eworm.de> wrote:
> Steffan Karger <stef...@karger.me> on Tue, 2017/02/21 22:30:
>> ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1
>> and 1.0.2.
>
> You answered to a patch in the middle
Hi,
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_*
> constants. Moreover, new code might use different function
> code for the same error.
>
> Thus, we extract the error reason from the error
On 19-02-17 15:58, David Sommerseth wrote:
> On 19/02/17 13:03, Steffan Karger wrote:
>
>> As discussed in other threads, we do want to support building on RHEL6,
>> which is why we would prefer to be compatible with (patched) OpenSSL
>> 0.9.8. I haven't tested a
Hi Emmanuel,
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> The purpose of this RFC series is to make the latest master of OpenVPN
> (2.5-git) linkable with OpenSSL v1.1.x. It may not be complete (I may
> have missed something due to my work environment,
e keys,
this patch delays key generation for non-NCP p2mp servers until after
reading the ccd file.
Trac: #845
Signed-off-by: Steffan Karger <stef...@karger.me>
---
v2: postpone p2mp non-NCP key generation, such that setting cipher in
a ccd file for a non-NCP client actually works.
src/ope
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> OpenSSL 1.1 does not allow us to directly access the internals of
> any data type, including X509_STORE. We have to use the defined functions
> to do so.
>
> Compatibility with OpenSSL 1.0 is kept by defining
Hi,
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> OpenSSL 1.1 does not allow us to directly access the internals of
> any data type, including RSA_METHOD. We have to use the defined
> functions to do so.
>
> Compatibility with OpenSSL 1.0 is kept by
On 23-02-17 22:41, James Yonan wrote:
> On 23/02/2017 01:22, Steffan Karger wrote:
>> On 22-02-17 19:48, James Yonan wrote:
>>> mbedTLS 2 has a new feature that allows rejection of certificates if the
>>> key size is too small or the signing hash is weak.
>>&g
Hi,
On 24-02-17 14:52, Gert Doering wrote:
> To test whether a server is reachable and all the key handling is
> right, openvpn can connect with "--dev null --ifconfig-noexec" to
> avoid needing to the client with elevated privileges.
>
> This was erroring out for no good reason (because the
Hi,
On 23-02-17 19:22, Ilya Shipitsin wrote:
> In rare cases openvpn is built from a tarball; this happens during the
> "installer build" process. "make distcheck" helps to prevent problems during
> such builds.
>
> Signed-off-by: Ilya Shipitsin
> ---
> .travis.yml | 1 +
> 1
On 25-02-17 07:04, James Yonan wrote:
> On 24/02/2017 16:10, Steffan Karger wrote:
>> On 24-02-17 22:28, James Yonan wrote:
>>> On 24/02/2017 02:40, Steffan Karger wrote:
>>>> On 23-02-17 22:41, James Yonan wrote:
>>>>> On 23/02/2017 01:22, Steffan
Hi,
On 24-02-17 22:28, James Yonan wrote:
> On 24/02/2017 02:40, Steffan Karger wrote:
>> On 23-02-17 22:41, James Yonan wrote:
>>> On 23/02/2017 01:22, Steffan Karger wrote:
>>>> On 22-02-17 19:48, James Yonan wrote:
>>>>> mbedTLS 2 has a new
On 23-02-17 10:31, Emmanuel Deloget wrote:
>>> - configure.ac does something to CentOS 6 / RHEL 6 which makes configure
>>> explode:
>>>
>>> ...
>>> checking for linux/if_tun.h... yes
>>> checking tap-windows.h usability... no
>>> checking tap-windows.h presence... no
>>> checking for
Hi,
On 21-02-17 22:12, Gert Doering wrote:
> On Tue, Feb 21, 2017 at 08:42:57PM +0100, Steffan Karger wrote:
>> ACK to the attached patch.
>
>> From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001
>> From: "Simon (simix)"
>
> All pr
Hi,
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> OpenSSL 1.1 does not allow us to directly access the internals of
> any data type, including X509_STORE_CTX. We have to use the defined
> functions to do so.
>
> Fortunately, these functions have existed
Hi James,
On 22-02-17 19:48, James Yonan wrote:
> mbedTLS 2 has a new feature that allows rejection of certificates if the
> key size is too small or the signing hash is weak.
>
> The feature is controlled via struct mbedtls_x509_crt_profile.
>
> For example, you could specify that
On 17-02-17 23:00, log...@free.fr wrote:
> From: Emmanuel Deloget
>
> OpenSSL 1.1 does not allow us to directly access the internals of
> any data type, including SSL_CTX. We have to use the defined functions
> to do so.
>
> Compatibility with OpenSSL 1.0 is kept by defining the
On 23-02-17 09:49, Gert Doering wrote:
> Commit b936ddfb63 introduced a new header file but forgot to include
> it in the list of openvpn_SOURCES, so it did not get bundled in the
> generated tarballs.
>
> Signed-off-by: Gert Doering
> ---
> src/openvpn/Makefile.am | 1 +
>
Hi,
On 09-02-17 21:04, Olivier W wrote:
> Hello,
> Please find the new version of the patch.
>
> So, I added back the comment I had removed and new versions of OpenSSL
> will use SSL_CTX_get0_privatekey() instead of SSL_new() +
> SSL_get_privatekey() + SSL_free().
>
> It successfully compile
Hi,
On 13-02-17 19:38, O2 Graphics wrote:
> Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2
>
> Signed-off-by: Olivier Wahrenberger
> ---
> src/openvpn/ssl_openssl.c | 14 +++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git
Hi,
Thanks, I like each version better. Even though it adds more lines than
it removes, quite some of it is because of correcting wrapping and
adding useful comments. I think it really improves the readability of
the code. Some (hopefully final) minor comments still though:
On 14-01-17 17:30,
On 22 August 2016 at 21:22, Gert Doering wrote:
> NCP only works with --pull or --mode server, leading to breakage
> in --inetd mode (because that has --tls-server, but not --mode server,
> but clients can still ask for PUSH_REQUEST).
>
> Fix by turning off o->ncp_enable
On 25-02-17 19:00, Ilya Shipitsin wrote:
> In rare cases openvpn is built from a tarball; this happens during the
> "installer build" process. "make distcheck" helps to prevent problems during
> such builds.
>
> V2: limit "make distcheck" to one build configuration
> Signed-off-by: Ilya Shipitsin
On 28-02-17 06:09, James Yonan wrote:
> On 27/02/2017 18:18, David Sommerseth wrote:
>
>> On 27/02/17 23:06, James Yonan wrote:
>>> On 25/02/2017 08:40, Steffan Karger wrote:
>> [...snip...]
>>>> I'd say so. Something like:
>>>>
>>>&
As reported in trac #716, cipher negotiation (NCP) broke --mssfix. This
patch now also restores the mssfix value after the crypto negotiation.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/init.c | 15 +--
src/openvpn/mtu.c | 10 ++
src/openvpn
On 10 September 2016 at 08:11, Steffan Karger <stef...@karger.me> wrote:
> [PATCH 1/2]
... oops. The 1/2 is a historical artefact. There is no 2/2.
-Steffan
--
have to
update the text to reflect that.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
doc/openvpn.8 | 36 +---
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 163bdf4..f86851c 100644
--- a/doc/openvpn.8
have to
update the text to reflect that.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
doc/openvpn.8 | 14 +++---
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index d9bb77c..fd23f8b 100644
--- a/doc/openvpn.8
+++ b/doc/ope
until a sighup restart. We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/init.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
i
until a sighup restart. We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.
v2: also cache and restore keysize, as that parameter is relevant too.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/init.c| 6 ++
src/openv
Hi,
OpenVPN (2.x) currently caches pushed options across sigusr1 restarts.
This 'allows' a server admin to push some options that the code can't
really handle, until the client times out and performs a sigusr1
restart. The client will then execute a number of initialisation
routines that might
nly set -std=gnu89 if no -std flag is present in $CFLAGS
Signed-off-by: Steffan Karger <stef...@karger.me>
---
configure.ac | 6 ++
1 file changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index 62b389e..af24392 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1069,6
Add scopes for the conditional code, remove local scope that's only needed
for c89 support (which we dropped).
This patch should be applied after the SHA256 fingerprint support patch.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl_verify.c | 17 ++---
Hi,
On 17 September 2016 at 14:53, Lev Stipakov wrote:
> From: Lev Stipakov
>
> v3:
> * move assert outside of loop
> * add max-clients value check to options
>
> [...]
>
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -5893,6
Hi,
On 18 September 2016 at 08:51, Lev Stipakov wrote:
> From: Lev Stipakov
>
> v5:
> * A few more nitpicks
>
> v4:
> * replace magic number with define
> * show user a decimal value instead of hex
>
> v3:
> * move assert outside of loop
> * add
Hi,
On 27 July 2016 at 16:42, Steffan Karger <steffan.kar...@fox-it.com> wrote:
> Our customers, as well as community users, have asked for encryption of
> control channel packets to hide their certificate (containing perhaps
> the users' name or organisation), or to provide
Hi,
On 22-09-16 12:04, David Sommerseth wrote:
> If running an OpenVPN client with --enable-pkcs11 and a server without
> and having a username and/or password with more than 128 characters,
> the authentication will fail as the server truncates the password
> to 128 bytes.
>
> This makes things
Hi,
On 18 September 2016 at 22:07, Selva Nair wrote:
> Does this mean that --tls-crypt will imply --tls-auth with the same key-file
> (or make the latter redundant?). The man-page description in the patch
> appears to imply so, but it is not very clear...
--tls-crypt also
essage just before the push:
>
>
> it would be easiest, but it is not required.
> as Steffan Karger wrote "Could you please include such descriptions in
> future patches?"
>
> ---
>
> Enable "--disable-crypto" build configuration
>
Ensuring that
options->ciphername is never null prevents us from having to write null
checks everywhere.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/crypto.c | 7 +--
src/openvpn/init.c| 2 +-
src/openvpn/options.c | 8
3 files changed, 6 inser
Fixes compiler warnings (undefined behavior) by making the copy explicit
to comply with strict aliasing rules. With newer GCC the old code could
actually lead to undefined behaviour.
See e.g. http://blog.regehr.org/archives/959.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/o
On 28 September 2016 at 13:09, Gert Doering wrote:
> Your patch has been applied to master. Due to differences in surrounding
> code (which do not affect this change) I had to do it manually - code change
> is the same, patch looks different. Please verify that it's all as
Hi,
On 24-09-16 17:54, Lev Stipakov wrote:
> Peer-id might change on restart and this should not trigger reopening
> tun.
>
> Trac #649
Feature-ACK.
The same holds for ncp stuff though, so I think we should do the same
for cipher, auth and keysize. Unless those change the tun-mtu, hmm...
That
On 04-10-16 22:20, Lev Stipakov wrote:
> v2:
> - Move digest update to separate method
>
> Peer-id might change on restart and this should not trigger reopening
> tun.
>
> Trac #649
> ---
> src/openvpn/push.c | 45 ++---
> 1 file changed, 30
Hi,
Shouldn't the return type be size_t or at least unsigned int, as mbuf->len is
also of type unsigned int?
-Steffan
-Original Message-
From: Arne Schwabe [mailto:a...@rfc2549.org]
Sent: Monday 11 March 2013 22:35
To: g...@greenie.muc.de; openvpn-devel@lists.sourceforge.net
Subject:
this afternoon.
-Steffan
-Original Message-
From: Heiko Hund [mailto:heiko.h...@sophos.com]
Sent: Tuesday 19 March 2013 11:27
To: openvpn-devel@lists.sourceforge.net
Cc: Steffan Karger
Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support
On Monday 18 March 2013 17:37:28 steffan.kar
Wow, 32 bit. I clearly did not put enough effort in testing polar's newly
supported ciphers. I'll take a good look at this.
-Steffan
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Wednesday 20 March 2013 9:53
To: Steffan Karger
Cc: openvpn-devel
on that one.
Regards,
-Steffan
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Tuesday 19 March 2013 15:27
To: Steffan Karger
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support
Hi,
On Mon, Mar 18, 2013 at 05:37
.
-Steffan
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Tuesday 19 March 2013 15:27
To: Steffan Karger
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support
Hi,
On Mon, Mar 18, 2013 at 05:37:28PM +0100, steffan.kar
Hi,
Attached an updated version of the patch, which should resolve the issue. It
passes t_client tests.
-Steffan
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Wednesday 20 March 2013 9:53
To: Steffan Karger
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re
Hi,
Attached an updated patch, which removes the stale 0 from %0x in the printf
format string.
-Steffan
-Original Message-
From: Steffan Karger
Sent: Monday 18 March 2013 17:38
To: openvpn-devel@lists.sourceforge.net
Cc: Steffan Karger
Subject: [PATCH 3/5] Improve verify_callback
Hi,
Attached an updated version, which will not fail when polarssl is not installed
in some system library path.
Sorry for the spam!
-Steffan
-Original Message-
From: Steffan Karger [mailto:steffan.kar...@fox-it.com]
Sent: Wednesday 20 March 2013 19:53
To: Gert Doering
Cc: openvpn
Hi,
Gert has already covered the first part of your mail, but I too would like to
thank you for your efforts.
> To the PolarSSL-1.2 support itself: I must confess I didn't test it
> but I believe the new implementation of verify_callback in
> ssl_verify_callback.c is incorrect
>
Hi,
Attached a patch to fix a bug in the TLS-cipher translation introduced (by me)
in commit 030c7b0. The previous version would not parse tls-cipher strings with
more than two ciphers specified correctly.
The patch has been tested by the user that reported the bug.
-Steffan
BLE_SSL.
>
> Please check and send patch :-)
Yes sir ;) I attached the patch.
-Steffan
From a4d045dd3acd78999371db8d87c320aa0d0669e5 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.kar...@fox-it.com>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon, 15 Apr 2013 10:
Hi Arne,
For the context, this ROUTE_BEFORE_TUN is required for the Android VPN
API, right? Might be useful to put in the commit message. Furthermore
two comments on the patch, which I've put inline:
On 04/21/2013 01:26 PM, Arne Schwabe wrote:
> ---
> src/openvpn/init.c | 11 +--
>
Hi JJK,
> -Original Message-
> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
> Sent: Monday 22 April 2013 12:48
> To: openvpn-devel@lists.sourceforge.net; Adriaan de Jong
> Subject: [Openvpn-devel] forum topic12703: cross compile problem with
> crypto-library=polarssl
>
> hi *,
On 06/08/2013 07:33 AM, Tamas TEVESZ wrote:
>
> hi,
>
> the attached patch adds support for --client-cert-not-required with
> polarssl. please apply.
>
> thanks,
>
>
ACK
-Steffan
On 06/14/2013 09:53 PM, James Yonan wrote:
> To get the adaptive versioning behavior in OpenSSL, you have to use
> SSLv23_server_method() or SSLv23_client_method() and then explicitly
> disable the versions you don't want to consider, i.e. SSL_OP_NO_SSLv2,
> SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
On 07/09/2013 11:09 AM, p.j.bak...@polarssl.org wrote:
> Yeah!
>
> -82 is: POLARSSL_ERR_NET_WANT_READ
>
> It means that somewhere in the code, OpenVPN calls a read() or a write() and
> seems to not handle the return value properly.
I've peeked into the code, but in all cases where ssl_read() or
Hi,
On 11/12/2013 04:12 PM, Jan Just Keijser wrote:
> correct , although you can currently use EC certs with SHA1 signing -
> just not with SHA2 signing.
>
> JJK
Which means adding SHA2 hashing is at least a nice addition. I've taken
a quick peek at the code, applied the patches to master
Hi David,
This solution looks good. I did not test, but I do have one minor comment
after glancing at the code:
@@ -2662,7 +2700,14 @@ check_cmd_access(const char *command, const char
> *opt)
> * only requires X_OK to function on Unix - a scenario not unlikely to
> * be seen on suid
Argh, this must have slipped in while rewriting my git history to extract
these patches from my own try. Sorry!
ACK to Arne's quick fix, thanks for acting quickly.
-Steffan
On Sat, Nov 23, 2013 at 1:40 PM, Arne Schwabe wrote:
> ---
> src/openvpn/ssl_openssl.c | 4 ++--
> 1
Sorry for the late response, but better late than never. So, ACK to this
patch!
-Steffan
On 25-11-13 13:32, David Sommerseth wrote:
> From: David Sommerseth
>
> Commit 0f2bc0dd92f43c9 started to introduce some file sanity
> checking before OpenVPN started to avoid harder to
ACK. Code looks good, compiles and passes my local pkcs11-test.
-Steffan
On 11-11-13 23:36, Alon Bar-Lev wrote:
> Enables DSA, ECDSA key usages with newer pkcs11-helper.
>
> Signed-off-by: Alon Bar-Lev
> Tested-By: Sanaullah
> ---
> configure.ac
rom 6d7d536ea52713fe230264f7798c509f37dd40c9 Mon Sep 17 00:00:00 2001
From: Steffan Karger <stef...@karger.me>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Dec 2013 17:58:04 +0100
Subject: [PATCH] Use RSA_generate_key_ex() instead of deprecated
RSA_generate_key()
Code has been tested usin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi,
On 30-12-13 21:50, Gert Doering wrote:
> Could I ask you to provide a patch to remove this for 2.4?
Sure. I fixed some extra stuff along the way, I'll send a patch set in
a minute.
- -Steffan
-BEGIN PGP SIGNATURE-
Version: GnuPG
-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 5f6c270..9dced72 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_ope
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl_openssl.c | 4 ++--
1 file chan
Commit 4b67f98 changed calls to TLSv1_{server,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl_openssl
Hi,
This patch set is meant to remove ephemeral RSA support from the master branch,
and disable (weak) export ciphers by default. While coding I came along some
other stuff I fixed along the way:
1/6: Update two old calls to TLSv1*() functions to SSLv23*() functions, matching
the TLS
This allows to check the available TLS ciphers for a specific configuration
by supplying both --tls-cipher and --show-tls options.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/init.c | 2 +-
src/openvpn/ssl_backend.h | 4 +++-
src/openvpn/ssl_openssl.c
This diff looks like a lot has changed, but this just adds some ifs to check
for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export
ciphers by default in OpenVPN 2.4+.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl.c | 5 +-
src/o
are available in TLS.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl_openssl.c | 18 --
1 file changed, 18 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 1c6291f..08327a1 100644
--- a/src/openvpn/ssl_openssl.c
+++
Hi,
Attached a v2 of the patch below, that removes the else to make the diff
a lot smaller and changes a //-style comment to /* */-style.
-Steffan
On 01-01-14 21:10, Steffan Karger wrote:
> This diff looks like a lot has changed, but this just adds some ifs to check
> fo
Hi,
Attached a v3 of the patch. This one also makes sure
tls_ctx_restrict_ciphers is always called, to prepare for the defaults
settings of 6/6 to always apply. In the previous version of the patch
--show-tls would ignore the default settings.
-Steffan
On 03-01-14 21:12, Steffan Karger wrote
Hi Piotr,
On 18-02-14 01:35, pietrek -- wrote:
> It's my first contribution, so I could make some mistakes ;)
Thank you!
> In attached patch I added ECDH support to openvpn with openssl.
> Elliptic curve generation is, in contrast to Diffie-Hellman, very fast,
> so I do it on every server
Hi Piotr,
On 24-02-14 01:28, pietrek -- wrote:
> Hi Steffan,
> I modified my patch again. And thanks for your code - it helped me.
Good to hear it helped you. But your new patch basically is my code now,
except that it accepts a configuration without a DH-file.
> 1) In such case server will set
Hi,
On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote:
> > Although there is apparently more work to do to get more cipher suites
> > working, this does give us a start on working with EC-crypto. Maybe this
> > part can go in (once ACK'ed) as 'the start of EC-support', so
Hi,
On 25-02-14 22:49, Jan Just Keijser wrote:
> read up on the original ticket too:
> https://forums.openvpn.net/topic8404-30.html
>
> there's some useful commands/description in there on how to generate
> ECDSA certificates.
Thanks. I've added support for ECDSA to EasyRSA 3 a little while
Hi,
Thanks to Piotr's contributions on the mailing list I picked up my earlier
ECDH work again. I believe they are ready to be reviewed and find their way
into master.
The following patches add support for ECDH(E) in OpenSSL builds, which in
practice means that people are able to use ECDSA
Signed-off-by: Steffan Karger <stef...@karger.me>
---
sample/sample-keys/README| 6 ++--
sample/sample-keys/ec-ca.crt | 13 +
sample/sample-keys/ec-ca.key | 6
sample/sample-keys/ec-client.crt | 61
sample/sample-k
older version do not have all the functions used and would require
adding (more) #ifdefs.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
README.ec | 37
configure.ac | 4 +-
doc/openvpn.8 | 14 ++
src/openvpn/
Hi,
On 26-02-14 21:04, pietrek -- wrote:
> I tested what would happen if any key exchange protocol will be specified.
> It works as I expected: connection failed with error: 'no such cipher'.
> So session cannot work without ECDH and DH.
> Also, if OpenSSL would accept it, it would be an
This adds a number of commonly used cipher list names to ssl.c, which makes
OpenVPN not give a "translation not found" warning when using these.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/ssl.c | 13 +
1 file changed, 13 insertions(+)
diff --g
Hi,
The following two (small) patches are usability improvements.
1/2 removes some of the warnings OpenVPN-with-OpenSSL issue when a user
specifies valid OpenSSL TLS cipher group names with --tls-cipher. PolarSSL does
not support group names, so these are not applicable for PolarSSL.
2/2
This explicitly disables a number of tls ciphers that OpenVPN has currently
no support for. OpenSSL will automatically detect this during negotiation,
but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/o
Hi,
On 01-03-14 16:34, Gert Doering wrote:
> On Sat, Mar 01, 2014 at 03:36:13PM +0100, Steffan Karger wrote:
>> The following two (small) patches are usability improvements.
>
> is this master-only, or does it make sense for 2.3 as well?
Good point, I forgot to mention:
1/2 Make
Hi,
On 03/13/2014 10:37 PM, Abdullah Alshalan wrote:
> Hi,
> I have a few questions about OpenVPN and I would appreciate it if you can
> answer whatever you can.
I'll give it a try. I assume these questions relate to the 'Triple
Handshake'-attack (https://secure-resumption.com/). I do not understand
Hi,
> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday 17 March 2014 9:34
> Subject: Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL
> context for OpenSSL builds, to disable TLS stateless session
> resumption.
>
> Hi,
>
> On Sun, Mar 16,
ion.
>
> On 17/03/14 11:08, Steffan Karger wrote:
> > I think this should go into all releases we'll do from now on.
> >
> > Also, ACK on the patch. Together with SSL_SESS_CACHE_OFF, this seems
> > to fully disable TLS session renegotiation and resumption.
>
> T