Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-08 Thread Steffan Karger
Hi, On 06-02-17 20:18, Olivier W wrote: > Should be compatible with all versions of OpenSSL and LibreSSL. > Similar to what is done in curl: > https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619 > > Error while compiling was: >

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-08 Thread Steffan Karger
Hi, On 07-02-17 09:45, Илья Шипицин wrote: > I have a question (sorry if I couldn't check myself): did you check that > SSL_get_privatekey() and SSL_free() won't crash when ssl is NULL ? > > what if we involve clang static analyzer for such things ? can we count > on it ? > > it is

Re: [Openvpn-devel] [PATCH] git: Merge .gitignore files into a single file

2017-01-22 Thread Steffan Karger
Hi, On 20 January 2017 at 22:04, David Sommerseth wrote: > We already track a lot of files over the whole directory structure > in the main .gitignore file. But a few additional ones had been > added into some of the subdirectories. > > This unifies all these files into a

Re: [Openvpn-devel] [PATCH v5] convert *_inline attributes to bool

2017-01-22 Thread Steffan Karger
Hi, One more real comment and two nitpicks: On 15-01-17 15:43, Antonio Quartulli wrote: > @@ -3233,39 +3258,63 @@ options_postprocess_filechecks(struct options > *options) > > [...] > > +errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE, > +

[Openvpn-devel] [PATCH v2] Use SHA256 for the internal digest, instead of MD5

2017-01-22 Thread Steffan Karger
found". Signed-off-by: Steffan Karger <stef...@karger.me> --- v2: fix rebase error that erroneously reverted commit ec4dff3b src/openvpn/crypto.h | 6 +++--- src/openvpn/crypto_mbedtls.h | 1 + src/openvpn/crypto_openssl.h | 1 + src/openvpn/init.c | 10 +--

[Openvpn-devel] [PATCH] Allow changing cipher from a ccd file

2017-01-24 Thread Steffan Karger
to use for poor man's NCP. This patch allows working around that issue by allowing the 'cipher' directive to be used in --client-config-dir files. That way, a server admin can add ccd files to specify per-client which cipher to use. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openv

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2017-01-22 Thread Steffan Karger
Hi, On 20-01-17 23:01, David Sommerseth wrote: > This actually tries to revert commit ec4dff3bbdcc9fedf7844 ... which is > quite surprising. > > [...snip...] > > And this too is also a revert of the same commit as above. > > Had it been just a simple rebase, I'd be willing to tackle that >

Re: [Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-22 Thread Steffan Karger
On 22-02-17 08:39, Gert Doering wrote: > On Wed, Feb 22, 2017 at 02:21:35AM +0100, David Sommerseth wrote: >From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 From: "Simon (simix)" >>> >>> Do we have a policy how to handle patches with missing author info? >> >> I

[Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-21 Thread Steffan Karger
Hi, The attached patch from trac #825 fixes a silly bug in my --tls-crypt code. I already confirmed this in trac, but now also on the list: ACK to the attached patch. -Steffan From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 From: "Simon (simix)" Date: Tue, 21 Feb 2017

Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

2017-02-22 Thread Steffan Karger
On 22 February 2017 at 15:47, Christian Hesse <l...@eworm.de> wrote: > Steffan Karger <stef...@karger.me> on Tue, 2017/02/21 22:30: >> ACK. Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1 >> and 1.0.2. > > You answered to a patch in the middle

Re: [Openvpn-devel] [RFC PATCH v1 14/15] OpenSSL: check for the SSL reason, not the full error

2017-02-19 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_* > constants. Moreover, new code might use different function > code for the same error. > > Thus, we extract the error reason from the error

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger
On 19-02-17 15:58, David Sommerseth wrote: > On 19/02/17 13:03, Steffan Karger wrote: > >> As discussed in other threads, we do want to support building on RHEL6, >> which is why we would prefer to be compatible with (patched) OpenSSL >> 0.9.8. I haven't tested a

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

2017-02-19 Thread Steffan Karger
Hi Emmanuel, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > The purpose of this RFC series is to make the latest master of OpenVPN > (2.5-git) linkable with OpenSSL v1.1.x. It may not be complete (I may > have missed something due to my work environment,

[Openvpn-devel] [PATCH v2] Allow changing cipher from a ccd file

2017-02-17 Thread Steffan Karger
e keys, this patch delays key generation for non-NCP p2mp servers until after reading the ccd file. Trac: #845 Signed-off-by: Steffan Karger <stef...@karger.me> --- v2: postpone p2mp non-NCP key generation, such that setting cipher in a ccd file for a non-NCP client actually works. src/ope

Re: [Openvpn-devel] [RFC PATCH v1 02/15] OpenSSL: don't use direct access to the internal of X509_STORE

2017-02-22 Thread Steffan Karger
On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_STORE. We have to use the defined functions > to do so. > > Compatibility with OpenSSL 1.0 is kept by defining

Re: [Openvpn-devel] [RFC PATCH v1 04/15] OpenSSL: don't use direct access to the internal of RSA_METHOD

2017-02-22 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including RSA_METHOD. We have to use the defined > functions to do so. > > Compatibility with OpenSSL 1.0 is kept by

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
On 23-02-17 22:41, James Yonan wrote: > On 23/02/2017 01:22, Steffan Karger wrote: >> On 22-02-17 19:48, James Yonan wrote: >>> mbedTLS 2 has a new feature that allows rejection of certificates if the >>> key size is too small or the signing hash is weak. >>&g

Re: [Openvpn-devel] [PATCH] Fix "--dev null"

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 14:52, Gert Doering wrote: > To test whether a server is reachable and all the key handling is > right, openvpn can connect with "--dev null --ifconfig-noexec" to > avoid needing to the client with elevated privileges. > > This was erroring out for no good reason (because the

Re: [Openvpn-devel] [PATCH] travis-ci: add "make distcheck" to test scenario

2017-02-25 Thread Steffan Karger
Hi, On 23-02-17 19:22, Ilya Shipitsin wrote: > in rare cases openvpn is built from tarball, it happens during "installer > build" > process. "make distcheck" helps to prevent problems during such builds. > > Signed-off-by: Ilya Shipitsin > --- > .travis.yml | 1 + > 1

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-25 Thread Steffan Karger
On 25-02-17 07:04, James Yonan wrote: > On 24/02/2017 16:10, Steffan Karger wrote: >> On 24-02-17 22:28, James Yonan wrote: >>> On 24/02/2017 02:40, Steffan Karger wrote: >>>> On 23-02-17 22:41, James Yonan wrote: >>>>> On 23/02/2017 01:22, Steffan

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread Steffan Karger
Hi, On 24-02-17 22:28, James Yonan wrote: > On 24/02/2017 02:40, Steffan Karger wrote: >> On 23-02-17 22:41, James Yonan wrote: >>> On 23/02/2017 01:22, Steffan Karger wrote: >>>> On 22-02-17 19:48, James Yonan wrote: >>>>> mbedTLS 2 has a new

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-23 Thread Steffan Karger
On 23-02-17 10:31, Emmanuel Deloget wrote: >>> - configure.ac does something to CentOS 6 / RHEL 6 which makes configure >>> explode: >>> >>> ... >>> checking for linux/if_tun.h... yes >>> checking tap-windows.h usability... no >>> checking tap-windows.h presence... no >>> checking for

Re: [Openvpn-devel] [PATCH] Fix segfault when using crypto lib without AES-256-CTR or SHA256

2017-02-21 Thread Steffan Karger
Hi, On 21-02-17 22:12, Gert Doering wrote: > On Tue, Feb 21, 2017 at 08:42:57PM +0100, Steffan Karger wrote: >> ACK to the attached patch. > >> >From d97f526a2ddbf2abe60a64260601ebd742fc00cc Mon Sep 17 00:00:00 2001 >> From: "Simon (simix)" > > All pr

Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

2017-02-21 Thread Steffan Karger
Hi, On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including X509_STORE_CTX. We have to use the defined > functions to do so. > > Fortunately, these functions have existed

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread Steffan Karger
Hi James, On 22-02-17 19:48, James Yonan wrote: > mbedTLS 2 has a new feature that allows rejection of certificates if the > key size is too small or the signing hash is weak. > > The feature is controlled via struct mbedtls_x509_crt_profile. > > For example, you could specify that

Re: [Openvpn-devel] [RFC PATCH v1 01/15] OpenSSL: don't use direct access to the internal of SSL_CTX

2017-02-22 Thread Steffan Karger
On 17-02-17 23:00, log...@free.fr wrote: > From: Emmanuel Deloget > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including SSL_CTX. We have to use the defined functions > to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the

Re: [Openvpn-devel] [PATCH] Add openssl_compat.h to openvpn_SOURCES

2017-02-23 Thread Steffan Karger
On 23-02-17 09:49, Gert Doering wrote: > Commit b936ddfb63 introduced a new header file but forgot to include > it in the list of openvpn_SOURCES, so it did not get bundled in the > generated tarballs. > > Signed-off-by: Gert Doering > --- > src/openvpn/Makefile.am | 1 + >

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack.

2017-02-10 Thread Steffan Karger
Hi, On 09-02-17 21:04, Olivier W wrote: > Hello, > Please find the new version of the patch. > > So, I added back the comment I had removed and new versions of OpenSSL > will use SSL_CTX_get0_privatekey() instead of SSL_new() + > SSL_get_privatekey() + SSL_free(). > > It successfully compile

Re: [Openvpn-devel] [PATCH] Fix building with LibreSSL 2.5.1 by cleaning a hack. Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/op

2017-02-14 Thread Steffan Karger
Hi, On 13-02-17 19:38, O2 Graphics wrote: > Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2 > > Signed-off-by: Olivier Wahrenberger > --- > src/openvpn/ssl_openssl.c | 14 +++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git

Re: [Openvpn-devel] [PATCH v3] convert *_inline attributes to bool

2017-01-15 Thread Steffan Karger
Hi, Thanks, I like each version better. Even though it adds more lines than it removes, quite some of it is because of correcting wrapping and adding useful comments. I think it really improves the readability of the code. Some (hopefully final) minor comments still though: On 14-01-17 17:30,

Re: [Openvpn-devel] [PATCH] Fix problems with NCP and --inetd.

2016-08-22 Thread Steffan Karger
On 22 August 2016 at 21:22, Gert Doering wrote: > NCP only works with --pull or --mode server, leading to breakage > in --inetd mode (because that has --tls-server, but not --mode server, > but clients can still ask for PUSH_REQUEST). > > Fix by turning off o->ncp_enable

Re: [Openvpn-devel] [PATCH] travis-ci: add "make distcheck" to test scenario, V2

2017-02-26 Thread Steffan Karger
On 25-02-17 19:00, Ilya Shipitsin wrote: > in rare cases openvpn is built from tarball, it happens during "installer > build" > process. "make distcheck" helps to prevent problems during such builds. > > V2: limit "make distcheck" to one build configuration > Signed-off-by: Ilya Shipitsin

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-28 Thread Steffan Karger
On 28-02-17 06:09, James Yonan wrote: > On 27/02/2017 18:18, David Sommerseth wrote: > >> On 27/02/17 23:06, James Yonan wrote: >>> On 25/02/2017 08:40, Steffan Karger wrote: >> [...snip...] >>>> I'd say so. Something like: >>>> >>>&

[Openvpn-devel] [PATCH 1/2] Fix --mssfix when using NCP

2016-09-10 Thread Steffan Karger
As reported in trac #716, cipher negotiation (NCP) broke --mssfix. This patch now also restores the mssfix value after the crypto negotiation. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/init.c | 15 +-- src/openvpn/mtu.c | 10 ++ src/openvpn

Re: [Openvpn-devel] [PATCH 1/2] Fix --mssfix when using NCP

2016-09-10 Thread Steffan Karger
On 10 September 2016 at 08:11, Steffan Karger <stef...@karger.me> wrote: > [PATCH 1/2] ... oops. The 1/2 is a historical artefact. There is no 2/2. -Steffan

[Openvpn-devel] [PATCH (master)] Update cipher-related man page text

2016-09-11 Thread Steffan Karger
have to update the text to reflect that. Signed-off-by: Steffan Karger <stef...@karger.me> --- doc/openvpn.8 | 36 +--- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 163bdf4..f86851c 100644 --- a/doc/openvpn.8

[Openvpn-devel] [PATCH (2.3)] Update cipher-related man page text

2016-09-11 Thread Steffan Karger
have to update the text to reflect that. Signed-off-by: Steffan Karger <stef...@karger.me> --- doc/openvpn.8 | 14 +++--- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index d9bb77c..fd23f8b 100644 --- a/doc/openvpn.8 +++ b/doc/ope

[Openvpn-devel] [PATCH] Restore pre-NCP cipher options on SIGUSR1

2016-09-12 Thread Steffan Karger
until a sighup restart. We might want to change this behaviour in general, but for now let's just fix the issue at hand. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/init.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c i

[Openvpn-devel] [PATCH v2] Restore pre-NCP cipher options on SIGUSR1

2016-09-12 Thread Steffan Karger
until a sighup restart. We might want to change this behaviour in general, but for now let's just fix the issue at hand. v2: also cache and restore keysize, as that parameter is relevant too. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/init.c| 6 ++ src/openv

[Openvpn-devel] RFC: Pushable options and sigusr1 restarts

2016-09-12 Thread Steffan Karger
Hi, OpenVPN (2.x) currently caches pushed options across sigusr1 restarts. This 'allows' a server admin to push some options that the code can't really handle, until the client times out and performs a sigusr1 restart. The client will then execute a number of initialisation routines that might

[Openvpn-devel] [PATCH 2.3 v2] Make gnu89 support explicit

2016-09-16 Thread Steffan Karger
nly set -std=gnu89 if no -std flag is present in $CFLAGS Signed-off-by: Steffan Karger <stef...@karger.me> --- configure.ac | 6 ++ 1 file changed, 6 insertions(+) diff --git a/configure.ac b/configure.ac index 62b389e..af24392 100644 --- a/configure.ac +++ b/configure.ac @@ -1069,6

[Openvpn-devel] [PATCH] cleanup cert_hash_remember scoping

2016-09-16 Thread Steffan Karger
Add scopes for the conditional code, remove local scope that's only needed for c89 support (which we dropped). This patch should be applied after the SHA256 fingerprint support patch. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_verify.c | 17 ++---

Re: [Openvpn-devel] [PATCH v3] Support for disabled peer-id

2016-09-17 Thread Steffan Karger
Hi, On 17 September 2016 at 14:53, Lev Stipakov wrote: > From: Lev Stipakov > > v3: > * move assert outside of loop > * add max-clients value check to options > > [...] > > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -5893,6

Re: [Openvpn-devel] [PATCH v5] Support for disabled peer-id

2016-09-18 Thread Steffan Karger
Hi, On 18 September 2016 at 08:51, Lev Stipakov wrote: > From: Lev Stipakov > > v5: > * Few more nitpicks > > v4: > * replace magic number with define > * show user a decimal value instead of hex > > v3: > * move assert outside of loop > * add

Re: [Openvpn-devel] Feature proposal: tls-crypt

2016-09-18 Thread Steffan Karger
Hi, On 27 July 2016 at 16:42, Steffan Karger <steffan.kar...@fox-it.com> wrote: > Our customers, as well as community users, have asked for encryption of > control channel packets to hide their certificate (containing perhaps > the users' name or organisation), or to provide

Re: [Openvpn-devel] [PATCH] Have the same username/password length regardless of PKCS#11 enablement

2016-09-22 Thread Steffan Karger
Hi, On 22-09-16 12:04, David Sommerseth wrote: > If running an OpenVPN client with --enable-pkcs11 and a server without > and having a username and/or password with more than 128 characters, > the authentication will fail as the server truncates the password > to 128 bytes. > > This makes things

Re: [Openvpn-devel] Feature proposal: tls-crypt

2016-09-22 Thread Steffan Karger
Hi, On 18 September 2016 at 22:07, Selva Nair wrote: > Does this mean that --tls-crypt will imply --tls-auth with the same key-file > (or make the latter redundant?). The man-page description in the patch > appears to imply so, but not very clear.. --tls-crypt also

Re: [Openvpn-devel] [PATCH] enable "--disable-crypto" build configuration

2016-09-26 Thread Steffan Karger
essage just before the push: > > > it would be easiest, but it is not required. > as Steffan Karger wrote "Could you please include such descriptions in > future patches?" > > --- > > Enable "--disable-crypto" build configuration >

[Openvpn-devel] [PATCH] Make sure options->ciphername and options->authname are always defined

2016-09-28 Thread Steffan Karger
Ensuring that options->ciphername is never null prevents us from having to write null checks everywhere. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto.c | 7 +-- src/openvpn/init.c| 2 +- src/openvpn/options.c | 8 3 files changed, 6 inser

[Openvpn-devel] [PATCH] Don't dereference type-punned pointers

2016-09-28 Thread Steffan Karger
Fixes compiler warnings (undefined behavior) by making the copy explicit to comply with strict aliasing rules. With newer GCC the old code could actually lead to undefined behaviour. See e.g. http://blog.regehr.org/archives/959. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/o

Re: [Openvpn-devel] [PATCH] Make sure options->ciphername and options->authname are always defined

2016-09-28 Thread Steffan Karger
On 28 September 2016 at 13:09, Gert Doering wrote: > Your patch has been applied to master. Due to differences in surrounding > code (which do not affect this change) I had to do it manually - code change > is the same, patch looks different. Please verify that it's all as

Re: [Openvpn-devel] [PATCH master] Exclude peer-id from pulled options digest

2016-10-04 Thread Steffan Karger
Hi, On 24-09-16 17:54, Lev Stipakov wrote: > Peer-id might change on restart and this should not trigger reopening > tun. > > Trac #649 Feature-ACK. The same holds for ncp stuff though, so I think we should do the same for cipher, auth and keysize. Unless those change the tun-mtu, hmm... That

Re: [Openvpn-devel] [PATCH v2] Exclude peer-id from pulled options digest

2016-10-05 Thread Steffan Karger
On 04-10-16 22:20, Lev Stipakov wrote: > v2: > - Move digest update to separate method > > Peer-id might change on restart and this should not trigger reopening > tun. > > Trac #649 > --- > src/openvpn/push.c | 45 ++--- > 1 file changed, 30

Re: [Openvpn-devel] [PATCH] Repair "tcp server queue overflow" brokenness, more fallout.

2013-03-12 Thread Steffan Karger
Hi, Shouldn't the return type be size_t or at least unsigned int, as mbuf->len is also of type unsigned int? -Steffan -Original Message- From: Arne Schwabe [mailto:a...@rfc2549.org] Sent: Monday 11 March 2013 22:35 To: g...@greenie.muc.de; openvpn-devel@lists.sourceforge.net Subject:

Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-19 Thread Steffan Karger
this afternoon. -Steffan -Original Message- From: Heiko Hund [mailto:heiko.h...@sophos.com] Sent: Tuesday 19 March 2013 11:27 To: openvpn-devel@lists.sourceforge.net Cc: Steffan Karger Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support On Monday 18 March 2013 17:37:28 steffan.kar

Re: [Openvpn-devel] [PATCH 4/5] Config compatibility patch. Added translate_cipher_name.

2013-03-20 Thread Steffan Karger
Wow, 32 bit. I clearly did not put enough effort in testing polar's newly supported ciphers. I'll take a good look at this. -Steffan -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Wednesday 20 March 2013 9:53 To: Steffan Karger Cc: openvpn-devel

Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-20 Thread Steffan Karger
on that one. Regards, -Steffan -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Tuesday 19 March 2013 15:27 To: Steffan Karger Cc: openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support Hi, On Mon, Mar 18, 2013 at 05:37

Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-21 Thread Steffan Karger
. -Steffan -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Tuesday 19 March 2013 15:27 To: Steffan Karger Cc: openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support Hi, On Mon, Mar 18, 2013 at 05:37:28PM +0100, steffan.kar

Re: [Openvpn-devel] [PATCH 4/5] Config compatibility patch. Added translate_cipher_name.

2013-03-21 Thread Steffan Karger
Hi, Attached an updated version of the patch, which should resolve the issue. It passes t_client tests. -Steffan -Original Message- From: Gert Doering [mailto:g...@greenie.muc.de] Sent: Wednesday 20 March 2013 9:53 To: Steffan Karger Cc: openvpn-devel@lists.sourceforge.net Subject: Re

Re: [Openvpn-devel] [PATCH 3/5] Improve verify_callback messages

2013-03-21 Thread Steffan Karger
Hi, Attached an updated patch, which removes the stale 0 from %0x in the printf format string. -Steffan -Original Message- From: Steffan Karger Sent: Monday 18 March 2013 17:38 To: openvpn-devel@lists.sourceforge.net Cc: Steffan Karger Subject: [PATCH 3/5] Improve verify_callback

Re: [Openvpn-devel] [PATCH 1/5] PolarSSL-1.2 support

2013-03-21 Thread Steffan Karger
Hi, Attached an updated version, which will not fail when polarssl is not installed in some system library path. Sorry for the spam! -Steffan -Original Message- From: Steffan Karger [mailto:steffan.kar...@fox-it.com] Sent: Wednesday 20 March 2013 19:53 To: Gert Doering Cc: openvpn

Re: [Openvpn-devel] PolarSSL-1.2 support

2013-03-25 Thread Steffan Karger
Hi, Gert has already covered the first part of your mail, but I too would like to thank you for your efforts. > To the PolarSSL-1.2 support itself: I must confess I didn't test it > but I believe the new implementation of verify_callback in > ssl_verify_callback.c is incorrect >

[Openvpn-devel] [PATCH] Fixed tls-cipher translation bug in openssl-build

2013-04-05 Thread Steffan Karger
Hi, Attached a patch to fix a bug in the TLS-cipher translation introduced (by me) in commit 030c7b0. The previous version would not parse tls-cipher strings with more than two ciphers specified correctly. The patch has been tested by the user that reported the bug. -Steffan

Re: [Openvpn-devel] stray USE_SSL in crypto_openssl.c

2013-04-15 Thread Steffan Karger
BLE_SSL. > > Please check and send patch :-) Yes sir ;) I attached the patch. -Steffan From a4d045dd3acd78999371db8d87c320aa0d0669e5 Mon Sep 17 00:00:00 2001 From: Steffan Karger <steffan.kar...@fox-it.com> List-Post: openvpn-devel@lists.sourceforge.net Date: Mon, 15 Apr 2013 10:

Re: [Openvpn-devel] [PATCH] Allow routes to be set before opening tun, similar to ifconfig before opening tun

2013-04-22 Thread Steffan Karger
Hi Arne, For the context, this ROUTE_BEFORE_TUN is required for the Android VPN API, right? Might be useful to put in the commit message. Furthermore two comments on the patch, which I've put inline: On 04/21/2013 01:26 PM, Arne Schwabe wrote: > --- > src/openvpn/init.c | 11 +-- >

Re: [Openvpn-devel] forum topic12703: cross compile problem with crypto-library=polarssl

2013-04-22 Thread Steffan Karger
Hi JJK, > -Original Message- > From: Jan Just Keijser [mailto:janj...@nikhef.nl] > Sent: Monday 22 April 2013 12:48 > To: openvpn-devel@lists.sourceforge.net; Adriaan de Jong > Subject: [Openvpn-devel] forum topic12703: cross compile problem with > crypto-library=polarssl > > hi *,

Re: [Openvpn-devel] support client-cert-not-required with polarssl

2013-06-11 Thread Steffan Karger
On 06/08/2013 07:33 AM, Tamas TEVESZ wrote: > > hi, > > the attached patch adds support for --client-cert-not-required with > polarssl. please apply. > > thanks, > > ACK -Steffan

Re: [Openvpn-devel] OpenVPN Versioning

2013-06-17 Thread Steffan Karger
On 06/14/2013 09:53 PM, James Yonan wrote: > To get the adaptive versioning behavior in OpenSSL, you have to use > SSLv23_server_method() or SSLv23_client_method() and then explicitly > disable the versions you don't want to consider, i.e. SSL_OP_NO_SSLv2, > SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,

Re: [Openvpn-devel] OpenVPN Connect on Android fails to connect

2013-07-09 Thread Steffan Karger
On 07/09/2013 11:09 AM, p.j.bak...@polarssl.org wrote: > Yeah! > > -82 is: POLARSSL_ERR_NET_WANT_READ > > It means that somewhere in the code, OpenVPN calls a read() or a write() and > seems to not handle the return value properly. I've peeked into the code, but in all cases where ssl_read() or

Re: [Openvpn-devel] [PATCH] ssl: enable basic ecdsa

2013-11-12 Thread Steffan Karger
Hi, On 11/12/2013 04:12 PM, Jan Just Keijser wrote: > correct , although you can currently use EC certs with SHA1 signing - > just not with SHA2 signing. > > JJK Which means adding SHA2 hashing is at least a nice addition. I've taken a quick peek at the code, applied the patches to master

Re: [Openvpn-devel] [PATCH] Fix file checks when --chroot is being used

2013-11-23 Thread Steffan Karger
Hi David, This solution looks good. I did not test, but I do have one minor comment after glancing at the code: @@ -2662,7 +2700,14 @@ check_cmd_access(const char *command, const char > *opt) > * only requires X_OK to function on Unix - a scenario not unlikely to > * be seen on suid

Re: [Openvpn-devel] [PATCH] Fix compile error in ssl_openssl introduced by polar external-management patch

2013-11-23 Thread Steffan Karger
Argh, this must have slipped in while rewriting my git history to extract these patches from my own try. Sorry! ACK to Arne's quick fix, thanks for acting quickly. -Steffan On Sat, Nov 23, 2013 at 1:40 PM, Arne Schwabe wrote: > --- > src/openvpn/ssl_openssl.c | 4 ++-- > 1

Re: [Openvpn-devel] [PATCH] Fix file checks when --chroot is being used

2013-12-11 Thread Steffan Karger
Sorry for the late response, but better late than never. So, ACK to this patch! -Steffan On 25-11-13 13:32, David Sommerseth wrote: > From: David Sommerseth > > Commit 0f2bc0dd92f43c9 started to introduce some file sanity > checking before OpenVPN started to avoid harder to

Re: [Openvpn-devel] [PATCH] pkcs11: use generic evp key instead of rsa

2013-12-14 Thread Steffan Karger
ACK. Code looks good, compiles and passes my local pkcs11-test. -Steffan On 11-11-13 23:36, Alon Bar-Lev wrote: > Enables DSA, ECDSA key usages with newer pkcs11-helper. > > Signed-off-by: Alon Bar-Lev > Tested-By: Sanaullah > --- > configure.ac

[Openvpn-devel] [PATCH] Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()

2013-12-15 Thread Steffan Karger
rom 6d7d536ea52713fe230264f7798c509f37dd40c9 Mon Sep 17 00:00:00 2001 From: Steffan Karger <stef...@karger.me> List-Post: openvpn-devel@lists.sourceforge.net Date: Sun, 15 Dec 2013 17:58:04 +0100 Subject: [PATCH] Use RSA_generate_key_ex() instead of deprecated RSA_generate_key() Code has been tested usin

Re: [Openvpn-devel] [PATCH] Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()

2014-01-01 Thread Steffan Karger
Hi, On 30-12-13 21:50, Gert Doering wrote: > Could I ask you to provide a patch to remove this for 2.4? Sure. I fixed some extra stuff along the way, I'll send a patch set in a minute. -Steffan

[Openvpn-devel] [PATCH 6/6] Disable export ciphers by default for OpenSSL builds.

2014-01-01 Thread Steffan Karger
-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_openssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 5f6c270..9dced72 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_ope

[Openvpn-devel] [PATCH 2/6] Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98

2014-01-01 Thread Steffan Karger
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to SSLv23_{client,server}_method(), this commit updates the corresponding error messages to match the changes in the code. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_openssl.c | 4 ++-- 1 file chan

[Openvpn-devel] [PATCH 1/6] Also update TLSv1_method() calls in support code to SSLv23_method() calls.

2014-01-01 Thread Steffan Karger
Commit 4b67f98 changed calls to TLSv1_{server,client}_method() to SSLv23_{client,server}_method() to enable TLS version negotiation. This commit does the same for two calls of TLSv1_method() from support code. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_openssl

[Openvpn-devel] TLS fixes, remove support for ephemeral RSA, disable export ciphers

2014-01-01 Thread Steffan Karger
Hi, This patch set is meant to remove ephemeral RSA support from the master branch, and disable (weak) export ciphers by default. While coding I came along some other stuff I fixed along the way: 1/6: Update two old calls to TLSv1*() functions to SSLv23*() function, matching the TLS

[Openvpn-devel] [PATCH 3/6] If --tls-cipher is supplied, make --show-tls parse the list.

2014-01-01 Thread Steffan Karger
This allows checking the available TLS ciphers for a specific configuration by supplying both --tls-cipher and --show-tls options. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/init.c | 2 +- src/openvpn/ssl_backend.h | 4 +++- src/openvpn/ssl_openssl.c

[Openvpn-devel] [PATCH 5/6] Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.

2014-01-01 Thread Steffan Karger
This diff looks like a lot has changed, but this just adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c | 5 +- src/o

[Openvpn-devel] [PATCH 4/6] Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.

2014-01-01 Thread Steffan Karger
are available in TLS. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_openssl.c | 18 -- 1 file changed, 18 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1c6291f..08327a1 100644 --- a/src/openvpn/ssl_openssl.c +++

Re: [Openvpn-devel] [PATCH 5/6] Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.

2014-01-03 Thread Steffan Karger
Hi, Attached is a v2 of the patch below, which removes the else to make the diff a lot smaller and changes a //-style comment to /* */-style. -Steffan On 01-01-14 21:10, Steffan Karger wrote: > This diff looks like a lot has changed, but it just adds some ifs to check > fo

Re: [Openvpn-devel] [PATCH 5/6] Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.

2014-01-04 Thread Steffan Karger
Hi, Attached is a v3 of the patch. This one also makes sure tls_ctx_restrict_ciphers is always called, to prepare for the default settings of 6/6 to always apply. In the previous version of the patch --show-tls would ignore the default settings. -Steffan On 03-01-14 21:12, Steffan Karger wrote

Re: [Openvpn-devel] ECDH support

2014-02-18 Thread Steffan Karger
Hi Piotr, On 18-02-14 01:35, pietrek -- wrote: > It's my first contribution, so I could make some mistakes ;) Thank you! > In the attached patch I added ECDH support to openvpn with openssl. > Elliptic curve generation is, in contrast to Diffie-Hellman, very fast, > so I do it on every server

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi Piotr, On 24-02-14 01:28, pietrek -- wrote: > Hi Steffan, > I modified my patch again. And thanks for your code - it helped me. Good to hear it helped you. But your new patch basically is my code now, except that it accepts a configuration without a DH-file. > 1) In such case server will set

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi, On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote: > > Although there is apparently more work to do to get more cipher suites > > working, this does give us a start on working with EC-crypto. Maybe this > > part can go in (once ACK'ed) as 'the start of EC-support', so

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi, On 25-02-14 22:49, Jan Just Keijser wrote: > read up on the original ticket too: > https://forums.openvpn.net/topic8404-30.html > > there's some useful commands/description in there on how to generate > ECDSA certificates. Thanks. I've added support for ECDSA to EasyRSA 3 a little while

[Openvpn-devel] [PATCH] Add ECDH support for OpenSSL builds of OpenVPN

2014-02-25 Thread Steffan Karger
Hi, Thanks to Piotr's contributions on the mailing list I picked up my earlier ECDH work again. I believe they are ready to be reviewed and find their way into master. The following patches add support for ECDH(E) in OpenSSL builds, which in practice means that people are able to use ECDSA

[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-02-25 Thread Steffan Karger
Signed-off-by: Steffan Karger <stef...@karger.me> --- sample/sample-keys/README| 6 ++-- sample/sample-keys/ec-ca.crt | 13 + sample/sample-keys/ec-ca.key | 6 sample/sample-keys/ec-client.crt | 61 sample/sample-k

[Openvpn-devel] [PATCH 1/2] Add support for elliptic curve Diffie-Hellman key exchange (ECDH)

2014-02-25 Thread Steffan Karger
older version do not have all the functions used and would require adding (more) #ifdefs. Signed-off-by: Steffan Karger <stef...@karger.me> --- README.ec | 37 configure.ac | 4 +- doc/openvpn.8 | 14 ++ src/openvpn/

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-26 Thread Steffan Karger
Hi, On 26-02-14 21:04, pietrek -- wrote: > I tested what would happen if any key exchange protocol will be specified. > It works as I expected: connection failed with error: 'no such cipher'. > So session cannot work without ECDH and DH. > Also, if OpenSSL would accept it, it would be an

[Openvpn-devel] [PATCH 1/2] Add openssl-specific common cipher list names to ssl.c.

2014-03-01 Thread Steffan Karger
This adds a number of commonly used cipher list names to ssl.c, which makes OpenVPN not give a "translation not found" warning when using these. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c | 13 + 1 file changed, 13 insertions(+) diff --g

[Openvpn-devel] [PATCH] Clean up --show-tls output for OpenSSL builds

2014-03-01 Thread Steffan Karger
Hi, The following two (small) patches are usability improvements. 1/2 removes some of the warnings OpenVPN-with-OpenSSL issues when a user specifies valid OpenSSL TLS cipher group names with --tls-cipher. PolarSSL does not support group names, so these are not applicable for PolarSSL. 2/2

[Openvpn-devel] [PATCH 2/2] Disable unsupported TLS cipher modes by default, cleans --show-tls output.

2014-03-01 Thread Steffan Karger
This explicitly disables a number of TLS ciphers that OpenVPN currently has no support for. OpenSSL will automatically detect this during negotiation, but --show-tls would erroneously show a number of unsupported ciphers. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/o

Re: [Openvpn-devel] [PATCH] Clean up --show-tls output for OpenSSL builds

2014-03-01 Thread Steffan Karger
Hi, On 01-03-14 16:34, Gert Doering wrote: > On Sat, Mar 01, 2014 at 03:36:13PM +0100, Steffan Karger wrote: >> The following two (small) patches are usability improvements. > > is this master-only, or does it make sense for 2.3 as well? Good point, I forgot to mention: 1/2 Make

Re: [Openvpn-devel] TLS (SSL) handshake upon reconnecting

2014-03-14 Thread Steffan Karger
Hi, On 03/13/2014 10:37 PM, Abdullah Alshalan wrote: > Hi, > I have a few questions about OpenVPN and I would appreciate it if you can answer whatever you can. I'll give it a try. I assume these questions relate to the 'Triple Handshake' attack (https://secure-resumption.com/). I do not understand

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-17 Thread Steffan Karger
Hi, > -Original Message- > From: Gert Doering [mailto:g...@greenie.muc.de] > Sent: Monday 17 March 2014 9:34 > Subject: Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL > context for OpenSSL builds, to disable TLS stateless session > resumption. > > Hi, > > On Sun, Mar 16,

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-17 Thread Steffan Karger
ion. > > On 17/03/14 11:08, Steffan Karger wrote: > > I think this should go into all releases we'll do from now on. > > > > Also, ACK on the patch. Together with SSL_SESS_CACHE_OFF, this seems > > to fully disable TLS session renegotiation and resumption. > > T
