Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Steffan Karger
Hi, > On 17/03/2014 23:23, James Yonan wrote: > > On 17/03/2014 14:29, Gert Doering wrote: > > Right now, if I read configure.ac correct, we require 0.9.6 or later > > (and check this only if pkg-config is available) - but obviously, > > SSL_OP_NO_TICKET was added later on. > > > > Fix 1: only

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Steffan Karger
Hi, On 18/03/2014 14:44, Jan Just Keijser wrote: > On 18/03/14 14:12, David Sommerseth wrote: > > On 18/03/14 10:51, Jan Just Keijser wrote: > >> On 18/03/14 10:39, Steffan Karger wrote: > >>>> On 17/03/2014 23:23, James Yonan wrote: > >>>>

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-23 Thread Steffan Karger
Hi, On Sat, Mar 22, 2014 at 7:35 PM, Gert Doering <g...@greenie.muc.de> wrote: > On Tue, Mar 18, 2014 at 05:40:41PM +0100, Steffan Karger wrote: > > > So it seems I spoke too soon... sorry for the noise, although I must > > > say that I'm still in favour of checking fo

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-23 Thread Steffan Karger
On Sun, Mar 23, 2014 at 1:26 PM, Gert Doering <g...@greenie.muc.de> wrote: > On Sun, Mar 23, 2014 at 10:22:57AM +0100, Steffan Karger wrote: > > ACK. Message looks correct and clear to me. > > Thanks. Committed and pushed as 2cf9d4e3f06f4a61cb6d159728ac6c8a790d6849. >

[Openvpn-devel] [PATCH] Bump minimum OpenSSL version to 0.9.8

2014-03-23 Thread Steffan Karger
OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <stef...@karger.me> --- config

Re: [Openvpn-devel] [PATCH] Fix man page and OSCP script: tls_serial_{n} is decimal

2014-03-31 Thread Steffan Karger
Hi, On Mon, Mar 31, 2014 at 9:42 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: > On 30/03/14 15:46, Gert Doering wrote: > >> Hi, >> >> On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote: >> >>> 3 - Change OpenSSL builds to use hex repres

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-31 Thread Steffan Karger
Hi, On 31-03-14 16:13, Heiko Hund wrote: > On Sunday 23 March 2014 14:27:43 Steffan Karger wrote: >> +AC_EGREP_CPP(have_ssl_op_no_ticket, [ >> +#include > > We just found that this breaks if the openssl headers are in a non-standard > place. The test above sets

Re: [Openvpn-devel] Heartbleed

2014-04-08 Thread Steffan Karger
Hi, On 08/04/2014 13:55, Mike Tancsa wrote: > On 4/8/2014 7:47 AM, Adriaan de Jong wrote: > >> Using the tls-auth option should protect against this vulnerability > (assuming that your tls-auth key is not known to the attacker). > > > >> If you're not using tls-auth and are using a vulnerable

Re: [Openvpn-devel] OpenVPN PolarSSL builds?

2014-04-14 Thread Steffan Karger
Hi, On 04/14/2014 10:28 AM, Gert Doering wrote: > On Mon, Apr 14, 2014 at 11:13:24AM +0300, Samuli Seppänen wrote: >> Currently all of the binary builds we provide[*] are linked to OpenSSL. >> Would having both OpenSSL and PolarSSL builds make sense (e.g. starting >> with 2.4)? > > I think it

Re: [Openvpn-devel] RFD: ssl library version numbers

2014-04-14 Thread Steffan Karger
Hi, On 14-04-14 09:12, Jan Just Keijser wrote: > Gert Doering wrote: >> - if we report it, do we want to report it always (as IV_VER) or only >> if --push-peer-info is set? >> > we're reporting the openvpn version info anyway, so adding the SSL lib > version would not change much; if it is

Re: [Openvpn-devel] RFD: ssl library version numbers

2014-04-18 Thread Steffan Karger
On 04/16/2014 05:24 PM, Gert Doering wrote: > OK, here's the full patch with this version. One minor remark: if you add an extra * to the /* of the comment above get_ssl_library_version(void), the comment becomes a doxygen comment and will be included in the generated doxygen. Otherwise, ACK.

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-21 Thread Steffan Karger
t have plugin tests to really verify everything works... -Steffan From 491fd5e253a62940caafd973377019be1e3164f3 Mon Sep 17 00:00:00 2001 From: Steffan Karger <stef...@karger.me> List-Post: openvpn-devel@lists.sourceforge.net Date: Mon, 21 Apr 2014 11:52:51 +0200 Subject: [PATCH] Update o

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread Steffan Karger
Hi, On 21-04-14 09:10, James Yonan wrote: > For OpenSSL, this means to use TLSv1_(client|server)_method rather > than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags > for specific TLS versions to disable. I'm not sure I understand the rationale behind this. If I don't specify a

[Openvpn-devel] [PATCH] Fix build system to accept non-system crypto library locations for plugins.

2014-04-21 Thread Steffan Karger
Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by the plugins. However, all plugins include openvpn-plugin.h, which need crypto/ssl headers. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/plugins/auth-pam/Makefile.am | 5 +++-- src/plugins/dow

Re: [Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Hi, On 04/23/2014 12:08 PM, Arne Schwabe wrote: > ACK. Thanks for reviewing. Yesterday evening I've been reworking these patches a bit however. I want to have three things resolved: 1) PolarSSL 1.3 is already in master, and supports elliptic curve crypto, so the --show-curves and --ecdh-curve

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Steffan Karger
Hi, On 04/23/2014 10:10 AM, Gert Doering wrote: > On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote: >> It does not appear to be the negotiation, rather it's TLS1.2. > > This is quite cool, thank you. (I'm not enough of a crypto geek to > make real sense out of it, but it's quite

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Steffan Karger
Hi, On 23-04-14 17:36, Timothe Litt wrote: > Just to confirm that the issue is 1.2, not the negotiation: > > I added an unconditional > sslopt |= SSL_OP_NO_TLSv1_2; > in tls_ctx_set_options. > > With this (and the context initialized to SSL_v23_*_method, so we > negotiate), the tunnel

[Openvpn-devel] [PATCH v2] ECDH support (both OpenSSL and PolarSSL now)

2014-04-23 Thread Steffan Karger
Hi, As discussed earlier today, updated patches for ECDH support. See http://article.gmane.org/gmane.network.openvpn.devel/8308 for the previous version. These patches comprise two changes: 1) Because the PolarSSL 1.3 patches have been merged, I updated the code and docs to reflect that

[Openvpn-devel] [PATCH 2/2] Add an elliptic curve testing cert chain to the sample keys

2014-04-23 Thread Steffan Karger
Signed-off-by: Steffan Karger <stef...@karger.me> --- sample/sample-keys/README| 6 ++-- sample/sample-keys/ec-ca.crt | 13 + sample/sample-keys/ec-ca.key | 6 sample/sample-keys/ec-client.crt | 61 sample/sample-k

[Openvpn-devel] [PATCH 1/2] Add support for elliptic curve diffie-hellmann key exchange (ECDH)

2014-04-23 Thread Steffan Karger
do *not* support TLSv1.1 or TLSv1.2, which means that no EC-crypto can be used. Signed-off-by: Steffan Karger <stef...@karger.me> --- README.ec | 35 ++ doc/openvpn.8 | 14 ++ src/openvpn/init.c | 4 +- src/openvpn/options.c

Re: [Openvpn-devel] [PATCH 1/2] Add support for elliptic curve diffie-hellmann key exchange (ECDH)

2014-04-24 Thread Steffan Karger
On 24-04-14 00:43, Steffan Karger wrote: > [ ECDH patch ] ... and attached a v3 of this patch with better debug / warning messages when using an OpenSSL build without EC-crypto. -Steffan From 91bb1da0c2fb385e4a73ef1068c381797bbbe22f Mon Sep 17 00:00:00 2001 From: Steffan Karger

[Openvpn-devel] [PATCH] Fix bug that incorrectly refuses oid representation eku's in polar builds

2014-04-25 Thread Steffan Karger
The return value of x509_get_numeric_string() was interpreted incorrectly by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the usage of oid representation in --remote-cert-eku options. Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com> --- src/o

[Openvpn-devel] [PATCH 1/2] Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.

2014-04-27 Thread Steffan Karger
hash was cast from char * to unsigned char * at the return of the function. This patch removes the implicit cast by declaring hash as unsigned char * . Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_verify_openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 de

Re: [Openvpn-devel] [PATCH 1/2] Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.

2014-04-27 Thread Steffan Karger
On 27-04-14 09:55, Steffan Karger wrote: > hash was cast from char * to unsigned char * at the return of the function. > This patch removes the implicit cast by declaring hash as unsigned char * . Ignore the "1/2". This was meant as a separate patch, but git format-patch added t

[Openvpn-devel] [PATCH 1/2] Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

2014-04-27 Thread Steffan Karger
in hex representation for both crypto library backends. Signed-off-by: Steffan Karger <stef...@karger.me> --- doc/openvpn.8 | 6 ++ src/openvpn/ssl_verify.c | 5 + src/openvpn/ssl_verify_backend.h | 19 +-- src/openvpn/ssl_verify_ope

[Openvpn-devel] [PATCH 2/2] Fix OCSP_check.sh to also use decimal for stdout verification.

2014-04-27 Thread Steffan Karger
This is an extra fix needed on top of 959d607, which already changes the serial parameter to correctly use decimal representation. Signed-off-by: Steffan Karger <stef...@karger.me> --- contrib/OCSP_check/OCSP_check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-27 Thread Steffan Karger
Hi, On 27-04-14 19:53, Gert Doering wrote: > On Mon, Apr 21, 2014 at 01:10:04AM -0600, James Yonan wrote: The > attached patch is what I intend to commit to release/2.3 *only*, > not to master - as agreed at the IRC meeting. "Please ACK" :-)

Re: [Openvpn-devel] [PATCH applied] Re: Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.

2014-04-28 Thread Steffan Karger
Same functionality, slightly different API calls. -Steffan From 52d5f5a76dc70e20da740acd347cbdaab40b60df Mon Sep 17 00:00:00 2001 From: Steffan Karger <stef...@karger.me> List-Post: openvpn-devel@lists.sourceforge.net Date: Mon, 28 Apr 2014 21:50:22 +0200 Subject: [PATCH] Make serial env

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-28 Thread Steffan Karger
Hi, On 27-04-14 22:10, Steffan Karger wrote: > On 27-04-14 19:53, Gert Doering wrote: >> On Mon, Apr 21, 2014 at 01:10:04AM -0600, James Yonan wrote: The >> attached patch is what I intend to commit to release/2.3 *only*, >> not to master - as agreed at the IRC

Re: [Openvpn-devel] [PATCH] Conditionalize calls to print_default_gateway on !ENABLE_SMALL

2014-04-29 Thread Steffan Karger
ACK. -Steffan On 29-04-14 23:09, Gert Doering wrote: > Calls to print_default_gateway() depended on #ifdef ENABLE_DEBUG, > but the actual function wasn't compiled in #ifdef ENABLE_SMALL, so > the combination "configure --enable-small

Re: [Openvpn-devel] [PATCH] Keying Material Exporters [RFC 5705]

2014-05-04 Thread Steffan Karger
Hi Daniel, Sorry for the delay, I've finally found some spare time to dig a bit into your patch. I've not looked at the implementation details yet, just the big picture for now. First of all, I can see exported key material being useful. As a matter of fact, OpenVPN does something similar to

Re: [Openvpn-devel] Is OpenVPN 2.3.4 (community edition) affected by OpenSSL's bug?

2014-05-22 Thread Steffan Karger
Hi, On 21-05-14 18:19, Lisa Minogue wrote: > According to Debian Security Advisory DSA-2931-1 > (http://www.debian.org/security/2014/dsa-2931) a bug in OpenSSL could result > in a denial of service. > > Is OpenVPN 2.3.4 software (community edition, Microsoft Windows, Mac OS, *nix > versions)

Re: [Openvpn-devel] Is OpenVPN 2.3.4 (community edition) affected by OpenSSL's bug?

2014-05-23 Thread Steffan Karger
Hi, On 05/22/2014 11:38 PM, Steffan Karger wrote: > On 21-05-14 18:19, Lisa Minogue wrote: >> According to Debian Security Advisory DSA-2931-1 >> (http://www.debian.org/security/2014/dsa-2931) a bug in OpenSSL could result >> in a denial of service. >> >> Is

[Openvpn-devel] [PATCH] Use SSL_MODE_RELEASE_BUFFERS if available

2014-05-25 Thread Steffan Karger
Hi, Attached a very old patch from trac, rebased onto master and incorporated info from the trac ticket into the commit msg. See: https://community.openvpn.net/openvpn/ticket/157 The change looks sane, and it passes client and loopback tests, so ACK. -Steffan From

[Openvpn-devel] [PATCH] Some crypto_openssl.c cleanup

2014-05-25 Thread Steffan Karger
Hi, The following three patches clean up minor stuff I came along while working in crypto_openssl.c. No functional changes. 1/3 and 2/3 can be applied to master as well as release/2.3, to keep the code differences between 2.3 and 2.4 smaller. I'll send rebased patches for these later on. 3/3

[Openvpn-devel] [PATCH 1/3] Remove function without effect (cipher_ok() always returned true).

2014-05-25 Thread Steffan Karger
Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_openssl.c | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 6199e61..f471eee 100644 --- a/src/openvpn/crypto_openssl.c +++

[Openvpn-devel] [PATCH 3/3] Remove unneeded defines (were needed for pre-0.9.7 OpenSSL).

2014-05-25 Thread Steffan Karger
Since we now require OpenSSL 0.9.8, we don't need these anymore. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_openssl.c | 8 1 file changed, 8 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 22bb7c9..c3480e0

[Openvpn-devel] [PATCH 2/3] Remove unneeded wrapper functions in crypto_openssl.c

2014-05-25 Thread Steffan Karger
Both EVPCipherInit_ov() and EVPCipherUpdate_ov() wrapped OpenSSL functions without any changes, so let's just use the functions directly. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_openssl.c | 20 1 file changed, 4 insertions(+), 16 del

[Openvpn-devel] [PATCH] Some crypto_openssl.c cleanup for release/2.3

2014-05-25 Thread Steffan Karger
Hi, These are 1/3 and 2/3 of the crypto_openssl.c cleanup patches, but rebased and fixed for the release/2.3 branch. -Steffan

[Openvpn-devel] [PATCH 1/2] Remove function without effect (cipher_ok() always returned true).

2014-05-25 Thread Steffan Karger
Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_openssl.c | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1501bc8..6671a42 100644 --- a/src/openvpn/crypto_openssl.c +++

[Openvpn-devel] [PATCH 2/2] Remove unneeded wrapper functions in crypto_openssl.c

2014-05-25 Thread Steffan Karger
Both EVPCipherInit_ov() and EVPCipherUpdate_ov() wrapped OpenSSL functions without any changes, so let's just use the functions directly. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_openssl.c | 20 1 file changed, 4 insertions(+), 16 del

[Openvpn-devel] [PATCH applied] Re: Use SSL_MODE_RELEASE_BUFFERS if available

2014-05-28 Thread Steffan Karger
think it would be worthwhile to get rid of more warnings. -Steffan From 63cd7bba2884cc713118783adfe3f1b20623457d Mon Sep 17 00:00:00 2001 From: Steffan Karger <stef...@karger.me> List-Post: openvpn-devel@lists.sourceforge.net Date: Wed, 28 May 2014 21:40:34 +0200 Subject: [PATCH]

[Openvpn-devel] [PATCH] Add (default disabled) --enable-werror option to configure

2014-05-29 Thread Steffan Karger
Useful for example during development or automated builds, to make the build error out if new warnings are introduced. Signed-off-by: Steffan Karger <stef...@karger.me> --- configure.ac | 10 ++ 1 file changed, 10 insertions(+) diff --git a/configure.ac b/configure.ac index e

Re: [Openvpn-devel] [PATCH 1/7] refine assertion to allow other modes than CBC

2014-05-31 Thread Steffan Karger
ACK (see attached and below for more details). On 03-02-13 14:55, Jan Just Keijser wrote: > Arne Schwabe wrote: >> Am 16.08.12 10:38, schrieb Heiko Hund: >> >>> cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB >>> are used the assertion outlen == iv_len is always false. >>>

[Openvpn-devel] [PATCH 1/5] Use generic openvpn_x509_cert_t in ssl_verify_polarssl.c

2014-06-01 Thread Steffan Karger
For symmetry with ssl_verify_openssl.c and release/2.3 branch. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_verify_polarssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_pola

[Openvpn-devel] [PATCH 2/5] Fix ssl.c, ssl_verify_* includes

2014-06-01 Thread Steffan Karger
* ssl.c: remove three unneeded includes * ssl_verify_polarssl.h: remove two unneeded includes * ssl_verify_openssl.c: add missing ssl_verify_openssl.h and error.h includes, and reorder includes. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c

[Openvpn-devel] [PATCH 4/5] Remove dependency on manage.h from ssl_verify.h

2014-06-01 Thread Steffan Karger
verify_user_pass_enabled() is a function on a tls_session, and belongs in ssl.c. Moving the function removes the dependency on manage.h. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c| 21 - src/openvpn/ssl_verify.

[Openvpn-devel] [PATCH 5/5] Remove unused variable 'proxy' from socket_restart_pause()

2014-06-01 Thread Steffan Karger
Variable 'proxy' was set but never read, so remove it. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/init.c | 10 -- 1 file changed, 10 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 021b5ca..76b1bbe 100644 --- a/src/openvpn/init.c +++

[Openvpn-devel] [PATCH] Fix --disable-ssl builds, were broken by cleanup in 63dc03d.

2014-06-02 Thread Steffan Karger
Wrap ssl_verify.h in "#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)" to make it empty for --disable-ssl builds. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_verify.h | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sr

Re: [Openvpn-devel] [PATCH] Drop incoming fe80:: packets silently now.

2014-06-07 Thread Steffan Karger
ACK Getting rid of useless log messages makes the important ones stand out more, which is great. Maybe put the IPv6 link-local address comment on a single line? -Steffan On 06-06-14 20:43, Gert Doering wrote: > IPv6 has the concept of "link local" addresses, fe80::, which > normally are

[Openvpn-devel] [PATCH] Fix remaining issues with OFB/CFB cipher modes

2014-06-08 Thread Steffan Karger
Hi, OFB and CFB cipher modes have been broken for a long time, see trac ticket #89 (https://community.openvpn.net/openvpn/ticket/89). Commit be46a2c enables support for OFB and CFB again, but leaves some minor problems around. The following patches resolve the remaining issues. Patches 1-3 fix

[Openvpn-devel] [PATCH 1/4] Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.

2014-06-08 Thread Steffan Karger
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers to also show OFB/CFB ciphers along the way (because crypto.h was not included from crypto_openssl.c). Signed-off-by: Steffan Karger <stef...@karger.me> --- configure.ac | 8 src/openvpn/cr

[Openvpn-devel] [PATCH 2/4] Add proper check for crypto modes (CBC or OFB/CFB)

2014-06-08 Thread Steffan Karger
removed that on the go. Also update all cipher mode checks to use the new cipher_kt_mode_*() functions for consistency. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto.c | 36 +++- src/openvpn/crypto.h | 2 -- src/o

[Openvpn-devel] [PATCH 3/4] Improve --show-ciphers to show if a cipher can be used in static key mode

2014-06-08 Thread Steffan Karger
Also remove the bulky warning from init_key_type() and add the information to the --show-ciphers output. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto.c | 4 src/openvpn/crypto_openssl.c | 19 +-- 2 files changed, 13 insertions(

[Openvpn-devel] [PATCH 4/4] Extend t_lpback tests to test all ciphers reported by --show-ciphers

2014-06-08 Thread Steffan Karger
... instead of just BF-CBC. Should catch more mistakes. Signed-off-by: Steffan Karger <stef...@karger.me> --- tests/t_lpback.sh | 30 ++ 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh index 40767a1..c224797

Re: [Openvpn-devel] [PATCH v2] Improve error reporting on file access to --client-config-dir and --ccd-exclusive

2014-06-22 Thread Steffan Karger
ACK Sorry it took so long. Patch looks good, and works as expected for me. -Steffan On 02-05-14 02:28, David Sommerseth wrote: > OpenVPN will do some simple sanity checking at startup to ensure the expected > files and directories are in place. However, with --client-config-dir and >

[Openvpn-devel] [PATCH] configure.ac: fix SSL_OP_NO_TICKET check

2014-06-22 Thread Steffan Karger
Only check for SSL_OP_NO_TICKET if building with --enable-ssl and using openssl. This fixes cross-compiling polarssl builds for Windows (where pkg-config would find the system openssl library, but the cross compiler would not have openssl for the target platform). Signed-off-by: Steffan Karger

[Openvpn-devel] [PATCH] Update README.polarssl

2014-06-24 Thread Steffan Karger
PolarSSL support has been extended and adjusted, but README.polarssl was not accordingly adjusted. This updates README.polarssl to the current state of affairs for OpenVPN 2.3. Signed-off-by: Steffan Karger <stef...@karger.me> --- README.polarssl | 4 +--- 1 file changed, 1 insertion

[Openvpn-devel] [PATCH] Update README.polarssl

2014-06-24 Thread Steffan Karger
PolarSSL support has been extended and adjusted, but README.polarssl was not accordingly adjusted. This updates README.polarssl to the current state of affairs for the master branch. Signed-off-by: Steffan Karger <stef...@karger.me> --- README.polarssl | 4 +--- 1 file changed, 1 insertion

[Openvpn-devel] [PATCH] Fix some typos in the man page

2014-06-28 Thread Steffan Karger
ACK to the attached patch, extracted from the 'version 2' patch supplied by Andris Kalnozols in trac ticket #402. Applies to both release/2.3 and master. -Steffan From ae6e57ffb677cbee90ff55c83c5071d41ede6999 Mon Sep 17 00:00:00 2001 From: Andris Kalnozols List-Post:

Re: [Openvpn-devel] Recently-disclosed LZO vulnerability and OpenVPN's use of LZO

2014-06-29 Thread Steffan Karger
Hi, On 29-06-14 18:09, Jonathan K. Bullard wrote: > A recent _"Lab Mouse Security research blog" entry_ > > claimed > that a bug exists in several implementations of the LZO algorithm > commonly used by OpenVPN and

[Openvpn-devel] [PATCH] Do not upcase x509-username-field for mixed-case arguments.

2014-06-30 Thread Steffan Karger
hpl.hp.com> List-Post: openvpn-devel@lists.sourceforge.net Date: Sat, 28 Jun 2014 19:41:02 +0200 Subject: [PATCH 1/2] Do not upcase x509-username-field for mixed-case arguments. I revisited options.c to refine its brute-force upcasing behavior. Now, the upcasing is done only if the option argument i

[Openvpn-devel] [PATCH] cleanup: remove #if 0'ed function initiate_untrusted_session() from ssl.c.

2014-07-02 Thread Steffan Karger
Has been inside the #if 0 since 'git tree epoch' (sept-2005) and was not referenced, from either code, nor dead code nor comment. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c | 16 1 file changed, 16 deletions(-) diff --git a/src/openvpn/ssl.c

[Openvpn-devel] [PATCH] Don't issue warning for 'translate to self' tls-ciphers

2014-07-03 Thread Steffan Karger
translating these to themselves were added to the translation table. However, to make OpenVPN not still complain, the deprecated-name check has to be reversed from 'if this is a deprecated name then complain' to 'if this is not a iana name, then complain'. Which this commit does. Signed-off-by: Steffan

Re: [Openvpn-devel] Security fix: Patch RSA key length from 4096 to 16384 bits to support enough security for negotiation of AES-256.

2014-07-05 Thread Steffan Karger
Hi, Thank you for sharing your concerns. On 05-07-14 12:46, caritas.mo...@hush.com wrote: > NSA says you have to protect an AES-256 key with RSA/Diffie Hellman 15360 bit. > http://www.nsa.gov/business/programs/elliptic_curve.shtml > > 4096 bit RSA/Diffie Hellman is only secure for AES-128. >

Re: [Openvpn-devel] [PATCH 1/4] Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.

2014-07-07 Thread Steffan Karger
On Mon, Jul 7, 2014 at 10:44 AM, Arne Schwabe <a...@rfc2549.org> wrote: > > Am 08.06.14 18:16, schrieb Steffan Karger: > > Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers > > to also show OFB/CFB ciphers along the way (because crypto.h w

Re: [Openvpn-devel] [PATCH 1/4] Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.

2014-07-07 Thread Steffan Karger
On 07-07-14 10:44, Arne Schwabe wrote: > Am 08.06.14 18:16, schrieb Steffan Karger: >> Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers >> to also show OFB/CFB ciphers along the way (because crypto.h was not >> included from crypto_openssl.c). >

Re: [Openvpn-devel] [PATCH 3/4] Improve --show-ciphers to show if a cipher can be used in static key mode

2014-07-07 Thread Steffan Karger
On 07-07-14 10:54, Arne Schwabe wrote: > Am 08.06.14 18:16, schrieb Steffan Karger: >> Also remove the bulky warning from init_key_type() and add the information >> to the --show-ciphers output. >> > It does what it says but I think most users will be confused about what

Re: [Openvpn-devel] [PATCH 3/4] Improve --show-ciphers to show if a cipher can be used in static key mode

2014-07-07 Thread Steffan Karger
On 07-07-14 19:52, Arne Schwabe wrote: > Am 07.07.14 19:37, schrieb Steffan Karger: >> On 07-07-14 10:54, Arne Schwabe wrote: >>> Am 08.06.14 18:16, schrieb Steffan Karger: >>>> Also remove the bulky warning from init_key_type() and add the information >

Re: [Openvpn-devel] [PATCH 3/4] Improve --show-ciphers to show if a cipher can be used in static key mode

2014-07-07 Thread Steffan Karger
On 07-07-14 20:22, Steffan Karger wrote: > On 07-07-14 19:52, Arne Schwabe wrote: >> Am 07.07.14 19:37, schrieb Steffan Karger: >>> On 07-07-14 10:54, Arne Schwabe wrote: >>>> Am 08.06.14 18:16, schrieb Steffan Karger: >>>>> Also remove t

Re: [Openvpn-devel] [PATCH applied] Re: Extend t_lpback tests to test all ciphers reported by --show-ciphers

2014-07-07 Thread Steffan Karger
Hi, On 07-07-14 22:09, Gert Doering wrote: > Your patch has been applied to the master branch. Thanks. These are actually bugfixes for stuff that should just work in 2.3 too, so I suggest to apply these patches, including the preceding OFB/CFB fix by Heiko

Re: [Openvpn-devel] [PATCH] Fix t_lpback.sh platform-dependent failures

2014-07-08 Thread Steffan Karger
ACK On 08-07-14 16:45, Gert Doering wrote: > commit e97aa06dc058 introduced "full openvpn cipher testing", but fails > on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra > library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite). > > Signed-off-by: Gert Doering

Re: [Openvpn-devel] [PATCH] Do not upcase x509-username-field for mixed-case arguments.

2014-07-09 Thread Steffan Karger
Hi, On 08-07-14 10:16, Kalnozols, Andris wrote: > Thanks, Steffan, for the comments and code cleanup. Your method > is definitely safer and has less clutter. I tested your version > and it works as intended. Great, let's get the patch into git then. > Regarding the "ext:" argument prefix, I

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Steffan Karger
Hi, On 11-07-14 20:17, Jan Just Keijser wrote: > on CentOS 5 I get > > checking for SSL_OP_NO_TICKET flag in OpenSSL... no > configure: error: OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL > > which is logical as the "stock" openssl lib on CentOS 5 is openssl 0.9.8 > ; to me, this breaks

Re: [Openvpn-devel] more SSL_OP_NO_TICKET fallout

2014-07-13 Thread Steffan Karger

Re: [Openvpn-devel] OpenVPN and OpenVPN-NL

2014-07-17 Thread Steffan Karger
Hi, On 07/17/2014 10:15 AM, Lisa Minogue wrote: > I happened to read some information about OpenVPN-NL. > > According to https://openvpn.fox-it.com/background.html a Dutch government > agency is of the opinion that among many other reasons, OpenVPN allows > insecure configurations. > > Would

Re: [Openvpn-devel] OpenSSL in OpenVPN software to be replaced?

2014-07-21 Thread Steffan Karger
Hi Lisa, On Mon, Jul 21, 2014 at 11:35 AM, Lisa Minogue wrote: > do you have plans to replace OpenSSL with PolarSSL or LibreSSL? And how soon > will new bundles of OpenVPN software be released that incorporate OpenSSL > alternatives? OpenVPN is already capable of using

[Openvpn-devel] [PATCH] Fix frame size calculation for non-CBC modes.

2014-07-29 Thread Steffan Karger
). Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto.c | 26 +- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index ef2bde1..2ba8487 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/cr

[Openvpn-devel] [PATCH] Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.

2014-07-29 Thread Steffan Karger
Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/crypto_backend.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index a48ad6c..bc067a7 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/o

Re: [Openvpn-devel] OpenVPN FIPS 140-2 Compliant

2014-08-04 Thread Steffan Karger
Hi Peter, On 04-08-14 16:30, pbar...@netprotec.com wrote: > Anyone out that can take a quick look at this? I am really in a bind on > this one. Unfortunately I don't have any experience with nor time on my hands to dive into building against OpenSSL-FIPS either. Sorry. Enough work to do with

Re: [Openvpn-devel] new OpenSSL Security Advisories

2014-08-07 Thread Steffan Karger
Hi, On 07-08-14 23:11, Mike Tancsa wrote: > Has anyone had a chance to evaluate the latest security issues and how > they might impact OpenVPN ? > > https://www.openssl.org/news/secadv_20140806.txt Yes, announcement on the wiki:

Re: [Openvpn-devel] [PATCH] Do not upcase x509-username-field for mixed-case arguments.

2014-08-09 Thread Steffan Karger
normal operation. For each recognized extension in a certificate, extract_x509_extension() would issue an "ASN1 ERROR: can not handle field type" debug message at verb 2. Reduce that to verb 9 (D_TLS_ERRORS -> D_TLS_DEBUG) and alter the message text accordingly. Signed-off-by: Andris Kal

[Openvpn-devel] [PATCH] Fix compiler warnings in ssl_polarssl.c.

2014-08-18 Thread Steffan Karger
No functional changes, just add missing includes and make casts explicit. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_polarssl.c | 26 +++--- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/src/openvpn/ssl_polarssl.c b/src/o

[Openvpn-devel] [PATCH 1/2] Fix some uninitialized variable warnings

2014-08-20 Thread Steffan Karger
Does not actually change behaviour, but fixes compiler warnings and properly initializing is good habit anyway. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/plugin.c | 2 +- src/openvpn/sig.c| 2 +- src/openvpn/socket.c | 4 ++-- 3 files changed, 4 insertions

[Openvpn-devel] [PATCH] Add option to disable Diffie Hellman key exchange by setting "--dh none"

2014-08-23 Thread Steffan Karger
towards a more secure configuration. Signed-off-by: Steffan Karger <stef...@karger.me> --- doc/openvpn.8 | 15 ++- src/openvpn/options.c | 14 ++ src/openvpn/ssl.c | 5 - 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/doc/openvpn.8

[Openvpn-devel] [PATCH] Remove quadratic complexity from openvpn_base64_decode()

2014-09-04 Thread Steffan Karger
at base64 decoding in openvpn had quadratic complexity. All we really need to know is whether the token is complete, so replace the check to check just that, and make the complexity linear wrt the input length. Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com> --- src/openvpn/base64.c

Re: [Openvpn-devel] OCSP_check.sh fixup

2014-09-25 Thread Steffan Karger
Hi Hubert, On 23-09-14 14:45, Hubert Kario wrote: > There are a few serious issues with the OCSP_check.sh script: > 1. It will accept OCSP responses with bad signatures > 2. It may accept old OCSP responses as currently valid > > detailed description on bug tracker: >

Re: [Openvpn-devel] [PATCH 1/2] ocsp_check - signature verification and cert status results are separate

2014-10-05 Thread Steffan Karger
ACK -Steffan On 26-09-14 12:24, Hubert Kario wrote: > when openssl returns result of parsing and verification of the OCSP > response, the signature verification is separate from the > certificate status, as such it's necessary to check both of

Re: [Openvpn-devel] [PATCH 2/2] ocsp_check - double check if ocsp didn't report any errors in execution

2014-10-05 Thread Steffan Karger
ACK -Steffan On 26-09-14 12:24, Hubert Kario wrote: > in case the responses are too old, ocsp tool can return text like this: > > Response verify OK > ca/cert.pem: WARNING: Status times invalid. > 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status > expired:ocsp_cl.c:358:

[Openvpn-devel] [PATCH] Fix regression with password protected private keys (polarssl)

2014-10-06 Thread Steffan Karger
/polarssl/polarssl/commit/1a7550a -Steffan From 3c6c25b8c2270ad0af71a8837b60ea40ecfe66be Mon Sep 17 00:00:00 2001 From: Steffan Karger <steffan.kar...@fox-it.com> List-Post: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Sep 2014 06:43:48 +0200 Subject: [PATCH (2.3)] Fix regression with

Re: [Openvpn-devel] session-id implementation

2014-10-09 Thread Steffan Karger
Hi Lev, On 02-10-14 13:47, Lev Stipakov wrote: > Apologize for the delay. Patch with review suggestions attached. Thanks for providing the patch, and following up on comments on the list. I've been deferring a reply to your first version, because I wanted to take a thorough look at the code

Re: [Openvpn-devel] Paid Engagement

2014-10-09 Thread Steffan Karger
Hi, On 09-10-14 18:17, Arne Schwabe wrote: >> So, it looks like running rsa_sign with a cert/key pair coming out of >> the cryptostore store is causing some low level openssl problems. >> Don't know how easy it is fix, but most likely it's not inside the >> OpenVPN code... >> > Pretty easy (for

Re: [Openvpn-devel] New OpenVPN bundles for Windows platform that incorporate OpenSSL 1.0.1j

2014-10-18 Thread Steffan Karger
Hi, On 18-10-14 05:40, Илья Шипицин wrote: > how does that affect OpenVPN? > > On Saturday, 18 October 2014, Lisa Minogue wrote: > > SRTP Memory Leak (CVE-2014-3513) > Session Ticket Memory Leak (CVE-2014-3567) Denial-of-service only (no integrity or confidentiality

Re: [Openvpn-devel] [PATCH] Add option to disable Diffie Hellman key exchange by setting "--dh none"

2014-10-18 Thread Steffan Karger
Anyone willing to review / comment? On 23-08-14 18:21, Steffan Karger wrote: > As requested on the mailing list and in trac ticket #410, add an option to > disable 'traditional' Diffie Hellman key exchange. People want to be able > to create ecdh-only configurations. > > Also upd

Re: [Openvpn-devel] Fwd: New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Steffan Karger
Hi, On 21-10-14 21:45, Samuli Seppänen wrote: >> True, this should have been integrated much sooner. We expected >> a 2.4 release early 2014, not "maybe q2 2015" or such, but things >> did not work out the way as planned due to lots of personal >>

[Openvpn-devel] [PATCH] Modernize sample keys and sample configs

2014-10-22 Thread Steffan Karger
* Add 'remote-cert-tls server' to client config * Update config files to deprecate nsCertType in favour of the keyUsage and extendedKeyUsage extensions. * Make naming more consistent Signed-off-by: Steffan Karger <stef...@karger.me> --- sample/sample-config-files/client.conf | 17

Re: [Openvpn-devel] session-id implementation

2014-10-23 Thread Steffan Karger
Hi Lev, On 10/21/2014 09:33 AM, Lev Stipakov wrote: > > Thanks for your comments. I have fixed (1) and (2) - well, reusing > existing code in (2) has fixed also (1). Thanks! Do you have the patch somewhere for us to look at? > Regarding (3) - I don't have much experience in crypto thing, so it

[Openvpn-devel] FW: [PATCH] Fix regression with password protected private keys (polarssl)

2014-10-24 Thread Steffan Karger
Attempt 2, see below. It seems that somehow my previous mail has disappeared from the interwebs, I can't find it in the archives. -Original Message- From: Steffan Karger [mailto:steffan.kar...@fox-it.com] Sent: Monday, 6 October 2014 21:11 To: openvpn-devel@lists.sourceforge.net Subject

Re: [Openvpn-devel] man page and options.c contradict

2014-10-24 Thread Steffan Karger
On 10/24/2014 11:41 AM, Arne Schwabe wrote: > On 24.10.14 11:15, Gert Doering wrote: > And an important distinction is that the p2p mode does not use Diffie > Hellman, meaning that it provides no Perfect Forward Security. No, I think there's another distinction. There's 'static key mode'

[Openvpn-devel] [PATCH] ssl_polarssl.c: fix includes and make casts explicit

2014-10-25 Thread Steffan Karger
-Wall and clang warnings that hide real problems. * changes the type of sha256_hash[] to match what polarssl expects. Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl_polarssl.c | 46 ++ 1 file changed, 26 insertions(+), 20 del
