-by: Vladislav Grishenko
---
src/openvpn/options.c | 24 +---
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8bf82c57..02ac08d8 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5682,16 +5682,26
Hi, Antonio
Thank you for review
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Antonio Quartulli
> Sent: Thursday, September 10, 2020 2:02 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v3
Hi Gert,
Great, many thanks
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday, September 10, 2020 2:23 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: [PATCH applied] Re: Fix best gate
op
w/o additional iteration for metric comparison.
Tested on 5.4.0, 4.1.51 and 2.6.36 kernels.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 47 +-
1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/networking_sit
Sorry, comment typo:
- /* kernel cat return 0.0.0.0/128 host route */
+ /* kernel can return ::/128 host route */
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Vladislav Grishenko
> Sent: Tuesday, September 8, 2020 7:54 AM
> To: openvpn-devel@lists.sou
ough in this form?
>
> I don't really see the need for that but it doesn't break the normal case of
> just
> one remote-srv, so fine with me.
>
> Arne
>
--
Best Regards, Vladislav Grishenko
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Ok, thank you for clarification
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: David Sommerseth
> Sent: Wednesday, September 9, 2020 10:49 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [P
mpty. For IPv6, no behavior is changed - request ::/128 route,
so just clarify the sizes via netlink route api.
Tested on 5.4.0, 4.1.51, 2.6.36 and 2.6.22 kernels.
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/advanced-options.rst | 7 +++--
src/openvpn/networking_sitnl.c
Hi David,
> -Original Message-
> From: David Sommerseth
> Sent: Tuesday, September 8, 2020 6:23 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH] Fix --remote protocol can't be set
> without
> port argume
-username-field support at all.
v2: conform C99, man update, fix typos
v3: reuse buffer methods, drop delimiter define, use memcpy
v4: man update, change delimiter "_" to avoid path issues on windows
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 14 +---
add support for tcp / http proxy (natively)
man update
v4: due RFC 2782 ambiguity, prefer to use all resolved DNS SRV records, even
ones with weight 0 after the records containing weights greater than 0
were all selected, keep related code disabled for historical reasons.
man update
Signe
, not dump along
with specifying correct dst prefix size.
Tested on 5.4.0, 4.1.51 and 2.6.36 kernels.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
tead
better proxy support (tcp mode not supported so far)
log discovery attempts and results, if enabled
v3: complete logic rewrite
use separate --remote-srv [service] [proto] option
remove fallback, same is achieved with additional --remote/--remote-srv
add "auto" prot
Hi Gert,
Thanks for that.
Perhaps same approach can be applied to server's tcp listening, would
require testing of more management cases.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Sunday, October 4, 2020 5:19 PM
> To: Vladisl
Hi Gert,
Thank you.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Monday, October 5, 2020 3:36 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: [PATCH applied] Re: Support X509 field list to be
Hi Gert,
> "--tcp-server"
Yep, mean it, even poll doesn't used there. Have no any prio about it tho,
just related thoughts.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Monday, October 5, 2020 10:28 PM
> To: Vladisl
v7:
- prefer line breaks before long string parameters
- use win32/posix suffixes for query_servinfo
v8:
- rework compatibility with --preresolve and --persist-remote-ip
- fix dns data structures leak on wine/win32
- add priority and weight logging
Signed-off-by: Vladislav
tor in man
capitalize hex serialNumber value
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 21 ++
src/openvpn/init.c | 6 ++--
src/openvpn/options.c| 49 +---
src/openvpn/options.h| 4
Hi Arne,
> From: Arne Schwabe
> Sent: Monday, October 5, 2020 1:26 PM
> Am 05.10.20 um 02:51 schrieb Vladislav Grishenko:
> > OpenVPN has the ability to choose different X509 field in case "CN"
> > can not be use used to be unique
Hi, Arne
Many thanks for the review, please refer to comments inline
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, August 25, 2020 2:10 PM
> Am 25.08.20 um 00:15 schrieb Vladislav Grishenko:
> > DNS SRV (rfc2782) support all
ws/unix-specific parts into extra functions
rename functions into servinfo scope, add doxygen comments when appropriate
remove addrinfo hack, use servinfo containers of addrinfo list instead
better proxy support (tcp mode not supported so far)
log discovery attempts and results, if
t, etc), almost all the required mechanics
is implemented for that.
References:
https://tools.ietf.org/html/rfc2782
https://en.wikipedia.org/wiki/SRV_record
https://sourceforge.net/p/openvpn/mailman/message/34364911/
https://forums.openvpn.net/viewtopic.php?f=10=13660
Signed-off-
kill cn [mode]: Kill the client instance(s) having common name cn.
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Selva Nair
Sent: Friday, August 14, 2020 11:22 PM
To: openvpn-devel
Subject: Re: [Openvpn-devel] [PATCH v2] Allow management to kill client
instances by CN wi
-by: Vladislav Grishenko
---
doc/management-notes.txt | 2 ++
src/openvpn/multi.c | 15 ++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 61daaf07..91073693 100644
--- a/doc/management-notes.txt
+++ b/doc
it in total
Signed-off-by: Vladislav Grishenko
---
src/openvpn/socket.c | 22 +-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 76bdbfc5..049216ff 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1464,13
,
revents=POLLOUT}])
If connection still can't be established - this should be treated as either too
slow/far or non-responding server, so imprecise connection checks every next
one second in loop will be performed as usual.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/socket.c | 20
tput reasons.
This patch implements the first stage only.
v2: move from gettimeofday() (1st way) back to time(), don't check previous
value of "now_usec" in update_usec() instead
v3: recover "now_usec" checks against time jumps within one second, zero it
in update_time(
j code at all -> returned time
will always be monotonic by design.
At least on supported platforms (!_WIN32).
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, September 22, 2020 1:41 PM
> To: Vladislav Grishenko ; openvpn-
th
Since update_time() and openvpn_gettimeofday() calls are mixed in runtime,
to fix their coexistence update_time() must update "now_usec" as well,
calling just update_now() is not enough.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/otime.h | 6 +-
1 file changed, 1 insert
Hi Antonio,
Here's I have aligned the last line to add next new proto, already aligned.
Yes, you’re right “UDPv6” also needs to be aligned, and space needs to be added
for all lines, thank you.
V7 is sent
--
Best Regards, Vladislav Grishenko
> -Original Mess
is
reformatted as well.
v7: prefer line breaks before long string parameters
reformat proto_names array
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c| 3 +-
src/openvpn/options.c | 80 +--
src/openvpn/socket.c | 52
cking the previous and possibly obsolete
value with no performance changes against the current implementation.
This patch implements the second way.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/otime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/otime.c b/s
Thank you a lot,
That "fix for real" is about persist_remote_ip option as far as I
understand, not directly related to this fatal assert fix.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday, September 17, 2020 1:46
ly non-negative value and
management_event_loop_n_seconds() can take negative values to have infinite
wait, if necessary.
Since there were no negative or zero parameter for management_sleep() users, no
side effect behavior change is expected.
Seems, a bit simpler can't be achieved :)
--
Best Regards
=POLLOUT}])
v2: cosmetics, decrease connection_timeout to avoid wait more than it
v3: teach management_sleep() to handle zero timeout and reject negative
use 1s timeout for connection and 0s timeout for management events
Signed-off-by: Vladislav Grishenko
---
src/openvpn/manage.c | 30
Hi, Gert
> > That "fix for real" is about persist_remote_ip option as far as I
> > understand, not directly related to this fatal assert fix.
>
> Well, the whole preresolve / connection entry "complex" is old and has
been
> extended and updated a few times, and your SVR patch also builds on top
cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir
Output example:
Loaded: 309797 revoked certs in 4.136s
Scanned: 312006 files in 0.61s
Created: 475 files in 0.05s
Removed: 2684 files in 0.116s
Signed-off-by: Vladislav Grishenko
---
contrib/extract-crl/extractcrl.py
nges near around.
In this case I had to follow Antonio suggestion about the breaks, previous
version w/o them hasn't passed review.
As for blame, most of git ui tools allows to traverse blame in depth, incl.
tig - console git shell, anyway any refactoring brings the same issue.
--
Best Regards, Vladislav
m with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
v6: pick out code-style conformant changes into separate patch
add more
man update
v5: rebase against upstream with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
Signed-off-by: Vladis
mote == NULL)
Fix this behaviour by cleaning stale addinfo objects.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a785934a..508270a7 100644
--- a/src/openvpn/init.c
+++ b/src/op
mote == NULL)
Fix this behaviour by cleaning stale addinfo objects.
v2: better comment placement and too long length fix
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a78593
man update
v5: rebase against upstream with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
v6: pick out code-style confor
Per https://community.openvpn.net/openvpn/wiki/CodeStyle the maximum line
length is 80 characters. This patch allows to split upcoming changes into
CodeStyle-conformant (w/o real code change) and more feature-specific.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c| 3 ++-
src
Hi, Lev
Thanks for review, I'll make improvements in V2.
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Lev Stipakov
Sent: Wednesday, August 5, 2020 1:29 PM
To: Vladislav Grishenko
Cc: openvpn-devel
Subject: Re: [Openvpn-devel] [PATCH] Log serial number of revoked
ir" mode for better
consistency with crl file (non-dir) mode.
v2: log if serial is not available, require it in crl-verify dir mode
Signed-off-by: Vladislav Grishenko
---
src/openvpn/ssl_verify.c | 14 +++---
src/openvpn/ssl_verify_mbedtls.c | 5 +++--
src/openvpn/ssl_verify_opens
:18:12 2020 127.0.0.1:16001 TLS_ERROR: BIO read
tls_read_plaintext error
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Gert Doering
Sent: Wednesday, August 5, 2020 4:55 PM
To: Vladislav Grishenko
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applied] Re: Log
Tested-By: Vladislav Grishenko
Read-checked with --ignore-space-change, build & tested with sample
server/client profile.
--
Best Regards, Vladislav Grishenko
Tested-By: Vladislav Grishenko
Read-checked with --ignore-space-change, build & tested with sample
server/client profile.
--
Best Regards, Vladislav Grishenko
backend is the only supported at the moment, since so far MbedTLS
has no alt user name support at all.
v2: conform C99, man update, fix typos
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 9 --
src/openvpn/init.c | 4 +--
src/ope
ir" mode for better
consistency with crl file (non-dir) mode.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/ssl_verify.c | 7 ---
src/openvpn/ssl_verify_mbedtls.c | 5 +++--
src/openvpn/ssl_verify_openssl.c | 5 +++--
3 files changed, 10 insertions(+), 7 deletions(-)
'*' as the last trailing
symbol of kill command parameter.
Single '*' wildcard would be too greedy and can be too harmful,
therefore not allowed. Wildcards in the middle of parameter string
are not supported to keep things simple at the moment.
Signed-off-by: Vladislav Grishenko
---
doc/management
OpenVPN has the ability to choose different x509 field in case "CN"
can't be used to be unique connected username since commit
935c62be9c0c8a256112df818bfb8470586a23b6.
Unfortunately it's not enough in case client has multiple and valid
certificates from PKI for different devices (ex. laptop,
backend is the only supported at the moment, since so far MbedTLS
has no alt user name support at all.
v2: conform C99, man update, fix typos
v3: reuse buffer methods, drop delimiter define, use memcpy
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 9 --
src/ope
_x509_get_username() call,
subsequent appending will be done via buffer methods - this way buffer size
will be untied from TLS_USERNAME_LEN.
> C89 style instead C99. The !!i feels weird. It is the same as max(i, 1)
> but less readable.
Yes, sure.
--
Best Regards, Vladislav Grishenko
-
ds were returned,
client will move on to the next connection entry.
v10:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix undefined
AI_NODATA.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Friday, December 4, 2020 7:02 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v9] Add DNS SRV remote host discovery
---
src/openvpn/socket.c | 14 +-
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index bd085e8f..31e8fe9a 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -625,10 +625,8 @@ query_servinfo(const char *domain, int
ds were returned,
client will move on to the next connection entry.
v10:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix undefined
rds were returned,
client will move on to the next connection entry.
v9:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix undefin
Hi Arne,
Thank you for the review and please refer v9 where all the mentioned parts are
handled.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, October 20, 2020 11:58 AM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.
Hello and happy holidays,
Is there a chance to get back to this patch since v9 was acked and minor fix
for undefined EAI_NODATA on FreeBSD was applied?
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Vladislav Grishenko
> Sent: Friday, December 4, 202
ds were returned,
client will move on to the next connection entry.
v12:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix unde
Thanks!
Need to say, implemented "run an openssl binary" internal method is a bit
faster than python-native crl parsing, according our tests and usage
experience.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday,
ds were returned,
client will move on to the next connection entry.
v11:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix unde
feedback regarding the SRV feature.
Would be great, if you could kindly suggest when re-review/merge can be
scheduled if no issue found.
--
Best Regards, Vladislav Grishenko
:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
Reported-By: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 35 ++
1 file changed, 35 insertions
while selecting default route too.
Reported-By: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index
while selecting default route too.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 18 +-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index 2bc70a50..56543648 100644
--- a/src
:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 37 ++
1 file changed, 37 insertions(+)
diff --git a/src
while selecting default route too.
v2: keep gateway address unchanged on lookup error
v3: reduce amount of gateway address copying
Reported-by: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 26 --
1 file changed, 24 insertions(+), 2
:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
v2: keep gateway address unchanged on lookup error
v3: reduce amount of gateway address copying
Reported-by: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src
function remains "buggy" for the other cases.
Buggy here is searching default gateway for 0.0.0.0/0 itself. Other cases are
right from the scratch :)
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Antonio Quartulli
> Sent: Friday, April 16, 2021 7:01
Hi, please refer diff against v14 https://pastebin.com/XA0dWiih
--
Best Regards, Vladislav Grishenko
ad
v12:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix undefined NS_MAXMSG issue on macOS
fix undefined EAI_NODATA issue on Fr
Hi, sure, will do.
Yes, I’ve noticed undesired code dup in v14 and have fixed everything found
in v15 rebase, same will be rechecked in v16 of course.
Thanks!
Wed, 11 Jan 2023 at 01:05, Gert Doering :
> Hi,
>
> On Thu, Dec 29, 2022 at 12:27:46PM +0500, Vladislav Grishenko wrote:
>
> You disable this test here, but you don't add this in any of the
> later checks. So it seems this test is just completely removed when
> using remote-srv?
Right, this check should be moved into options_postprocess_verify_ce_proto()
and seems forgotten, will add it t
Hi, Frank
Observing behavior is not desired, indeed. I'll look into
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Frank Lichtenheld
> Sent: Thursday, December 1, 2022 6:37 PM
> To: Gert Doering
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: