Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-27 Thread James Yonan
On 27/02/2017 18:18, David Sommerseth wrote: > On 27/02/17 23:06, James Yonan wrote: >> On 25/02/2017 08:40, Steffan Karger wrote: > [...snip...] >>> I'd say so. Something like: >>> >>> legacy: RSA 1024+, SHA1+, all curves >>> default: RSA 204

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-27 Thread James Yonan
On 25/02/2017 08:40, Steffan Karger wrote: > On 25-02-17 07:04, James Yonan wrote: >> On 24/02/2017 16:10, Steffan Karger wrote: >>> On 24-02-17 22:28, James Yonan wrote: >>>> On 24/02/2017 02:40, Steffan Karger wrote: >>>>> On 23-02-17 22:41,

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 16:10, Steffan Karger wrote: > Hi, > > On 24-02-17 22:28, James Yonan wrote: >> On 24/02/2017 02:40, Steffan Karger wrote: >>> On 23-02-17 22:41, James Yonan wrote: >>>> On 23/02/2017 01:22, Steffan Karger wrote: >>>>> On 22-02-17 1

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-24 Thread James Yonan
On 24/02/2017 02:40, Steffan Karger wrote: > On 23-02-17 22:41, James Yonan wrote: >> On 23/02/2017 01:22, Steffan Karger wrote: >>> On 22-02-17 19:48, James Yonan wrote: >>>> mbedTLS 2 has a new feature that allows rejection of certificates if the >>>>

Re: [Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-23 Thread James Yonan
On 23/02/2017 01:22, Steffan Karger wrote: > Hi James, > > On 22-02-17 19:48, James Yonan wrote: >> mbedTLS 2 has a new feature that allows rejection of certificates if the >> key size is too small or the signing hash is weak. >> >> The feature is controlled vi

[Openvpn-devel] Should we use mbedTLS certificate profiles?

2017-02-22 Thread James Yonan
mbedTLS 2 has a new feature that allows rejection of certificates if the key size is too small or the signing hash is weak. The feature is controlled via struct mbedtls_x509_crt_profile. For example, you could specify that certificates must be at least 2048 bits and use a SHA-2 signing alg.
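As an added illustration (not code from this thread and not mbedTLS's own source): a self-contained C model of the profile check the post describes. The real mbedtls_x509_crt_profile has the same four fields (allowed_mds, allowed_pks, allowed_curves, rsa_min_bitlen), is filled in with MBEDTLS_X509_ID_FLAG() bitmasks and is applied by mbedtls_x509_crt_verify_with_profile(). The enum names, struct cert_info, the two sample profiles ("legacy" and the "RSA 2048 + SHA-2" policy quoted above) and the sample chains are this example's own constructs, and the decision not to police the trust anchor's self-signature hash is the model's choice, not a statement about what mbedTLS does.

```c
#include <stdint.h>
#include <stddef.h>

/* Algorithm identifiers used by this model (hypothetical; mbedTLS uses
   mbedtls_md_type_t / mbedtls_pk_type_t / mbedtls_ecp_group_id). */
enum md_id    { MD_MD5 = 1, MD_SHA1, MD_SHA224, MD_SHA256, MD_SHA384, MD_SHA512 };
enum pk_id    { PK_RSA = 1, PK_ECDSA };
enum curve_id { CURVE_P256 = 1, CURVE_P384, CURVE_P521 };
#define ID_FLAG(id) (1u << ((id) - 1))   /* same idea as MBEDTLS_X509_ID_FLAG */

/* Same four fields as mbedtls_x509_crt_profile. */
struct crt_profile {
    uint32_t allowed_mds;     /* hashes accepted in certificate signatures */
    uint32_t allowed_pks;     /* key types accepted in certificates */
    uint32_t allowed_curves;  /* curves accepted for EC keys */
    uint32_t rsa_min_bitlen;  /* minimum RSA modulus size */
};

/* What the checker needs from an already parsed certificate. */
struct cert_info {
    const char *subject;
    enum pk_id  pk_type;
    uint32_t    key_bits;   /* RSA modulus length in bits (ignored for EC) */
    uint32_t    curve;      /* enum curve_id for EC keys, 0 for RSA */
    enum md_id  sig_md;     /* hash named in the issuer's signatureAlgorithm */
};

#define SHA2_MDS (ID_FLAG(MD_SHA224) | ID_FLAG(MD_SHA256) | \
                  ID_FLAG(MD_SHA384) | ID_FLAG(MD_SHA512))

/* "legacy": RSA 1024+, SHA-1 and up, all curves. */
const struct crt_profile profile_legacy = {
    ID_FLAG(MD_SHA1) | SHA2_MDS, ID_FLAG(PK_RSA) | ID_FLAG(PK_ECDSA), 0xFFFFFFFFu, 1024 };
/* "default": RSA 2048+, SHA-2 signatures only, all curves. */
const struct crt_profile profile_default = {
    SHA2_MDS, ID_FLAG(PK_RSA) | ID_FLAG(PK_ECDSA), 0xFFFFFFFFu, 2048 };

/* Failure flags, in the spirit of MBEDTLS_X509_BADCERT_BAD_MD/_BAD_PK/_BAD_KEY. */
enum { BADCERT_BAD_MD = 1u << 0, BADCERT_BAD_PK = 1u << 1, BADCERT_BAD_KEY = 1u << 2 };

/* Check one certificate. check_sig is 0 for the trust anchor: its
   self-signature is never verified, so this model does not police its hash. */
uint32_t profile_check_cert(const struct crt_profile *p, const struct cert_info *c, int check_sig)
{
    uint32_t flags = 0;
    if (check_sig && !(p->allowed_mds & ID_FLAG(c->sig_md)))
        flags |= BADCERT_BAD_MD;
    if (!(p->allowed_pks & ID_FLAG(c->pk_type)))
        flags |= BADCERT_BAD_PK;
    if (c->pk_type == PK_RSA && c->key_bits < p->rsa_min_bitlen)
        flags |= BADCERT_BAD_KEY;
    if (c->pk_type == PK_ECDSA && !(p->allowed_curves & ID_FLAG(c->curve)))
        flags |= BADCERT_BAD_KEY;
    return flags;
}

/* Check a chain ordered leaf first, trust anchor last. Returns the OR of all
   failure flags so the caller can log every violation, not only the first. */
uint32_t profile_check_chain(const struct crt_profile *p, const struct cert_info *chain, size_t n)
{
    uint32_t flags = 0;
    for (size_t i = 0; i < n; i++)
        flags |= profile_check_cert(p, &chain[i], i + 1 < n);
    return flags;
}

/* Constructed sample chains (not real certificates). */
const struct cert_info chain_sha1_intermediate[3] = {
    { "CN=client1",         PK_RSA, 2048, 0, MD_SHA256 },
    { "CN=Intermediate CA", PK_RSA, 2048, 0, MD_SHA1   },  /* root signed it with SHA-1 */
    { "CN=Root CA",         PK_RSA, 4096, 0, MD_SHA1   },  /* self-signed: hash not policed */
};
const struct cert_info chain_small_key[2] = {
    { "CN=client2", PK_RSA, 1024, 0, MD_SHA256 },
    { "CN=Root CA", PK_RSA, 4096, 0, MD_SHA256 },
};
const struct cert_info chain_ec[2] = {
    { "CN=client3", PK_ECDSA, 256, CURVE_P256, MD_SHA256 },
    { "CN=Root CA", PK_RSA,  4096, 0,          MD_SHA256 },
};
```

The point the model makes concrete: the same chain passes under "legacy" and fails under "default" solely because of the intermediate's SHA-1 signature, and a 1024-bit client key is rejected by key size even though its signature hash is fine. Whichever profile OpenVPN picks, the rejection should be logged per certificate so an operator can tell which link in the chain needs reissuing.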

Re: [Openvpn-devel] [PATCH 02/10] Added PIP_OPT_MASK for process_ip_header fast exit path.

2016-03-04 Thread James Yonan
On 04/03/2016 02:49, Arne Schwabe wrote: On 04.03.16 at 08:29, James Yonan wrote: On 03/03/2016 16:48, Arne Schwabe wrote: On 03.03.16 at 09:18, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path

Re: [Openvpn-devel] [PATCH 02/10] Added PIP_OPT_MASK for process_ip_header fast exit path.

2016-03-04 Thread James Yonan
On 03/03/2016 16:48, Arne Schwabe wrote: On 03.03.16 at 09:18, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. Basically what this patch does is to change the condition to if (flags

[Openvpn-devel] [PATCH 10/10] Bind to local socket before dropping privileges

2016-03-03 Thread James Yonan
Bind the local TCP/UDP socket before UID/GID downgrade, otherwise we cannot bind to ports < 1024. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/init.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/ini
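Added example, not code from this patch or from OpenVPN: the bind-then-downgrade ordering as a stand-alone C program for POSIX/Linux. bind_udp_local, drop_privileges, start_listener and bound_port are this example's own names. The demo binds an ephemeral port on 127.0.0.1 so it also runs unprivileged; drop_privileges is a no-op unless the process is root, and when it does run it verifies the downgrade stuck.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Step 1: create and bind the local UDP socket while still privileged,
   so that a port below 1024 is still permitted. Returns the fd, or -1. */
int bind_udp_local(const char *ipv4, uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Step 2: the UID/GID downgrade. Supplementary groups first, then the primary
   group, then the user: after setuid() the other two calls would fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0)
        return 0;                         /* not root: nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    /* Dropping to a non-root user: a successful setuid(0) here would mean
       the real/saved uid was left behind and the drop did not stick. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The ordering this patch establishes: bind first, downgrade second.
   The descriptor survives the downgrade; only new bind() calls are restricted. */
int start_listener(const char *ipv4, uint16_t port, uid_t uid, gid_t gid)
{
    int fd = bind_udp_local(ipv4, port);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the port actually bound (needed when 0 was requested). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    return ntohs(sa.sin_port);
}

int main(void)
{
    /* Demo: ephemeral port and the current uid/gid so it runs unprivileged.
       A real deployment passes the configured port and an unprivileged uid/gid. */
    int fd = start_listener("127.0.0.1", 0, getuid(), getgid());
    if (fd < 0) {
        perror("start_listener");
        return 1;
    }
    printf("bound 127.0.0.1:%d, now running as uid %u\n", bound_port(fd), (unsigned)getuid());
    close(fd);
    return 0;
}
```

Swapping the two steps reproduces the failure the commit message describes: once the process is no longer root, bind() on a port below 1024 fails with EACCES, while a socket bound beforehand keeps working.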

[Openvpn-devel] [PATCH 09/10] Added directive to specify HTTP proxy credentials in config.

2016-03-03 Thread James Yonan
The inline directive http-proxy-user-pass can be used to specify proxy credentials in config, e.g.: http-proxy proxy.tld 3128 auto-nct foo bar This usage is already supported by OpenVPN 3. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/misc.c| 8 src/o

[Openvpn-devel] [PATCH 08/10] Added ./configure flag to disable user-defined scripts.

2016-03-03 Thread James Yonan
er-defined scripting */ #define ENABLE_SCRIPTS 1 or disabled by ensuring that ENABLE_SCRIPTS is undefined. If ENABLE_SCRIPTS is undefined, OpenVPN will log "[NOSCRIPTS]" in the initial version info line. This patch assumes that script_security defaults to SSEC_BUILT_IN or less. Signed-off

[Openvpn-devel] [PATCH 07/10] Implemented x509-track for PolarSSL.

2016-03-03 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl_verify_polarssl.c | 166 ++ src/openvpn/syshead.h | 2 +- 2 files changed, 167 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/o

[Openvpn-devel] [PATCH 06/10] PolarSSL x509_get_sha1_hash now returns correct SHA1 fingerprint.

2016-03-03 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl_verify_polarssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c index e87d2e2..9d0d086 100644 --- a/src/openvpn/ssl_verify_pola

[Openvpn-devel] [PATCH 05/10] Extended x509-track for OpenSSL to report SHA1 fingerprint.

2016-03-03 Thread James Yonan
For example: x509-track "+SHA1" will extract the SHA1 fingerprints for all certs in the peer chain. This patch is ported from OpenVPN 2.1. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl_verify_openssl.c | 114 +-- 1

[Openvpn-devel] [PATCH 04/10] Added flags parameter to format_hex_ex.

2016-03-03 Thread James Yonan
the generated hex string in upper case. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/buffer.c | 11 +++ src/openvpn/buffer.h | 4 +++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index bc67d65..52c6ab9

[Openvpn-devel] [PATCH 03/10] tls_serial_{n} value should be distinguishable as hex or decimal.

2016-03-03 Thread James Yonan
nSSL returns decimal serial numbers. RFC 5280, published in 2008, decrees that serial numbers can be up to 20 bytes long, hence it is necessary to support SSL libraries that return the serial number as a hex string. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl_verify

[Openvpn-devel] [PATCH 02/10] Added PIP_OPT_MASK for process_ip_header fast exit path.

2016-03-03 Thread James Yonan
Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. Merged from OpenVPN 2.1 Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/forward.c | 8 +--- src/openvpn/forward.h | 4 +++- 2 files c

[Openvpn-devel] [PATCH 01/10] Added "remote-override" config directive.

2016-03-03 Thread James Yonan
remote-override -- replace the hostname in all remote directives with alt-remote. Merged from OpenVPN 2.1 Signed-off-by: James Yonan <ja...@openvpn.net> --- doc/openvpn.8 | 5 + src/openvpn/options.c | 8 +++- src/openvpn/options.h | 2 ++ 3 files changed, 14 insertions

[Openvpn-devel] --block-outside-dns speed

2016-02-16 Thread James Yonan
Has anyone seen issues with --block-outside-dns speed? Because this approach drops certain DNS packets, I'm wondering if apps will experience lag time while waiting for dropped DNS requests to time out. James

Re: [Openvpn-devel] [PATCH v7-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-04 Thread James Yonan
These may have been fixed by now, but I noticed some issues in the original patch that was discussed in the OpenVPN-devel IRC meeting several weeks ago. * win_adapter_index_to_luid is declared to return a NET_LUID but not all code paths return a value. * wcscat(svchostpath, L"\\svchost.exe")

Re: [Openvpn-devel] Adding a ctrl-C handler in windows

2015-11-09 Thread James Yonan
On 09/11/2015 00:38, Samuli Seppänen wrote: Hi, I plan to add a control-C handler in win32.c. The handler will simply map it to SIGTERM. Is there any particular reason why control-C is not currently handled? Hi, I forwarded this email to James - he might have a clue. Currently the

Re: [Openvpn-devel] OpenVPN protocol extensions update

2015-01-09 Thread James Yonan
ix: http://thread.gmane.org/gmane.network.openvpn.devel/9386 which is waiting for an ACK. Otherwise implementation is pretty much in line with your spec. Great, thanks. James -Lev 2015-01-07 2:08 GMT+02:00 James Yonan <ja...@openvpn.net>: I've updated the OpenVPN protocol extension doc

[Openvpn-devel] OpenVPN protocol extensions update

2015-01-07 Thread James Yonan
I've updated the OpenVPN protocol extension doc with additional details, now that more of these features have been implemented in OpenVPN 3. If you are implementing any of these features in OpenVPN 2.x, please review so we can ensure that OpenVPN 2.x and 3 are on the same page with respect to

[Openvpn-devel] OpenVPN Protocol extensions

2014-11-13 Thread James Yonan
In addition to the Peer-ID/DATA_V2 protocol change proposal, here are a couple more proposed extensions for AEAD mode and Compression V2 that we can discuss at the upcoming Munich hackathon. James OpenVPN Protocol extensions 1. DATA_V2 opcode with 24-bit peer ID 2. AEAD mode To support
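Added example, not from the proposal document or OpenVPN's source: encoding and parsing the DATA_V2 header in C. The 5-bit opcode / 3-bit key-id split of the first byte, the numeric opcode values (P_DATA_V1 = 6, P_DATA_V2 = 9) and the all-ones "no peer id" value are taken from OpenVPN 2.x's ssl.h, not from this post; struct data_hdr and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* First byte of every OpenVPN packet: opcode in the high 5 bits, key id in
   the low 3. Values are those of OpenVPN 2.x ssl.h (assumption: not stated here). */
#define P_OPCODE_SHIFT  3
#define P_KEY_ID_MASK   0x07u
#define P_DATA_V1       6u          /* legacy data packet: 1-byte header */
#define P_DATA_V2       9u          /* data packet with 24-bit peer id: 4-byte header */
#define PEER_ID_NONE    0xFFFFFFu   /* all ones: "no peer id" (MAX_PEER_ID) */
#define DATA_V2_HDR_LEN 4

struct data_hdr {
    unsigned opcode;
    unsigned key_id;
    uint32_t peer_id;   /* PEER_ID_NONE for DATA_V1 */
    size_t   hdr_len;   /* offset at which the encrypted payload begins */
};

/* Sender: emit a DATA_V2 header. Returns bytes written, 0 on bad input. */
size_t data_v2_write(uint8_t *out, size_t cap, unsigned key_id, uint32_t peer_id)
{
    if (cap < DATA_V2_HDR_LEN || key_id > P_KEY_ID_MASK || peer_id > PEER_ID_NONE)
        return 0;
    out[0] = (uint8_t)((P_DATA_V2 << P_OPCODE_SHIFT) | key_id);
    out[1] = (uint8_t)(peer_id >> 16);   /* 24-bit id, big-endian */
    out[2] = (uint8_t)(peer_id >> 8);
    out[3] = (uint8_t)(peer_id);
    return DATA_V2_HDR_LEN;
}

/* Legacy sender: DATA_V1 carries only the opcode/key-id byte. */
size_t data_v1_write(uint8_t *out, size_t cap, unsigned key_id)
{
    if (cap < 1 || key_id > P_KEY_ID_MASK)
        return 0;
    out[0] = (uint8_t)((P_DATA_V1 << P_OPCODE_SHIFT) | key_id);
    return 1;
}

/* Receiver: classify a data packet. Returns 0 and fills h, or -1 when the
   packet is truncated or does not carry a data opcode (control packets are
   handled elsewhere). Nothing here is authenticated: the peer id only selects
   which session's keys to try; the HMAC/AEAD tag on the payload decides
   whether the packet is genuine and whether the source address may float. */
int data_hdr_parse(const uint8_t *pkt, size_t len, struct data_hdr *h)
{
    if (len < 1)
        return -1;
    h->opcode = pkt[0] >> P_OPCODE_SHIFT;
    h->key_id = pkt[0] & P_KEY_ID_MASK;
    if (h->opcode == P_DATA_V1) {
        h->peer_id = PEER_ID_NONE;
        h->hdr_len = 1;
        return 0;
    }
    if (h->opcode == P_DATA_V2) {
        if (len < DATA_V2_HDR_LEN)
            return -1;
        h->peer_id = ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
        h->hdr_len = DATA_V2_HDR_LEN;
        return 0;
    }
    return -1;
}
```

Usage: a server that receives a DATA_V2 packet looks up the session by h.peer_id, authenticates the payload starting at h.hdr_len with that session's keys, and only then updates the peer's remote address. Key id 2 with peer id 0x0A0B0C produces the header bytes 4A 0A 0B 0C.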

[Openvpn-devel] [PATCH 6/6] Fixed some compile issues with show_library_versions()

2014-05-08 Thread James Yonan
() as returning const char *, to avoid loss of const qualifier in ssl_openssl.c. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/options.c | 15 +-- src/openvpn/options.h | 2 ++ src/openvpn/ssl_backend.h | 2 +- src/openvpn/ssl_openssl.c | 2 +- src/o

[Openvpn-devel] [PATCH 5/6] Define PATH_SEPARATOR for MSVC builds.

2014-05-08 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- config-msvc.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config-msvc.h b/config-msvc.h index 9a95ae6..fa99384 100644 --- a/config-msvc.h +++ b/config-msvc.h @@ -76,6 +76,9 @@ #define HAVE_OPENSSL_ENGINE 1 +#define PATH_SEP

[Openvpn-devel] [PATCH 4/6] MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.

2014-05-08 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl_openssl.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 481600a..d845fd7 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/o

[Openvpn-devel] [PATCH 3/6] Explicitly cast the third parameter of setsockopt to const void * to avoid warning.

2014-05-08 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/socket.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 4e7e7f8..793cd9f 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -1023,7 +1023,7 @@

[Openvpn-devel] [PATCH 2/6] In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror.

2014-05-08 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/socket.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 7ff14cc..6e68c18 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -1150,7 +

[Openvpn-devel] [PATCH 1/6] Fixed several instances of declarations after statements.

2014-05-08 Thread James Yonan
Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/init.c | 10 ++ src/openvpn/socket.c | 2 +- src/openvpn/win32.c | 6 +++--- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52d370b..3fb 100644 ---

[Openvpn-devel] MSVC Fixes for 2.3

2014-05-08 Thread James Yonan
This series of patches is for the 2.3 branch and fixes MSVC compile issues. Some of these may be applicable to master as well, though I haven't checked yet. James

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-30 Thread James Yonan
On 28/04/2014 15:19, Steffan Karger wrote: Hi, On 27-04-14 22:10, Steffan Karger wrote: On 27-04-14 19:53, Gert Doering wrote: On Mon, Apr 21, 2014 at 01:10:04AM -0600, James Yonan wrote: The attached patch is what I intend to commit to release/2.3 *only*, not to master - as agreed at the IRC

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread James Yonan
On 23/04/2014 18:22, Timothe Litt wrote: I don't see that cryptoapi.c has been updated to work with TLS 1.2. Yes, just came to the same conclusion. Long-term the key-loaders need to get updated. Maybe short-term the options that invoke them could force NO_TLSv_1_2... That would make things

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread James Yonan
On 23/04/2014 17:21, Timothe Litt wrote: On 23-Apr-14 16:06, Steffan Karger wrote: I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces. Sent off-list. I've been trying to reproduce the error. I grabbed my

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-23 Thread James Yonan
On 23/04/2014 04:17, Arne Schwabe wrote: On 21.04.14 21:26, James Yonan wrote: On 21/04/2014 05:27, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags

Re: [Openvpn-devel] [PATCH 1/4] Added "remote-override" config directive.

2014-04-21 Thread James Yonan
On 21/04/2014 05:33, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: remote-override -- replace the hostname in all remote directives with alt-remote. Just a question. How does remote-override differ from ip-remote-hint? Both options seem to have the same effect aside from very

Re: [Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-21 Thread James Yonan
On 21/04/2014 05:27, Arne Schwabe wrote: On 21.04.2014 09:10, James Yonan wrote: Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. I haven't look at the code but if remember correctly, this method does

Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread James Yonan
On 21/04/2014 05:49, Gert Doering wrote: Hi, On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote: Yes. But with this patch it is always turned off, keeping OpenVPN in 99% of installations in TLS 1.0. Is there any other known case where it breaks aside from the Tomato OpenVPN client?

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-21 Thread James Yonan
On 19/04/2014 08:33, Steffan Karger wrote: Hi, On 04/18/2014 02:49 PM, Steffan Karger wrote: On 04/17/2014 09:41 PM, James Yonan wrote: I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part. Wouldn't this always be true for reasonable values of hashlen and asn_len? This sho

[Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach.

2014-04-21 Thread James Yonan
ciphersuites. Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/ssl.c | 4 ++-- src/openvpn/ssl_backend.h | 15 +-- src/openvpn/ssl_openssl.c | 31 ++- src/openvpn/ssl_polarssl.c | 43 +++ 4

[Openvpn-devel] [PATCH 3/4] Use native strtoull() with MSVC 2013.

2014-04-21 Thread James Yonan
MSVC 2013 C library now defines strtoull() function, so use the native implementation when available. Signed-off-by: James Yonan <ja...@openvpn.net> --- config-msvc.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config-msvc.h b/config-msvc.h index 99c00f9..9a95ae6 100644 --- a/

[Openvpn-devel] [PATCH 2/4] Added PIP_OPT_MASK for process_ip_header fast exit path.

2014-04-21 Thread James Yonan
Define PIP_OPT_MASK to represent all flags of interest to process_ip_header, so that it can have a fast exit path if no flags are set. Merged from OpenVPN 2.1 Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/forward.c | 6 +- src/openvpn/forward.h | 4 +++- 2 files chan

[Openvpn-devel] [PATCH 1/4] Added "remote-override" config directive.

2014-04-21 Thread James Yonan
remote-override -- replace the hostname in all remote directives with alt-remote. Merged from OpenVPN 2.1 Signed-off-by: James Yonan <ja...@openvpn.net> --- src/openvpn/options.c | 7 ++- src/openvpn/options.h | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git

[Openvpn-devel] x509-track for PolarSSL

2014-04-17 Thread James Yonan
Just wondering if anyone has looked at implementing x509-track for PolarSSL? James

Re: [Openvpn-devel] [PATCH] PolarSSL 1.3

2014-04-17 Thread James Yonan
On 27/02/2014 12:40, steffan.kar...@fox-it.com wrote: Hi, The attached patches add support for PolarSSL 1.3. These patches are for master only, as they drop support for PolarSSL 1.2. Supporting both versions would require a lot of #ifdef's, so I opted for dropping 1.2. Along with PolarSSL 1.3

Re: [Openvpn-devel] [PATCH] Fix man page and OCSP script: tls_serial_{n} is decimal

2014-04-17 Thread James Yonan
ftware can distinguish it. This very simple patch does that. James >From a8f0d219d4edd1e95520cc40d27a0cd79cace2c2 Mon Sep 17 00:00:00 2001 From: James Yonan <ja...@openvpn.net> List-Post: openvpn-devel@lists.sourceforge.net Date: Wed, 16 Apr 2014 21:29:42 -0600 Subject: [PATCH] tls_seri

[Openvpn-devel] possible socks authentication issue?

2014-04-17 Thread James Yonan
Someone on the Tor lists is claiming that OpenVPN isn't implementing SOCKSv5 authentication correctly: https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html Any ideas? James

Re: [Openvpn-devel] [PATCH] Fix man page and OCSP script: tls_serial_{n} is decimal

2014-04-01 Thread James Yonan
On 30/03/2014 07:46, Gert Doering wrote: Hi, On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote: 3 - Change OpenSSL builds to use hex representation I tend toward this one - user visible behaviour shouldn't change (unless unavoidable) depending on SSL library used. So for me

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-17 Thread James Yonan
On 17/03/2014 14:29, Gert Doering wrote: Hi, On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote: However, even with the above code, stateless session resumption is still possible unless explicitly disabled with the SSL_OP_NO_TICKET flag. This patch does this. This actually raises

[Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-17 Thread James Yonan
OpenVPN doesn't want or need SSL session renegotiation or resumption, as it handles renegotiation on its own. For this reason, OpenVPN always disables the SSL session cache: SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF) However, even with the above code, stateless session resumption

Re: [Openvpn-devel] Adding support for AEAD cipher modes (AES-GCM, et al.)

2013-08-27 Thread James Yonan
On 18/06/2013 01:23, Joachim Schipper wrote: Joachim Schipper wrote [I'm continuing my own message here]: -Original Message- From: Kenny Root [mailto:ke...@the-b.org] Sent: Tuesday 4 June 2013 2:15 To: openvpn-devel@lists.sourceforge.net Subject: [Openvpn-devel] Adding support for AEAD

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-04 Thread James Yonan
We've recently merged some patches allowing OpenVPN to negotiate certain settings (such as compression), but unfortunately at this time neither cipher nor auth directives can be negotiated in the 2.x branch. The 3.0 branch has fixed this somewhat by having the client support cipher and auth

[Openvpn-devel] [PATCH] MSVC fixes

2013-07-28 Thread James Yonan
Fixes to allow compilation with Microsoft Visual Studio 2008 * Fixed several instances of declarations after statements. * In socket.c, fixed issue where uninitialized value (err) is being passed to gai_strerror. * ssl.c is trying to access multi_output_peer_info_env function in multi.c,

[Openvpn-devel] [PATCH] TLS versioning

2013-06-24 Thread James Yonan
This is the TLS versioning patch as discussed in last Thursday's IRC meeting. It combines these two patches: https://github.com/jamesyonan/openvpn/commit/03a5599202bdc3ba07983dc4efdae387fb8fb436 https://github.com/jamesyonan/openvpn/commit/d23005413b0e0f28a3c48a6342f494763d5c9b40 James diff

Re: [Openvpn-devel] OpenVPN Versioning

2013-06-19 Thread James Yonan
On 18/06/2013 01:41, Joachim Schipper wrote: From: James Yonan <ja...@openvpn.net>: On 14/06/2013 02:47, Joachim Schipper wrote: >From James Yonan <ja...@openvpn.net>: TLS Protocol Since day 1, OpenVPN has used TLS 1.0 as a control channel and key exchange mechani

Re: [Openvpn-devel] OpenVPN Versioning

2013-06-19 Thread James Yonan
On 17/06/2013 01:58, Steffan Karger wrote: On 06/14/2013 09:53 PM, James Yonan wrote: To get the adaptive versioning behavior in OpenSSL, you have to use SSLv23_server_method() or SSLv23_client_method() and then explicitly disable the versions you don't want to consider, i.e. SSL_OP_NO_SSLv2

Re: [Openvpn-devel] OpenVPN Versioning

2013-06-12 Thread James Yonan
On 12/06/2013 15:08, Arne Schwabe wrote: On 12.06.13 21:38, James Yonan wrote: About finding out which cipher client and server use. I am not really familiar with this code so forgive my stupid question. TLS somehow also does this "select the best cipher to use" dance. Why ca

Re: [Openvpn-devel] [Openvpn-users] OpenVPN client released for iOS

2013-01-20 Thread James Yonan
On 18/01/2013 15:31, Marcel Pennewiß wrote: On Wed, 16 Jan 2013 21:48:23 -0700 James Yonan <ja...@openvpn.net> wrote: The client is based on the new C++ OpenVPN core that is also used in the OpenVPN Connect client for Android. The C++ core is a portable, lightweight class library for bu

[Openvpn-devel] OpenVPN client released for iOS

2013-01-17 Thread James Yonan
Just wanted to let everyone know that the OpenVPN Connect client for iOS has just been released and is now available in the app store. This is an official Apple-sanctioned OpenVPN client developed by OpenVPN Technologies in collaboration with Apple. The client is based on the new C++ OpenVPN

[Openvpn-devel] OpenVPN and BEAST

2011-09-21 Thread James Yonan
We've gotten some questions about whether OpenVPN is vulnerable to the "BEAST" exploit. At the time of this writing, the details of the "BEAST" exploit haven't been released yet, but the general consensus is that it exploits the known-IV weakness in SSL and TLS 1.0 that is discussed by Bard

[Openvpn-devel] OpenVPN and SSL vulnerability CVE-2010-3864

2010-11-19 Thread James Yonan
Regarding the recently discovered SSL vulnerability CVE-2010-3864, OpenVPN should not be affected because it is single-threaded. James

[Openvpn-devel] Alternatives to tapinstall?

2010-10-21 Thread James Yonan
I would be interested to know if anyone has succeeded in using alternative approaches to install the windows TAP driver (other than using tapinstall/devcon). In particular, has anyone tried using the Difx API? This posting seems to indicate that people have succeeded along these lines, but I

[Openvpn-devel] OpenVPN version 2.1.2 released

2010-08-16 Thread James Yonan
2010.08.09 -- Version 2.1.2 * Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\

[Openvpn-devel] ESET Smart Security interferes with TAP driver install

2010-04-22 Thread James Yonan
I've observed a case on Windows Server 2008R2 where an antivirus product called ESET Smart Security prevents install of the TAP driver. The net effect in tapinstall (devcon) is that UpdateDriverForPlugAndPlayDevices returns error code 1450 (ERROR_NO_SYSTEM_RESOURCES). Apparently ESET

Re: [Openvpn-devel] Supporting "route-gateway dhcp" on non-Windows

2010-03-09 Thread James Yonan
r 08, 2010 at 08:21:35AM -0700, James Yonan wrote: (2) Complex method: Write code in OpenVPN to simulate a DHCP client, then translate the settings received in the DHCP reply to OpenVPN push-style directives (such as ifconfig, route, etc.) as if they had been pushed by the OpenVPN server. ...

Re: [Openvpn-devel] [PATCH] IPv6 support for TUN/TAP driver on windows

2010-03-08 Thread James Yonan
- how does one debug Windows drivers? Is there a printf() as in Linux that goes to console / syslog? I have not yet figured out that part. I did my debugging with Wireshark ("see what packets move back and forth and stare at the packet details"). While Windows doesn't support "printf"

[Openvpn-devel] Linux tun/tap performance issues

2010-03-08 Thread James Yonan
I believe this has been discussed before, but I noticed recently that a Linux-based OpenVPN client (Linux 2.6.24, OpenVPN 2.1.1) spends a lot more CPU time in kernel space than in user space. This is surprising, given the fact that all of the CPU-intensive cryptographic operations are being

[Openvpn-devel] Supporting "route-gateway dhcp" on non-Windows

2010-03-08 Thread James Yonan
OpenVPN 2.1 has a relatively recent feature that allows a TAP-based OpenVPN session to be established where the client gets its IP address assignment and other attributes from the server-side DHCP server. The feature is enabled by the "route-gateway dhcp" directive on the client. It's a

Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-12-12 Thread James Yonan
Davide Brini wrote: On Friday 11 December 2009, James Yonan wrote: Try adding the "nobind" directive to your client config file. I think this will solve the problem. That seems indeed to do it. Thank you very much! However, never in my life could I have imagined that th

Re: [Openvpn-devel] Building the TAP drivers from source and then signing them (possible?)

2009-12-11 Thread James Yonan
Jon Onstott wrote: Hello, I am compiling OpenVPN and the TAP driver from source and would like the TAP driver to be signed so that it installs correctly on Vista (and doesn't pop-up warning dialog boxes). I noticed that the configure scripts attempt to do that if "signtool" is defined. Is

Re: [Openvpn-devel] OpenVPN project organization [WAS: Introducing OpenVPN Community Manager]

2009-12-11 Thread James Yonan
Karl O. Pinc wrote: On 12/10/2009 04:39:57 AM, Samuli Seppänen wrote: David Sommerseth wrote: I believe James have received several patches in the past from people on the mailing list - or directly. They will either include patches into their own source trees, or kick them back

Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-12-11 Thread James Yonan
2 at 04:15 -0700, James Yonan wrote: Are you using the --multihome option? Sorry to jump in here, but I've run into a weird behavior when using multihome in all versions, up to rc15 (I haven't tried later versions, but I guess that it would be the same thing since I don't see anythi

Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-12-11 Thread James Yonan
where I found it (after you let me know about it) was with openvpn --help. Thank you, I'll try it. BTW, why is it not by default? Regards, Olaf On Thu, 2009-11-12 at 04:15 -0700, James Yonan wrote: Are you using the --multihome option? James, this option is not documented in the man pages

[Openvpn-devel] Prebuilt tarball available for 2.1_rc22

2009-11-20 Thread James Yonan
http://openvpn.net/prebuilt/2.1_rc22-prebuilt.tbz

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-12 Thread James Yonan
Victor Wagner wrote: > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > >> Can you submit a patch (as an email attachment) with this fix? > Attached > > This patch also contains X509_NAME_oneline replacement, which handles > MSB characters. > > I've not checked

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread James Yonan
thought I must be missing something. So if OpenVPN always uses a new session, what would be the point of adding an option to disable renegotiation at the server side? Cheers, Dunc James Yonan wrote: OpenVPN uses a fresh SSL/TLS session for each of its mid-session renegotiations. This means

[Openvpn-devel] OpenVPN 2.1_rc21 released

2009-11-12 Thread James Yonan
This release is to respond to the OpenSSL vulnerability CVE-2009-3555. Some people have worried that the fix made to OpenSSL to address this vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's session renegotiation capability. This is not the case. OpenVPN does not rely on

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread James Yonan
OpenVPN uses a fresh SSL/TLS session for each of its mid-session renegotiations. This means that when you see: TLS: soft reset sec=0 bytes=314/0 pkts=6/0 OpenVPN is actually creating a brand new SSL/TLS session. So the important point here is that OpenVPN does not rely on the session

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread James Yonan
The Zep Man wrote: Dear openvpn-devel list, OpenVPN supports verification of a username/password combination on the server-side by parsing these to a 'script' using auth-user-pass-verify'. With this, it is possible to use a file ('via-file') or environment variables ('via-env') to parse the

[Openvpn-devel] OpenVPN 2.1_rc20 released

2009-10-02 Thread James Yonan
2009.10.01 -- Version 2.1_rc20 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Fixed build problem when ./configure --disable-server is used. * Fixed ifconfig command

Re: [Openvpn-devel] [PATCH] Post-initialization SELinux support for OpenVPN

2009-08-19 Thread James Yonan
Sebastien Raveau wrote: Hi everybody! OpenVPN already has support for dropping privileges and confining itself to a directory *after* startup (thanks to calls like setgid, setuid and chroot) which makes for much better management than if you had to respectively start OpenVPN unprivileged and

Re: [Openvpn-devel] PATCH 2.1-RC*: critical fix for FreeBSD 8 in topology subnet mode.

2009-08-19 Thread James Yonan
Thanks Stefan and Matthias. I've committed the patch. James Matthias Andree wrote: Hi Jim, there has been a recent change in FreeBSD 8 BETA that will break OpenVPN 2.1's "topology subnet" mode by (rightfully!) rejecting the ifconfig command we're currently using (which incorrectly sets the

Re: [Openvpn-devel] OpenVPN 2.1_rc19 released

2009-07-16 Thread James Yonan
Matthias Andree wrote: James Yonan schrieb: 2009.07.16 -- Version 2.1_rc19 ... * In configure.ac, use datadir instead of datarootdir for compatibility with Dear Jim, This is backwards. Please don't do that, but revert that change and instead update the argument of AC_PREREQ

[Openvpn-devel] OpenVPN 2.1_rc19 released

2009-07-16 Thread James Yonan
This release fixes an issue with the Windows TAP driver that can cause BSODs on Vista (normally seen in the OpenVPN client). The problem is that Windows has always restricted kernel threads to a very small stack size (12KB on x86 32-bit). If they go over this limit, Windows will crash with a

Re: [Openvpn-devel] Packet filtering in OpenVPN

2009-06-15 Thread James Yonan
Arne Schwabe wrote: Hello, I am at the moment looking to integrating packet filtering into OpenVPN. My reason to do so, are the following: - Windows own Firewall does not work when routing/bridging is used - I am not aware of a OpenSource Firewall for windows - Being able to do NAT without

Re: [Openvpn-devel] OpenVPN 2.1_rc17 released

2009-06-07 Thread James Yonan
David Sommerseth wrote: James Yonan wrote: Change Log: 2009.05.30 -- Version 2.1_rc17 * Reduce the debug level (--verb) at which received management interface commands are echoed from 7 to 3. Passwords will be filtered. * Fixed race condition in management interface recv code

[Openvpn-devel] OpenVPN 2.1_rc18 released

2009-06-07 Thread James Yonan
2009.06.07 -- Version 2.1_rc18 * Fixed compile error on ./configure --enable-small * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change does not build on Windows on non-MINGW32. James

Re: [Openvpn-devel] Loss of routes causes routing loop

2009-06-07 Thread James Yonan
Daniel Johnson wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Karl O. Pinc wrote: Openvpn does not do DNS at all. You can use it to push DNS related DHCP options to the "clients" so that they are directed to a DNS server that does the right thing. (There may be a way to do something

[Openvpn-devel] OpenVPN 2.1_rc17 released

2009-05-30 Thread James Yonan
Change Log: 2009.05.30 -- Version 2.1_rc17 * Reduce the debug level (--verb) at which received management interface commands are echoed from 7 to 3. Passwords will be filtered. * Fixed race condition in management interface recv code on Windows, where sending a set of several commands to

Re: [Openvpn-devel] Get server to listen for TCP and UDP connections

2009-05-30 Thread James Yonan
David Sommerseth wrote: M. G. wrote: Hello, I recently changed my VPN-tunnel from TCP to UDP for the sake of better performance. It generally works very well but I noticed that I can't connect to my server from some networks when using UDP, e.g. at work. This may be an issue with the

Re: [Openvpn-devel] Unable to use -OFB or -CFB ciphers in OpenVPN

2009-05-30 Thread James Yonan
Victor Wagner wrote: On 2009.05.27 at 10:48:30 -0700, Frank Yellin wrote: I posted the following onto the OpenVPN forum, but it was suggested that I would be better off mailing directly to this list. I seem to have found a bug in 2.1_rc16 that is also

Re: [Openvpn-devel] version 2.1

2009-05-18 Thread James Yonan
We will be releasing a new Windows GUI for 2.1 that properly uses the management interface, and can be run by a user without administrator privileges. The GUI has already been developed and is available now with our Access Server product. We will be open-sourcing this Windows client GUI as part

[Openvpn-devel] ANNOUNCEMENT: OpenVPN Access Server beta available

2009-05-16 Thread James Yonan
age does not configure the system so that the openvpnas service starts during system startup. Best Regards, James Yonan & the OpenVPN Technologies Team

[Openvpn-devel] Patch Queue, was: Re: [PATCH] Fix for "Cannot read current defaultgateway" problem on Linux

2009-02-12 Thread James Yonan
Alon Bar-Lev wrote: On Tuesday 10 February 2009 13:35:35 David Balazic wrote: Ping ? Should I resend the patch without the end-of-line-spaces change ? James has his own response times. I suggest you have much patience :) Alon. I apologize for not having the bandwidth to focus as much

Re: [Openvpn-devel] IPv6 Support

2009-02-12 Thread James Yonan
Marcel Pennewiß wrote: On Thursday 13 November 2008 01:23:46 Marcel Pennewiß wrote: Hi, Hi again, a long time ago Juanjo Ciarlante wrote a patch for openvpn to create a tunnel via ipv6 [1]. Later I fixed the patch to work with openvpn-2.0 and 2.1, which I use on OpenWRT and Gentoo. Roy (from

Re: [Openvpn-devel] OVPN patching process RE: [PATCH] Fix non-C89 comments

2009-02-02 Thread James Yonan
David, A couple issues with the patch: * sscanf usage doesn't check for buffer overflow. * You use gw_if_name in some places and gw_ifname in other places. To eliminate confusion it would be best to use a consistent form. Also, to reiterate, try submitting the patch as an attachment to

Re: [Openvpn-devel] [PATCH] Fix non-C89 comments

2009-01-27 Thread James Yonan
Matthias Andree wrote: On Tue, 27 Jan 2009, Alon Bar-Lev wrote: Sent this to James. Did not apply. My queue is at: http://svn.openvpn.net/projects/openvpn/contrib/alon Perhaps the choice of version control system used for OpenVPN could deserve a second thought -- Mercurial or better Git

Re: [Openvpn-devel] windows 7 and openvpn

2009-01-21 Thread James Yonan
I've patched the NSIS installer to omit the Windows version check. Try this installer: http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe James István Szukács wrote: Hi folks! I am wondering if you have ever had success running openvpn on windows 7. The problem is the latest

Re: [Openvpn-devel] OpenVPN affected? - Incorrect checks for malformed signatures in OpenSSL

2009-01-14 Thread James Yonan
I don't believe this issue significantly affects OpenVPN. OpenVPN does not use the EVP_VerifyFinal function. The issue is that some internal OpenSSL functions do not properly check the return value of this function. The issue is primarily of concern if you are using DSA or ECDSA

Re: [Openvpn-devel] openvpn crashing (both 2.0.9 and 2.1rc13)

2008-11-17 Thread James Yonan
Nikola Ciprich wrote: Hello, we are experiencing openvpn crashes from time to time, usually a few times a week. It happens with both 2.0.9 and 2.1rc13. I've enabled coredumps, and the backtrace always looks the same: Core was generated by `/usr/sbin/openvpn --daemon --writepid
