On 27/02/2017 18:18, David Sommerseth wrote:
> On 27/02/17 23:06, James Yonan wrote:
>> On 25/02/2017 08:40, Steffan Karger wrote:
> [...snip...]
>>> I'd say so. Something like:
>>>
>>> legacy: RSA 1024+, SHA1+, all curves
>>> default: RS
On 25/02/2017 08:40, Steffan Karger wrote:
> On 25-02-17 07:04, James Yonan wrote:
>> On 24/02/2017 16:10, Steffan Karger wrote:
>>> On 24-02-17 22:28, James Yonan wrote:
>>>> On 24/02/2017 02:40, Steffan Karger wrote:
>>>>> On 23-02-17 22:41,
On 24/02/2017 16:10, Steffan Karger wrote:
> Hi,
>
> On 24-02-17 22:28, James Yonan wrote:
>> On 24/02/2017 02:40, Steffan Karger wrote:
>>> On 23-02-17 22:41, James Yonan wrote:
>>>> On 23/02/2017 01:22, Steffan Karger wrote:
>>>>> On 22-02-17 1
On 24/02/2017 02:40, Steffan Karger wrote:
> On 23-02-17 22:41, James Yonan wrote:
>> On 23/02/2017 01:22, Steffan Karger wrote:
>>> On 22-02-17 19:48, James Yonan wrote:
>>>> mbedTLS 2 has a new feature that allows rejection of certificates if the
>>>>
On 23/02/2017 01:22, Steffan Karger wrote:
> Hi James,
>
> On 22-02-17 19:48, James Yonan wrote:
>> mbedTLS 2 has a new feature that allows rejection of certificates if the
>> key size is too small or the signing hash is weak.
>>
>> The feature is controlled vi
mbedTLS 2 has a new feature that allows rejection of certificates if the
key size is too small or the signing hash is weak.
The feature is controlled via struct mbedtls_x509_crt_profile.
For example, you could specify that certificates must be at least 2048
bits and use a SHA-2 signing alg.
Wo
On 04/03/2016 02:49, Arne Schwabe wrote:
On 04.03.16 at 08:29, James Yonan wrote:
On 03/03/2016 16:48, Arne Schwabe wrote:
On 03.03.16 at 09:18, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no
On 03/03/2016 16:48, Arne Schwabe wrote:
On 03.03.16 at 09:18, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Basically what this patch does is to change the condition to
if (flags
Bind the local TCP/UDP socket before UID/GID downgrade,
otherwise we cannot bind to ports < 1024.
Signed-off-by: James Yonan
---
src/openvpn/init.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cb73a3d..9658895 100
The inline directive http-proxy-user-pass can be used to
specify proxy credentials in config, e.g.:
http-proxy proxy.tld 3128 auto-nct
foo
bar
This usage is already supported by OpenVPN 3.
Signed-off-by: James Yonan
---
src/openvpn/misc.c| 8
src/openvpn/misc.h| 2 ++
src
er-defined scripting */
#define ENABLE_SCRIPTS 1
or disabled by ensuring that ENABLE_SCRIPTS is undefined.
If ENABLE_SCRIPTS is undefined, OpenVPN will log "[NOSCRIPTS]"
in the initial version info line.
This patch assumes that script_security defaults to
SSEC_BUILT_IN or less.
Signed
Signed-off-by: James Yonan
---
src/openvpn/ssl_verify_polarssl.c | 166 ++
src/openvpn/syshead.h | 2 +-
2 files changed, 167 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_verify_polarssl.c
b/src/openvpn/ssl_verify_polarssl.c
index
Signed-off-by: James Yonan
---
src/openvpn/ssl_verify_polarssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_verify_polarssl.c
b/src/openvpn/ssl_verify_polarssl.c
index e87d2e2..9d0d086 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn
For example:
x509-track "+SHA1"
will extract the SHA1 fingerprints for all certs in the
peer chain.
This patch is ported from OpenVPN 2.1.
Signed-off-by: James Yonan
---
src/openvpn/ssl_verify_openssl.c | 114 +--
1 file changed, 74 inserti
generated hex string
in upper case.
Signed-off-by: James Yonan
---
src/openvpn/buffer.c | 11 +++
src/openvpn/buffer.h | 4 +++-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index bc67d65..52c6ab9 100644
--- a/src/openvpn
while
OpenSSL returns decimal serial numbers.
RFC 5280, published in 2008, decrees that serial numbers can be
up to 20 bytes long, hence it is necessary to support SSL
libraries that return the serial number as a hex string.
Signed-off-by: James Yonan
---
src/openvpn/ssl_verify_polarssl.c
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
src/openvpn/forward.c | 8 +---
src/openvpn/forward.h | 4 +++-
2 files changed, 4 insertions(+), 8
remote-override -- replace the hostname in all remote
directives with alt-remote.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
doc/openvpn.8 | 5 +
src/openvpn/options.c | 8 +++-
src/openvpn/options.h | 2 ++
3 files changed, 14 insertions(+), 1 deletion(-)
diff
Has anyone seen issues with --block-outside-dns speed? Because this
approach drops certain DNS packets, I'm wondering if apps will
experience lag time while waiting for dropped DNS requests to time out.
James
These may have been fixed by now, but noticed some issues in the
original patch that was discussed in the OpenVPN-devel IRC meeting
several weeks ago.
* win_adapter_index_to_luid is declared to return a
NET_LUID but not all code paths return a value.
* wcscat(svchostpath, L"\\svchost.exe") i
On 09/11/2015 00:38, Samuli Seppänen wrote:
Hi,
I plan to add a control-C handler in win32.c. The handler will simply
map it to SIGTERM. Is there any particular reason why control-C is not
currently handled?
Hi,
I forwarded this email to James - he might have a clue.
Currently the Windows
nother client. I have
submitted a fix:
http://thread.gmane.org/gmane.network.openvpn.devel/9386
which is waiting for an ACK.
Otherwise implementation is pretty much in line with your spec.
Great, thanks.
James
-Lev
2015-01-07 2:08 GMT+02:00 James Yonan :
I've updated the OpenVPN protocol
I've updated the OpenVPN protocol extension doc with additional details,
now that more of these features have been implemented in OpenVPN 3.
If you are implementing any of these features in OpenVPN 2.x, please
review so we can ensure that OpenVPN 2.x and 3 are on the same page with
respect to
In addition to the Peer-ID/DATA_V2 protocol change proposal,
here are a couple more proposed extensions for AEAD mode and
Compression V2 that we can discuss at the upcoming Munich
hackathon.
James
OpenVPN Protocol extensions
1. DATA_V2 opcode with 24-bit peer ID
2. AEAD mode
To support AEAD
ry_version() as returning const char *,
to avoid loss of const qualifier in ssl_openssl.c.
Signed-off-by: James Yonan
---
src/openvpn/options.c | 15 +--
src/openvpn/options.h | 2 ++
src/openvpn/ssl_backend.h | 2 +-
src/openvpn/ssl_openssl.c | 2 +-
src/openvpn/ssl_
Signed-off-by: James Yonan
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 9a95ae6..fa99384 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -76,6 +76,9 @@
#define HAVE_OPENSSL_ENGINE 1
+#define PATH_SEPARATOR '\\'
Signed-off-by: James Yonan
---
src/openvpn/ssl_openssl.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 481600a..d845fd7 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -261,8 +261,7
Signed-off-by: James Yonan
---
src/openvpn/socket.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 4e7e7f8..793cd9f 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -1023,7 +1023,7 @@ static inline void
Signed-off-by: James Yonan
---
src/openvpn/socket.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 7ff14cc..6e68c18 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1150,7 +1150,6 @@ resolve_bind_local
Signed-off-by: James Yonan
---
src/openvpn/init.c | 10 ++
src/openvpn/socket.c | 2 +-
src/openvpn/win32.c | 6 +++---
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 52d370b..3fb 100644
--- a/src/openvpn/init.c
This series of patches is for the 2.3 branch and fixes MSVC compile issues.
Some of these may be applicable to master as well, though I haven't checked yet.
James
On 28/04/2014 15:19, Steffan Karger wrote:
Hi,
On 27-04-14 22:10, Steffan Karger wrote:
On 27-04-14 19:53, Gert Doering wrote:
On Mon, Apr 21, 2014 at 01:10:04AM -0600, James Yonan wrote: The
attached patch is what I intend to commit to release/2.3 *only*,
not to master - as agreed at the IRC
On 23/04/2014 18:22, Timothe Litt wrote:
I don't see that cryptoapi.c has been updated to work with TLS 1.2.
Yes, just came to the same conclusion.
Long-term the key-loaders need to get updated.
Maybe short-term the options that invoke them could force NO_TLSv_1_2...
That would make things wo
On 23/04/2014 17:21, Timothe Litt wrote:
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my
On 23/04/2014 04:17, Arne Schwabe wrote:
On 21.04.14 21:26, James Yonan wrote:
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are
On 21/04/2014 05:33, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
remote-override -- replace the hostname in all remote
directives with alt-remote.
Just a question. How does remote-override differ from ip-remote-hint?
Both options seem to have the same effect aside from very
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
I haven't looked at the code but if I remember correctly, this method doe
On 21/04/2014 05:49, Gert Doering wrote:
Hi,
On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
of installations in TLS 1.0. Is there any other known case where it
breaks aside from the Tomato OpenVPN client?
On 19/04/2014 08:33, Steffan Karger wrote:
Hi,
On 04/18/2014 02:49 PM, Steffan Karger wrote:
On 04/17/2014 09:41 PM, James Yonan wrote:
I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part.
Wouldn't this always be true for reasonable values of hashlen and asn_len?
ciphersuites.
Signed-off-by: James Yonan
---
src/openvpn/ssl.c | 4 ++--
src/openvpn/ssl_backend.h | 15 +--
src/openvpn/ssl_openssl.c | 31 ++-
src/openvpn/ssl_polarssl.c | 43 +++
4 files changed, 56
MSVC 2013 C library now defines strtoull() function,
so use the native implementation when available.
Signed-off-by: James Yonan
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 99c00f9..9a95ae6 100644
--- a/config-msvc.h
+++ b/config
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
src/openvpn/forward.c | 6 +-
src/openvpn/forward.h | 4 +++-
2 files changed, 4 insertions(+), 6
remote-override -- replace the hostname in all remote
directives with alt-remote.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan
---
src/openvpn/options.c | 7 ++-
src/openvpn/options.h | 2 ++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/options.c b/src
Just wondering if anyone has looked at implementing x509-track for PolarSSL?
James
On 27/02/2014 12:40, steffan.kar...@fox-it.com wrote:
Hi,
The attached patches add support for PolarSSL 1.3. These patches are for
master only, as they drop support for PolarSSL 1.2. Supporting both versions
would require a lot of #ifdef's, so I opted for dropping 1.2.
Along with PolarSSL 1.3 c
client software can distinguish it.
This very simple patch does that.
James
From a8f0d219d4edd1e95520cc40d27a0cd79cace2c2 Mon Sep 17 00:00:00 2001
From: James Yonan
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, 16 Apr 2014 21:29:42 -0600
Subject: [PATCH] tls_serial_{n} value shoul
Someone on the Tor lists is claiming that OpenVPN isn't implementing
SOCKSv5 authentication correctly:
https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html
Any ideas?
James
On 30/03/2014 07:46, Gert Doering wrote:
Hi,
On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote:
3 - Change OpenSSL builds to use hex representation
I tend toward this one - user visible behaviour shouldn't change (unless
unavoidable) depending on SSL library used.
So for me this
On 17/03/2014 14:29, Gert Doering wrote:
Hi,
On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote:
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
This actually raises
OpenVPN doesn't want or need SSL session renegotiation or
resumption, as it handles renegotiation on its own.
For this reason, OpenVPN always disables the SSL session cache:
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
However, even with the above code, stateless session resumption
i
On 14/03/2014 05:53, Steffan Karger wrote:
Hi,
On 03/13/2014 10:37 PM, Abdullah Alshalan wrote:
> Hi,
> I have a few questions about OpenVPN and I would appreciate if you
can answer whatever you can.
I'll give it a try. I assume these questions relate to the 'Triple
Handshake'-attack (https:
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 99c00f9..9a95ae6 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -89,7 +89,10 @@
#define strncasecmp strnicmp
#define strcasecmp _stricmp
#define snprintf _snprintf
+
+#if _MSC_VER < 1
On 18/06/2013 01:23, Joachim Schipper wrote:
Joachim Schipper wrote [I'm continuing my own message here]:
-----Original Message-----
From: Kenny Root [mailto:ke...@the-b.org]
Sent: Tuesday 4 June 2013 2:15
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] Adding support for AEAD c
Interesting paper... So what are the current blockers for OpenVPN
supporting ECC with OpenSSL?
We will certainly consider any patch that addresses these issues.
James
On 05/08/2013 10:30, Asim Ali wrote:
I would like to know where OpenVPN stands on having TLS 1.2 working
with Suite B cryptog
We've recently merged some patches allowing OpenVPN to negotiate certain
settings (such as compression), but unfortunately at this time neither
cipher nor auth directives can be negotiated in the 2.x branch.
The 3.0 branch has fixed this somewhat by having the client support
cipher and auth di
Fixes to allow compilation with Microsoft Visual Studio 2008
* Fixed several instances of declarations after statements.
* In socket.c, fixed issue where uninitialized value (err)
is being passed to gai_strerror.
* ssl.c is trying to access multi_output_peer_info_env
function in multi.c,
This is the TLS versioning patch as discussed in last Thursday's IRC
meeting.
It combines these two patches:
https://github.com/jamesyonan/openvpn/commit/03a5599202bdc3ba07983dc4efdae387fb8fb436
https://github.com/jamesyonan/openvpn/commit/d23005413b0e0f28a3c48a6342f494763d5c9b40
James
diff -
On 18/06/2013 01:41, Joachim Schipper wrote:
From: James Yonan :
On 14/06/2013 02:47, Joachim Schipper wrote:
From James Yonan :
TLS Protocol
Since day 1, OpenVPN has used TLS 1.0 as a control channel and key
exchange mechanism. But now we have TLS 1.1 and 1.2, each of wh
On 17/06/2013 01:58, Steffan Karger wrote:
On 06/14/2013 09:53 PM, James Yonan wrote:
To get the adaptive versioning behavior in OpenSSL, you have to use
SSLv23_server_method() or SSLv23_client_method() and then explicitly
disable the versions you don't want to consider, i.e. SSL_OP_NO_
On 14/06/2013 02:47, Joachim Schipper wrote:
From James Yonan :
TLS Protocol
Since day 1, OpenVPN has used TLS 1.0 as a control channel and key
exchange mechanism. But now we have TLS 1.1 and 1.2, each of which
addresses significant shortcomings in its predecessor. Fortunately
On 12/06/2013 15:08, Arne Schwabe wrote:
On 12.06.13 21:38, James Yonan wrote:
About finding out which cipher client and server use. I am not really
familiar with this code so forgive my stupid question. TLS somehow also
does this "select the best cipher to use" dance. Why can
I'm going to present some ideas and patches to make OpenVPN more solid
in the area of versioning. The overall goal is to make OpenVPN more
robust with respect to differences between client and server in OpenVPN
version, TLS version, protocol capabilities, and config file grammar.
Specifically
On 18/01/2013 15:31, Marcel Pennewiß wrote:
On Wed, 16 Jan 2013 21:48:23 -0700
James Yonan wrote:
The client is based on the new C++ OpenVPN core that is also used in
the OpenVPN Connect client for Android. The C++ core is a portable,
lightweight class library for building OpenVPN clients
Just wanted to let everyone know that the OpenVPN Connect client for iOS
has just been released and is now available in the app store.
This is an official Apple-sanctioned OpenVPN client developed by OpenVPN
Technologies in collaboration with Apple.
The client is based on the new C++ OpenVPN
We've gotten some questions about whether OpenVPN is vulnerable to the
"BEAST" exploit.
At the time of this writing, the details of the "BEAST" exploit haven't
been released yet, but the general consensus is that it exploits the
known-IV weakness in SSL and TLS 1.0 that is discussed by Bard ba
Regarding the recently discovered SSL vulnerability CVE-2010-3864,
OpenVPN should not be affected because it is single-threaded.
James
I would be interested to know if anyone has succeeded in using
alternative approaches to install the windows TAP driver (other than
using tapinstall/devcon).
In particular, has anyone tried using the Difx API? This posting seems
to indicate that people have succeeded along these lines, but I
2010.08.09 -- Version 2.1.2
* Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ coul
I've observed a case on Windows Server 2008R2 where an antivirus product
called ESET Smart Security prevents install of the TAP driver.
The net effect in tapinstall (devcon) is that
UpdateDriverForPlugAndPlayDevices returns error code 1450
(ERROR_NO_SYSTEM_RESOURCES).
Apparently ESET interfe
r 08, 2010 at 08:21:35AM -0700, James Yonan wrote:
(2) Complex method: Write code in OpenVPN to simulate a DHCP client,
then translate the settings received in the DHCP reply to OpenVPN
push-style directives (such as ifconfig, route, etc.) as if they had
been pushed by the OpenVPN server.
... thi
- how does one debug Windows drivers? Is there a printf() as in Linux
that goes to console / syslog?
I have not yet figured out that part. I did my debugging with Wireshark
("see what packets move back and forth and stare at the packet details").
While Windows doesn't support "printf" in
I believe this has been discussed before, but I noticed recently that a
Linux-based OpenVPN client (Linux 2.6.24, OpenVPN 2.1.1) spends a lot
more CPU time in kernel space than in user space. This is surprising,
given the fact that all of the CPU-intensive cryptographic operations
are being do
OpenVPN 2.1 has a relatively recent feature that allows a TAP-based
OpenVPN session to be established where the client gets its IP address
assignment and other attributes from the server-side DHCP server.
The feature is enabled by the "route-gateway dhcp" directive on the client.
It's a pretty
Davide Brini wrote:
On Friday 11 December 2009, James Yonan wrote:
Try adding the "nobind" directive to your client config file. I think
this will solve the problem.
That seems indeed to do it. Thank you very much!
However, never in my life could I have imagined that this wa
2009.12.11 -- Version 2.1.1
* Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
James
Jon Onstott wrote:
Hello,
I am compiling OpenVPN and the TAP driver from source and would like the
TAP driver to be signed so that it installs correctly on Vista (and
doesn't pop-up warning dialog boxes). I noticed that the configure
scripts attempt to do that if "signtool" is defined. Is t
Karl O. Pinc wrote:
On 12/10/2009 04:39:57 AM, Samuli Seppänen wrote:
David Sommerseth wrote:
I believe James has received several patches in the past from
people on
the mailing list - or directly.
They will either include patches into their own source
trees, or
kick them back to
Yes -- the changes to the tap-win32 source code are only in the comments
and clarify that the source is licensed under GPL 2.
James
David Sommerseth wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/12/09 10:17, James Yonan wrote:
I'm happy to announce the release of OpenVPN
I'm happy to announce the release of OpenVPN 2.1.0. This release is
basically 2.1_rc22 + some last-minute trivial fixes to documentation and
plugin sample code. Enjoy!
James
f
On Thu, 2009-11-12 at 04:15 -0700, James Yonan wrote:
Are you using the --multihome option?
Sorry to jump in here, but I've run into a weird behavior when using multihome
in all versions, up to rc15 (I haven't tried later versions, but I guess that
it would be the same thing since
The only place where I found it (after
you let me know about it) was with openvpn --help.
Thank you, I'll try it.
BTW, why is it not by default?
Regards,
Olaf
On Thu, 2009-11-12 at 04:15 -0700, James Yonan wrote:
Are you using the --multihome option?
James, this option is not documen
David,
I've committed a fix for this:
r5261 | james | 2009-12-10 16:50:03 -0700 (Thu, 10 Dec 2009) | 10 lines
Changed paths:
M /branches/BETA21/openvpn/plugin/auth-pam/auth-pam.c
M /branches/BETA21/openvpn/plugin/down
http://openvpn.net/prebuilt/2.1_rc22-prebuilt.tbz
Change log:
2009.11.20 -- Version 2.1_rc22
* Fixed a client-side bug on Windows that occurred when the
"dhcp-pre-release" or "dhcp-renew" options were combined with
"route-gateway dhcp". The release/renew would not occur
because the Windows DHCP renew function is blocking and
therefore
Victor Wagner wrote:
> On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
>
>> Can you submit a patch (as an email attachment) with this fix?
> Attached
>
> This patch also contains X509_NAME_oneline replacement, which handles
> MSB characters.
>
> I've not ch
n.user/28105
I thought I must be missing something.
So if OpenVPN always uses a new session, what would be the point of
adding an option to disable renegotiation at the server side?
Cheers,
Dunc
James Yonan wrote:
OpenVPN uses a fresh SSL/TLS session for each of its mid-session
renegotiatio
This release is to respond to the OpenSSL vulnerability CVE-2009-3555.
Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability. This is not the case. OpenVPN does
not rely on the
OpenVPN uses a fresh SSL/TLS session for each of its mid-session
renegotiations. This means that when you see:
TLS: soft reset sec=0 bytes=314/0 pkts=6/0
OpenVPN is actually creating a brand new SSL/TLS session. So the
important point here is that OpenVPN does not rely on the session
rene
Stefan Monnier wrote:
I've posted a bug report at:
http://sourceforge.net/tracker/index.php?func=detail&aid=2872760&group_id=48978&atid=454719
since I haven't heard any reaction for almost 2 weeks now
(although the report includes a patch which works well, at least for
me), I'm wondering
Victor Wagner wrote:
I've found out that the string_mod family of functions does a very bad job
with certificates with Cyrillic characters in the subject.
As of OpenVPN 2.1_rc19 class CC_PRINT is determined by function
isprint from ctype.h, which does the wrong job if there was no setlocale
call (and there i
The Zep Man wrote:
Dear openvpn-devel list,
OpenVPN supports verification of a username/password combination on the
server-side by parsing these to a 'script' using 'auth-user-pass-verify'.
With this, it is possible to use a file ('via-file') or environment
variables ('via-env') to parse the g
2009.10.01 -- Version 2.1_rc20
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
* Fixed build problem when ./configure --disable-server is used.
* Fixed ifconfig command fo
Sebastien Raveau wrote:
Hi everybody!
OpenVPN already has support for dropping privileges and confining
itself to a directory *after* startup (thanks to calls like setgid,
setuid and chroot) which makes for much better management than if you
had to respectively start OpenVPN unprivileged and ad
Thanks for noticing that. I've committed the patch.
James
Rob Lemley wrote:
I noticed that building OpenVPN with --disable-server fails. Turns out
to be a problem with the management server and the commands it allows.
I've attached a simple patch which fixes it, not sure if it's "right" or
not
Thanks Stefan and Matthias. I've committed the patch.
James
Matthias Andree wrote:
Hi Jim,
there has been a recent change in FreeBSD 8 BETA that will break OpenVPN
2.1's "topology subnet" mode by (rightfully!) rejecting the ifconfig
command we're currently using (which incorrectly sets the lo
Matthias Andree wrote:
James Yonan wrote:
2009.07.16 -- Version 2.1_rc19
...
* In configure.ac, use datadir instead of datarootdir for compatibility
with
Dear Jim,
This is backwards. Please don't do that, but revert that change and
instead update the argument of AC_PRER
This release fixes an issue with the Windows TAP driver that can cause
BSODs on Vista (normally seen in the OpenVPN client). The problem is
that Windows has always restricted kernel threads to a very small stack
size (12KB on x86 32-bit). If they go over this limit, Windows will
crash with a
Arne Schwabe wrote:
Hello,
I am at the moment looking into integrating packet filtering into OpenVPN. My
reasons to do so are the following:
- Windows' own firewall does not work when routing/bridging is used
- I am not aware of an open-source firewall for Windows
- Being able to do NAT without t
David Sommerseth wrote:
James Yonan wrote:
Change Log:
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code on
2009.06.07 -- Version 2.1_rc18
* Fixed compile error on ./configure --enable-small
* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
does not build on Windows on non-MINGW32.
James