Re: [Openvpn-devel] [PATCH] Include utun device number in utun error messages

2020-07-25 Thread Jonathan K. Bullard
Hi, On Sat, Jul 25, 2020 at 7:51 PM Arne Schwabe wrote: > > For lack of a better API (or knowledge about a better API) we try to > open utun devices on macOS by trying utun0 to utun255 and use the > first one that works. On my Mac I have already 4 devices that > do nothing but are just there and

Re: [Openvpn-devel] [PATCH applied] Re: Unified success messages for setting mtu

2020-07-06 Thread Jonathan K. Bullard
Hi, On Mon, Jul 6, 2020 at 11:43 AM Gert Doering wrote: > > Acked-by: Gert Doering > > Thanks :-) - given that this is somewhat trivial, I have not actually > run a binary to look at the messages. I have counted arguments and done > a test build to see if new warnings show up (no). > > I *do*

Re: [Openvpn-devel] [RFC] Challenges with OpenVPN and configuring DNS

2020-07-03 Thread Jonathan K. Bullard
Hi. There's a lot here and I haven't digested all of it, but have a couple of comments about macOS and Tunnelblick, below. On Tue, Jun 23, 2020 at 6:57 PM David Sommerseth wrote: > > > Hi, > > Arne and I have discussed the challenge of DNS configuration and we have paid > attention to a recent

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jonathan K. Bullard
Hi, On Fri, Jul 3, 2020 at 3:39 AM Jan Just Keijser wrote: > > Hi, > > On 02/07/20 23:04, David Sommerseth wrote: > > On 30/06/2020 16:15, Jan Just Keijser wrote: > >> hi, > >> > >> On 30/06/20 16:11, Gert Doering wrote: > >>> Hi, > >>> > >>> On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just

Re: [Openvpn-devel] [Patch] New man page corrections - windows-options.rst

2020-07-02 Thread Jonathan K. Bullard
Improves English diction and/or grammar of man page. Acked-by: Jonathan K. Bullard On Tue, Jun 30, 2020 at 9:11 PM Richard Bonhomme wrote: > > Signed-off-by: Richard Bonhomme > --- > doc/man-sections/windows-options.rst | 4 ++-- > 1 file changed, 2 insertions(+), 2 deleti

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-21 Thread Jonathan K. Bullard
Hi, On Sun, Jun 21, 2020 at 11:15 AM Selva Nair wrote: > > Hi, > > On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote: > > > > Hi, > > > > going through OpenVPN threads that went stale - I think this is > > actually a nice addition (read: other people have already asked > > me if this can be

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-21 Thread Jonathan K. Bullard
Hi! On Sun, Jun 21, 2020 at 7:15 AM Gert Doering wrote: > > Hi, > > going through OpenVPN threads that went stale - I think this is > actually a nice addition (read: other people have already asked > me if this can be done). > > On Thu, Mar 05, 2020 at 01:53:12PM +0100, Jan Just Keijser wrote: >

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-18 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 9:22 PM Antonio Quartulli wrote: > > Hi, > > On 18/04/2020 00:41, Jonathan K. Bullard wrote: > > Hi, > > > > On Fri, Apr 17, 2020 at 5:35 PM Gert Doering wrote: > >> > >> ... the new subkeys are just a few weeks

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 5:35 PM Gert Doering wrote: > > ... the new subkeys are just a few weeks old, so we need to publish > a new key bundle with the new subkeys. So until a new security-keys-2020.asc (or whatever you will call it) is published on the OpenVPN website, I can't verify the

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.9. It > can be downloaded from here: > > I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty clueless about

Re: [Openvpn-devel] [PATCH v2 2/2] When auth-user-pass file has no password, query the management

2020-04-02 Thread Jonathan K. Bullard
Hi, On Mon, Mar 30, 2020 at 2:06 PM wrote: > > From: Selva Nair > > When only username is found in the file, redirect the auth-user-pass > query to the management if management-query-passwords is enabled. > Otherwise the user is prompted on console, if available, as before. > > This changes the

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Jonathan K. Bullard
On Mon, Mar 30, 2020 at 12:30 PM Selva Nair wrote: > That is, if management-query-passwords is enabled and auth file is > missing password, query the management, not on console irrespective > of other options and OS. If that's acceptable, I'll submit a v2. That's fine with me (and Tunnelblick),

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Jonathan K. Bullard
Hi, On Mon, Mar 30, 2020 at 11:12 AM Selva Nair wrote: > Jonathan K. Bullard wrote: > > > > If the OS X command line user was using --management-query-passwords > > (as Tunnelblick does), they wouldn't see the password prompt on > > /dev/tty, would they? >

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread Jonathan K. Bullard
Hi, On Sun, Mar 29, 2020 at 7:58 PM Selva Nair wrote: > > Hi, > > On Sun, Mar 29, 2020 at 7:13 PM Jonathan K. Bullard > wrote: > > On a Mac using Tunnelblick (which uses the management interface with > > management-query-passwords enabled), if the auth-user-

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread Jonathan K. Bullard
Hi, On Sun, Mar 29, 2020 at 4:34 PM wrote: > > From: Selva Nair > > If only username is found in the file, redirect the auth-user-pass > query to the management on Windows if (i) management-query-passwords > is enabled and (ii) stdout is redirected to a log file. These > restrictions avoid

Re: [Openvpn-devel] Removing --disable-server option from OpenVPN

2019-09-18 Thread Jonathan K. Bullard
Oops. On Wed, Sep 18, 2019 at 6:54 AM Jonathan K. Bullard wrote: > > Hi, > > On Wed, Sep 18, 2019 at 6:38 AM Samuli Seppänen wrote: > > > > Hi, > > > > We are considering removing the --disable-server option from OpenVPN in 2.5. > > > > Do

Re: [Openvpn-devel] Removing --disable-server option from OpenVPN

2019-09-18 Thread Jonathan K. Bullard
Hi, On Wed, Sep 18, 2019 at 6:38 AM Samuli Seppänen wrote: > > Hi, > > We are considering removing the --disable-server option from OpenVPN in 2.5. > > Do you use (and need) it, or know of somebody using (and needing) it? As far as I know, it is not used by any Tunnelblick users. Also, note

Re: [Openvpn-devel] [PATCH 0/5] Implement additional two step authentication methods

2019-06-13 Thread Jonathan K. Bullard
Hi, On Thu, Jun 13, 2019 at 2:35 PM Selva Nair wrote: > > Hi > > On Thu, Jun 13, 2019 at 10:42 AM Arne Schwabe wrote: > > > > These patches mainly implement forwarding passing/forwarding extra > > messages between management interface on server and client side. > > > > These new extra messages

[Openvpn-devel] Fwd: [PATCH] Remove deprecated --compat-x509-names and --no-name-remapping

2018-10-24 Thread Jonathan K. Bullard
Sorry, sent to Steffan but not the list: -- Forwarded message - From: Jonathan K. Bullard Date: Wed, Oct 24, 2018 at 7:00 AM Subject: Re: [Openvpn-devel] [PATCH] Remove deprecated --compat-x509-names and --no-name-remapping To: Steffan Karger Hi, The actual option name

[Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation

2018-08-08 Thread Jonathan K. Bullard via Openvpn-devel
--auth-retry none" (the default) is in effect. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- v2: * Incorporate Selva Nair’s suggestions (thanks!). * Remove incorrect quotes in Example 8. * Use &

Re: [Openvpn-devel] [PATCH] Clarify and expand management interface documentation

2018-08-08 Thread Jonathan K. Bullard via Openvpn-devel
Thanks, Selva. I agree with all of your comments except two, details below: On August 2, 2018 11:32 AM, Selva Nair wrote: > > >NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert > > your cryptographic token > > > > > > - The management client, if it is a GUI, can

[Openvpn-devel] [PATCH] Clarify and expand management interface documentation

2018-07-31 Thread Jonathan K. Bullard via Openvpn-devel
--auth-retry none" (the default) is in effect. * Update the list of UIs that support challenge/response. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- doc/management-notes.txt | 213 --- 1 file

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-24 Thread Jonathan K. Bullard
Hi, On Tue, Jul 24, 2018 at 12:02 AM, Selva Nair wrote: > Hi, > > On Mon, Jul 23, 2018 at 10:58 PM, Jonathan K. Bullard > wrote: >> I was testing Tunnelblick with Selva's C/R server and config (thanks >> again for that) and there was a problem. Maybe I'm (still) >&

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
Hi, On Mon, Jul 23, 2018 at 10:31 PM, Selva Nair wrote: > On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard > wrote: > >> Some, perhaps including Selva's $payingCustomer, may not want to use >> Tunnelblick betas or use OpenVPN 2.5 until it is released. > > I missed

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
t 02:38:55PM -0400, Selva Nair wrote: >>> On Thu, Jul 19, 2018 at 1:52 PM, Gert Doering wrote: >>> > On Thu, Jul 19, 2018 at 11:43:17AM -0400, Jonathan K. Bullard wrote: >>> >> Thank you, Selva! (Now all I need to do is get it working!) >>> > >>

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-21 Thread Jonathan K. Bullard
Hi, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: > Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy. Thanks,

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi Arne, (For some reason Gmail put your post in my spam folder, so I just saw it now.) On Thu, Jul 19, 2018 at 11:49 AM, Arne Schwabe wrote: > Am 19.07.18 um 17:43 schrieb Jonathan K. Bullard: >> Thank you, Selva! (Now all I need to do is get it working!) >> > > If

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi, Selva, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: >> Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy.

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you, Selva! (Now all I need to do is get it working!) Best regards, Jon On Thu, Jul 19, 2018 at 11:39 AM, Selva Nair wrote: > Hi, > > On Thu, Jul 19, 2018 at 10:48 AM, Jonathan K. Bullard > wrote: >> Thank you very much, Selva. >> >> On Wed, Jul 18, 2018

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you very much, Selva. On Wed, Jul 18, 2018 at 10:48 PM, Selva Nair wrote: > There are two messages involved: > > 1. First comes the fake auth failure message which contains the > challenge string. The format of this is as you have quoted above. The > single quoted string between the

[Openvpn-devel] Dynamic challenge/response questions

2018-07-18 Thread Jonathan K. Bullard
I'm trying to implement dynamic challenge/response in Tunnelblick and have some questions. I've been using the management-interface documentation [1] as my guide. 1. Is what the management interface sends something like (all on one line): >PASSWORD:Verification Failed: 'Auth'

Re: [Openvpn-devel] [OpenVPN/openvpn-gui] UI showing green connected status despite not beeing able to create a route (#9)

2018-07-06 Thread Jonathan K. Bullard
Hi, On Fri, Jul 6, 2018 at 3:24 PM, Selva Nair wrote: > > Hi, > > Copying the devel list as a reminder that "we" have been asking for this > change for a long time :) > > On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering wrote: >> >> Hi, >> >> On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair

Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-02 Thread Jonathan K. Bullard
Hi. On Mon, Jul 2, 2018 at 9:24 PM, wrote: > > From: Selva Nair > > Instead log only a warning. > > This helps user interfaces enforce a safer script-security setting > without causing a FATAL error. Can you expand on that? What "safer script security settings" do you have in mind? Tunnelblick

Re: [Openvpn-devel] [PATCH v5] Add Interactive Service developer documentation

2018-06-09 Thread Jonathan K. Bullard
Hi, On Sat, Jun 9, 2018 at 12:23 PM, Selva Nair wrote: > > Hi, > > On Thu, Apr 19, 2018 at 7:23 AM, Simon Rozman wrote: > > The OpenVPN Interactive Service documentation from > > https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was > > upgraded with a description of the

Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

2018-04-13 Thread Jonathan K. Bullard
Hi. On Fri, Apr 13, 2018 at 1:23 PM, Micah Morton wrote: > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > From: Micah Morton > Date: Fri, 13 Apr 2018 09:55:22 -0700 > Subject: [PATCH] Specify platform and version on command

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering wrote: > Hi, > > On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote: >> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: >> >> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will > be IPv6-only. Removal of IPv4-related code and options will dramatically > reduce code complexity, confusing options, bugs and user questions. >

Re: [Openvpn-devel] OpenSSL version(s) officially supported by OpenVPN?

2018-03-07 Thread Jonathan K. Bullard
Hi. On Wed, Mar 7, 2018 at 4:25 AM, Steffan Karger <steffan.kar...@fox-it.com> wrote: > > Hi, > > On 06-03-18 23:16, Jonathan K. Bullard wrote: > > Can someone clarify which versions of OpenSSL OpenVPN supports (that > > is, "works with when linked stati

[Openvpn-devel] OpenSSL version(s) officially supported by OpenVPN?

2018-03-06 Thread Jonathan K. Bullard
Hi. Inspired by the recent discussion about LibreSSL support: Can someone clarify which versions of OpenSSL OpenVPN supports (that is, "works with when linked statically")? From what I gather: * OpenVPN 2.3.18 supports OpenSSL 1.0.2n * OpenVPN 2.4.5 supports OpenSSL 1.0.2n and 1.1.0g *

Re: [Openvpn-devel] [PATCH] Properly respond to SIGTERM received during DNS resolution.

2018-02-05 Thread Jonathan K. Bullard
lem, right? > > (I'm not sure I'm reading the description right, to understand the > actual issue this is fixing - but if I'm reading it right, then this > makes sense :-) - what about SIGINT?) On Tue, Apr 12, 2016 at 11:48 AM, Fish Wang <fish.t...@gmail.com> wrote: > > Right

[Openvpn-devel] Fwd: [PATCH 2/3] Allow external EC key through --management-external-key

2018-01-25 Thread Jonathan K. Bullard
Hi. On Mon, Jan 22, 2018 at 12:31 PM, Selva Nair wrote: > What about extending the current "version" command with an argument > where the client states the version of "management-speak" that it > supports. Current management version is 1, we increase it to 1.1 and > unless

Re: [Openvpn-devel] On testing with openssl 0.9.8

2018-01-22 Thread Jonathan K. Bullard
Hi, On Mon, Jan 22, 2018 at 7:33 AM, David Sommerseth wrote: > Let me rather twist this question around ... Do we want to support OpenSSL > 0.9.8? Are there any Linux distributions or other OSes out there in the wild > which is still supported which are also

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-14 Thread Jonathan K. Bullard
Hi, On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > Hi, > > On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair <selva.n...@gmail.com> wrote: >> >> Hi, >> >> On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe <a...@rfc2549.or

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-02 Thread Jonathan K. Bullard
Hi, On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: > > Hi, > > On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: >> >> Am 30.11.2017 um 03:03 schrieb Selva Nair: >> >> Cross-posting to users and devel as this may be of interest to both. >> >> Hi, >>

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Hi, On Thu, Nov 30, 2017 at 10:26 PM, Selva Nair <selva.n...@gmail.com> wrote: > Hi Jon, > > On Thu, Nov 30, 2017 at 8:41 PM, Jonathan K. Bullard <jkbull...@gmail.com> > wrote: > >> Thanks, Selva, >> >> On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair &

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Thanks, Selva, On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair wrote: > > I have made a draft implementation of this feature that was discussed in a > previous thread. A test executable (GUI only) is in this pre-release: > >

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-15 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 7:40 AM, David Sommerseth wrote: > > On 14/11/17 12:02, Gert Doering wrote: >> JSON is very trivial to produce (unlike XML, or netlink). The escaping >> rules on producing are also very easy - basically, encode things in double >>

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-14 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 3:31 AM, Gert Doering wrote: > Hi, > > On Mon, Nov 13, 2017 at 01:16:46PM +0100, David Sommerseth wrote: >> But we should consider if we want to make use of a JSON library >> producing the JSON streams. The reason is to ensure the output is >>

Re: [Openvpn-devel] [PATCH] contrib: Remove keychain-mcd code

2017-07-25 Thread Jonathan K. Bullard
On Tue, Jul 25, 2017 at 9:03 AM, David Sommerseth wrote: > After the security audits performed by Cryptography Engineering the > spring of 2017 [1], there were several concerns about the contrib code > for the macOS keychain support. After more careful review of this > code

Re: [Openvpn-devel] [PATCH] Implement block-ipv6

2017-07-07 Thread Jonathan K. Bullard
Hi. I have one small nit-pick. On Thu, Jul 6, 2017 at 11:33 AM, Arne Schwabe wrote: > This can be used to redirect all IPv6 traffic to the tun interface, > effectively black holing the IPv6 traffic. Without ICMPv6 error messages this > will result in timeouts when the server

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree wrote: > > Am 21.06.2017 um 16:33 schrieb Samuli Seppänen: > > On 21/06/2017 17:06, Simon Matter wrote: > >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > >>> wrote: > The OpenVPN community

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> > wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > > can be downl

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote: > On 21/06/17 14:30, David Sommerseth wrote: >> On 21/06/17 13:48, Jonathan K. Bullard wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> wro

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > can be downloaded from here: > > Hi. Thanks for this release. Verifying the PGP

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-20 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 6:41 PM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote: > On 19/05/17 21:23, Jonathan K. Bullard wrote: [snip] > > OK, I get that, but the key file from the link David provided (and > > which was also in his reply to the email announcing 2.

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 1:44 PM, Samuli Seppänen <sam...@openvpn.net> wrote: > On 19/05/2017 17:50, David Sommerseth wrote: >> On 19/05/17 16:28, Jonathan K. Bullard wrote: >>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using >>> openvpn-2.3.1

[Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
When I try to verify the signature on openvpn-2.3.16.tar.gz (using openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the following: gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz' gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034 gpg:

Re: [Openvpn-devel] OpenVPN 2.3.16 released

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.3.16. > It can be downloaded from here: > > > > This is a minor release that fixes a few bugs.

Re: [Openvpn-devel] The future of contrib/keychain-mcd

2017-05-06 Thread Jonathan K. Bullard
Hi. Several weeks ago "kaloprominat" submitted PR #369 [1] to Tunnelblick. It incorporates the keychain-mcd code into Tunnelblick. (I don't know if that triggered your scrutiny of keychain-mcd or if that is a coincidence.) I have not finished reviewing the PR, but it includes fixes for several

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-25 Thread Jonathan K. Bullard
On Sun, Dec 25, 2016 at 6:20 PM, Steffan Karger wrote: > Hi, > > On 18-12-16 22:26, Gert Doering wrote: >> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote: >>> Our internal options digest uses MD5 hashes to store the state, instead of >>> storing the full options

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-03 Thread Jonathan K. Bullard
Hi, On Thu, Nov 3, 2016 at 8:26 AM, Gert Doering <g...@greenie.muc.de> wrote: > > On Wed, Nov 02, 2016 at 06:19:26AM -0400, Jonathan K. Bullard wrote: > > On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen <sam...@openvpn.net> > wrote: > > > Discussed

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-02 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen wrote: > Discussed OpenVPN 2.3.13 release. Three things are missing: > > 1. recursive routing > 2. block-outside-dns v2 > 3. 64MB renegotiation for 64-bit block ciphers > > Cron2 will take care of 1-2, and syzzer will tackle 3.

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks to both Gert and Arne for their answers. On Wed, Oct 12, 2016 at 9:12 AM, Arne Schwabe wrote: >> What I should have asked is: with this patch will an OpenVPN client >> still send out IPv4 packets if there are no IPv6 options specified or >> pulled from the server?

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks, Arne. Sorry if I wasn't as clear as I should have been. On Wed, Oct 12, 2016 at 8:08 AM, Arne Schwabe <a...@rfc2549.org> wrote: > > Am 12.10.16 um 13:17 schrieb Jonathan K. Bullard: > > Hi. > > > > On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe <a...@rfc

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Hi. On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe wrote: > > This option was useful when Ipv6 tun support was > non standard and was an internal/user specified flag > that tracked the Ipv6 capability of the tun device. > > All supported OS support IPv6. Also tun-ipv6 is >

Re: [Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 8:56 AM, Samuli Seppänen wrote: > > We're going to have an IRC meeting today starting at 20:00 CEST (18:00 > UTC) on #openvpn-meeting irc.freenode.net. You do not have to be > logged in to Freenode to join the channel. I can't attend the meeting, so

Re: [Openvpn-devel] [PATCH] Have the same username/password length regardless of PKCS#11 enablement

2016-09-22 Thread Jonathan K. Bullard
On Thu, Sep 22, 2016 at 6:04 AM, David Sommerseth wrote: > If running an OpenVPN client with --enable-pkcs11 and a server without > and having a username and/or password with more than 128 characters, > the authentication will fail as the server truncates the password > to 128

[Openvpn-devel] The end of the Gmane archive

2016-07-29 Thread Jonathan K. Bullard
Yesterday Lars Ingebrigtsen, who established and has run Gmane since 2002, posted an article saying that Gmane might go away [1]. He posted an update [2] which says the Gmane archive *has* gone away and unless someone steps up to take it over, it is gone for good. The OpenVPN mailing list

Re: [Openvpn-devel] [PATCH 3/7] vlan: Add global, per-client 802.1q-based options

2016-04-03 Thread Jonathan K. Bullard
On Sun, Apr 3, 2016 at 2:51 PM, Mike Auty wrote: > > This patch add the new global "--vlan-tagging" boolean switch. This specifies > whether openvpn should handle 802.1q tagged packets in any way. > > This patch also adds the new global '--vlan-accept tagged|untagged|all'

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-13 Thread Jonathan K. Bullard
Thanks, Selva. On Sat, Dec 12, 2015 at 5:43 PM, Selva Nair wrote: > I suppose, not just adding but also removing options will be allowed. There > could be more options that are ok (i.e not unsafe) to remove but not change. What I'm proposing isn't to allow

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Hi. On Sat, Dec 12, 2015 at 5:23 PM, Arne Schwabe wrote: > Might not really be related to this but have looked into the work that > provides the certificates and keys via the management console? We have > even have a contrib program that gets certificates from the Mac OS X >

[Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Inspired by Gert, I am considering adding a new feature to Tunnelblick (FOSS GUI for OpenVPN on OS X) and would like your reactions. In an earlier thread on openvpn-users, my original more grandiose idea was (with good reason) NAKed. It was also suggested that openvpn-devel was a better place for

Re: [Openvpn-devel] Docs or Bug: --push options no longer require double quotes

2015-07-25 Thread Jonathan K. Bullard
On Sat, Jul 25, 2015 at 3:45 PM, Gert Doering wrote: > Hi, > > On Sat, Jul 25, 2015 at 01:34:46PM +0100, debbie...@gmail.com wrote: >> As the title states --push no longer requires options to be double quoted. > > Well, *did* it require double quotes at some point? If yes,

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-03 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 6:24 AM, Jan Just Keijser wrote: > I fully agree. Here's v2 with Jonathan's remarks addressed as well. ACK as to my concerns, thanks!

Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 2:56 AM, Jan Just Keijser wrote: > Attached is the patch to add the TFTP and WPAD DHCP options. The patch > is based on openvpn 2.3.7 as I did not know how to do a windows mingw > build of the git version ... > The patch was tested on Windows XP 32bit and

Re: [Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-03 Thread Jonathan K. Bullard
On Wed, Jun 3, 2015 at 2:33 AM, Arne Schwabe wrote: > ACK. But some things I noticed (should go into separate patch) > > We do not catch > > --connection foo, it is silently ignored I noticed a few such problems, mostly in options that I couldn't find consistent documentation

[Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-02 Thread Jonathan K. Bullard
This is a new thread with version 2 of the patch; the first submission included the wrong .patch file and was withdrawn. The attached patch causes an error if an option has extra parameters; previously they were ignored (ticket #557 at https://community.openvpn.net/openvpn/ticket/557). This

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-30 Thread Jonathan K. Bullard
Please ignore this patch; it is an old version. I will resubmit. Sorry for the noise. On Fri, May 29, 2015 at 11:54 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > Sorry, forgot to add a link to the ticket for this: > > https://community.openvpn.net/openvpn/ticket/557 >

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
Sorry, forgot to add a link to the ticket for this: https://community.openvpn.net/openvpn/ticket/557 On Fri, May 29, 2015 at 11:38 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > The attached patch causes an error if an option has extra > parameters; previously they

[Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
The attached patch causes an error if an option has extra parameters; previously they were ignored. This feature was discussed on the openvpn-devel mailing list: http://thread.gmane.org/gmane.network.openvpn.devel/9599 The patch is for the master branch only -- the consensus of the mailing

[Openvpn-devel] [Patch] Fix null pointer dereference in options.c

2015-05-23 Thread Jonathan K. Bullard
(At Gert's request, I am posting this to openvpn-devel.) This patch fixes a null pointer dereference in options.c. Below are versions for openvpn-master and openvpn-2.3; they differ only in the line number reference. 2.3 branch diff -U 4 -r

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-18 Thread Jonathan K. Bullard
On Mon, May 4, 2015 at 9:26 AM, Jonathan K. Bullard wrote: > If I have a > configuration that has worked for many years I might be more likely to > not notice one warning among all the output in a typical log at the > default "verb 3" setting. Correction: the defa

Re: [Openvpn-devel] Request peer review of modified OpenVPN client software

2015-05-12 Thread Jonathan K. Bullard
On Tue, May 12, 2015 at 7:27 AM, Lisa Minogue wrote: > Can I conclude from your above statements that applying obfuscation > patches to the standard OpenVPN client software may actually introduce > security vulnerabilities? > The openvpn_xorpatch

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-04 Thread Jonathan K. Bullard
On Sun, May 3, 2015 at 12:33 PM, Steffan Karger <stef...@karger.me> wrote: > On 17-04-15 11:28, Jonathan K. Bullard wrote: > > I would like to propose a patch which complains if OpenVPN options > > include parameters that are not expected. > > I agree that silentl

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 8:10 AM, David Woodhouse wrote: > On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: >> >> All fine. My rationale was like, if I want a certificate with a certain >> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me >> whether

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering wrote: > > On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote: > > > What do you think of the change? > > I like the idea. You could make the macos-keychain in the string optional. > > What Arne said (both parts of it)

[Openvpn-devel] [PATCH] Fix mismatch of fprintf format specifier and argument type

2015-02-06 Thread Jonathan K. Bullard
This fixes a warning about a mismatch between a fprintf format string and an argument type on Darwin-64-bit builds: %lu specifies type 'unsigned long' but the argument has type '__darwin_suseconds_t' (aka 'int') --- openvpn/src/openvpn/error.c 2015-01-23 13:17:50.0 -0500 +++

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jonathan K. Bullard
On Tue, Oct 21, 2014 at 6:43 AM, Gert Doering wrote: > Yes, exactly. In essence, you have a windows service running with full > privileges, which is instructed by the GUI to run an openvpn.exe process > (with user privs, so OpenVPN can't do damage) and OpenVPN communicates >

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jonathan K. Bullard
On Tue, Oct 21, 2014 at 5:11 AM, Gert Doering wrote: > This will hopefully be fixed in 2.4 with the interactive service, we just > need to find time for Heiko to find the code and send it to us :-) (but > I've already seen it last year) Is there any documentation for the new

Re: [Openvpn-devel] Easy-RSA v3 release planning

2014-07-15 Thread Jonathan K. Bullard
22:57:29, Jonathan K. Bullard <jkbull...@gmail.com> > wrote: > > > On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek <josh.ce...@usa.net> wrote: > > The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit > > 8b1fe01.) While I hope this isn't a common

Re: [Openvpn-devel] Easy-RSA v3 release planning

2014-07-15 Thread Jonathan K. Bullard
On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek wrote: > The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit > 8b1fe01.) While I hope this isn't a common need, the fix was simple > enough, and this is still a supported OpenSSL version. > Any update on the

[Openvpn-devel] Recently-disclosed LZO vulnerability and OpenVPN's use of LZO

2014-06-29 Thread Jonathan K. Bullard
A recent *"Lab Mouse Security research blog" entry* claimed that a bug exists in several implementations of the LZO algorithm commonly used by OpenVPN and that the bug causes a security vulnerability. A rebuttal on

Re: [Openvpn-devel] [Openvpn-users] [PATCH] Add support for specifying the syslog facility, as requested in trac #188.

2014-05-02 Thread Jonathan K. Bullard
On Fri, May 2, 2014 at 11:20 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote: > The core principle in OpenVPN's option > parsing is that the last argument wins. So if you have f.ex. --ping-exit > 3 > times in a command line and two times in a config file, it's the last one > which

Re: [Openvpn-devel] English language? Re: [PATCH] Support non-ASCII characters in Windows tmp path

2013-12-04 Thread Jonathan K. Bullard
On Wed, Dec 4, 2013 at 4:35 AM, Matthias Andree wrote: > Am 19.11.2013 18:36, schrieb Heiko Hund: > > + msg (M_WARN, "Could not get temporary directory. Path is too > long." > > + " Consider to use --tmp-dir"); > > I think when touching the code, we ought to

Re: [Openvpn-devel] [Patch v7] Add support of utun devices under Mac OS X

2013-06-27 Thread Jonathan K. Bullard
On Fri, Jun 21, 2013 at 6:48 AM, Arne Schwabe wrote: > Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" > utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko do > not work together). > > When OpenVPN is compiled with utun support

Re: [Openvpn-devel] [Patch v3.1] Add support of utun devices under Mac OS X

2013-06-20 Thread Jonathan K. Bullard
On Thu, Jun 20, 2013 at 4:58 AM, Arne Schwabe wrote: > I have a OS X 10.6 VM with Xcode 3.2.6 installed and this VM has the > if/utun.h header. It probably was added somewhere between 10.6.0 and 10.6.8. Ah. Thanks for mentioning this. That makes sense. > I changed the M_ERR to

Re: [Openvpn-devel] [Patch v2] Add support of utun devices under Mac OS X

2013-06-20 Thread Jonathan K. Bullard
On Tue, Jun 18, 2013 at 1:23 AM, Arne Schwabe wrote: > > Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" > utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko do > not work together). > > When OpenVPN is compiled with utun

Re: [Openvpn-devel] building on OSX (for Tunnelblick)

2013-04-02 Thread Jonathan K. Bullard
On Tue, Apr 2, 2013 at 9:46 AM, Arne Schwabe wrote: > > Tunnelblick is still being built on OS X 10.6.8 with Xcode 3.2.2 > > because it still supports PowerPC, which later versions of Xcode > > (which are required for use on 10.7+) don't support. > Is there a specific reason

Re: [Openvpn-devel] building on OSX (for Tunnelblick) (was: [PATCH] Add support of utun devices under Mac OS X)

2013-04-01 Thread Jonathan K. Bullard
On Mon, Apr 1, 2013 at 2:48 PM, Gert Doering <g...@greenie.muc.de> wrote: > On Mon, Apr 01, 2013 at 09:26:04AM -0400, Jonathan K. Bullard wrote: > > I don't have an opinion about including it in 2.3.2 vs. 2.4 -- I still > > can't get anything after 2.3alpha1 to build pro

Re: [Openvpn-devel] [PATCH] Add support of utun devices under Mac OS X

2013-04-01 Thread Jonathan K. Bullard
49.org> wrote: > Am 01.04.13 17:18, schrieb Jonathan K. Bullard: > > On Mon, Apr 1, 2013 at 11:06 AM, Arne Schwabe <a...@rfc2549.org> wrote: >> >>> >>> The "standard" utun.ko driver is sometimes problematic (e.g. VmWare >>>>>>&g
