Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-19 Thread Christian Hesse
Samuli Seppänen  on Mon, 2020/04/20 09:13:
> On a related note: I think we should consider stopping the distribution
> of the security list's public key from our webservers and just instruct
> people to fetch the key from the keyservers and refresh it if they have
> trouble.

Keyserver operation has become unstable lately. I would suggest setting up a web
key directory (WKD):
https://wiki.gnupg.org/WKD

Downloading the key from your WKD would require this command from a
recent gpg:

gpg --locate-keys secur...@openvpn.net
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-19 Thread Samuli Seppänen
Hi,

On 19/04/20 13:03, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 18, 2020 at 02:30:46PM +0200, Simon Matter wrote:
>> A long time ago I was asking them to also show MD5/SHAXXX checksums so I
>> can easily verify the downloads. My request was turned down for reasons I
>> still don't understand. At least it could give us some peace of mind when
>> downloading OpenVPN and the PGP stuff doesn't work or is not used by the
>> person downloading it.
> 
> True... Samuli, are you listening?  Adding SHA256s to the release
> announcement might not be so hard to integrate into your process, and
> help in case GPG acts up again.

> (Mostly because "the mail on the list is signed, the other openvpn
> developers see it, and if someone tries to play games, we'll notice")

Having SHA256 sum in the _release announcement_ is good, because it
can't be forged easily. But I would also have it on the download
page. I just need to ask our webmaster to add that field. If the website
is tampered with, then we still have the release announcement to refer to.

On a related note: I think we should consider stopping the distribution
of the security list's public key from our webservers and just instruct
people to fetch the key from the keyservers and refresh it if they have
trouble.

Meaning: I don't see the extra value distributing the key from our
webserver gives anyone. But please correct me if I'm missing something.

> 
> gert


Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-19 Thread Gert Doering
Hi,

On Sat, Apr 18, 2020 at 02:30:46PM +0200, Simon Matter wrote:
> A long time ago I was asking them to also show MD5/SHAXXX checksums so I
> can easily verify the downloads. My request was turned down for reasons I
> still don't understand. At least it could give us some peace of mind when
> downloading OpenVPN and the PGP stuff doesn't work or is not used by the
> person downloading it.

True... Samuli, are you listening?  Adding SHA256s to the release
announcement might not be so hard to integrate into your process, and
help in case GPG acts up again.

(Mostly because "the mail on the list is signed, the other openvpn
developers see it, and if someone tries to play games, we'll notice")

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-18 Thread Jonathan K. Bullard
Hi,

On Fri, Apr 17, 2020 at 9:22 PM Antonio Quartulli  wrote:
>
> Hi,
>
> On 18/04/2020 00:41, Jonathan K. Bullard wrote:
> > Hi,
> >
> > On Fri, Apr 17, 2020 at 5:35 PM Gert Doering  wrote:
> >>
> >> ... the new subkeys are just a few weeks old, so we need to publish
> >> a new key bundle with the new subkeys.
> >
> > So until a new security-keys-2020.asc (or whatever you will call it)
> > is published on the OpenVPN website, I can't verify the download?
> >
> > Of course, if the download was compromised, the website probably was,
> > so any key published on it is, too.
> >
> > Sigh.
>
> If the updated key was pushed to the keyserver (it should), you can
> delete and re-fetch it from the keyserver directly.

That worked, thanks,

Jon Bullard




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-18 Thread Simon Matter via Openvpn-devel
> Hi,
>
> On Fri, Apr 17, 2020 at 5:35 PM Gert Doering  wrote:
>>
>> ... the new subkeys are just a few weeks old, so we need to publish
>> a new key bundle with the new subkeys.
>
> So until a new security-keys-2020.asc (or whatever you will call it)
> is published on the OpenVPN website, I can't verify the download?

Hi,

A long time ago I was asking them to also show MD5/SHAXXX checksums so I
can easily verify the downloads. My request was turned down for reasons I
still don't understand. At least it could give us some peace of mind when
downloading OpenVPN and the PGP stuff doesn't work or is not used by the
person downloading it.

Regards,
Simon





Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Antonio Quartulli
Hi,

On 18/04/2020 00:41, Jonathan K. Bullard wrote:
> Hi,
> 
> On Fri, Apr 17, 2020 at 5:35 PM Gert Doering  wrote:
>>
>> ... the new subkeys are just a few weeks old, so we need to publish
>> a new key bundle with the new subkeys.
> 
> So until a new security-keys-2020.asc (or whatever you will call it)
> is published on the OpenVPN website, I can't verify the download?
> 
> Of course, if the download was compromised, the website probably was,
> so any key published on it is, too.
> 
> Sigh.

If the updated key was pushed to the keyserver (it should), you can
delete and re-fetch it from the keyserver directly.

Regards,

-- 
Antonio Quartulli




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi,

On Fri, Apr 17, 2020 at 5:35 PM Gert Doering  wrote:
>
> ... the new subkeys are just a few weeks old, so we need to publish
> a new key bundle with the new subkeys.

So until a new security-keys-2020.asc (or whatever you will call it)
is published on the OpenVPN website, I can't verify the download?

Of course, if the download was compromised, the website probably was,
so any key published on it is, too.

Sigh.

Thanks for the info, though, Gert.

Jon Bullard




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Christian Hesse
"Jonathan K. Bullard"  on Fri, 2020/04/17 17:16:
> Hi,
> 
> On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen  wrote:
> >
> > The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
> > can be downloaded from here:
> >
> >   
> 
> I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty
> clueless about gpg, but I think it may not have been signed with the
> correct key.

The key is still correct, but it has new subkeys. Try to refresh the key from
a keyserver:

$ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Gert Doering
Hi,

On Fri, Apr 17, 2020 at 05:16:56PM -0400, Jonathan K. Bullard wrote:
> On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen  wrote:
> >
> > The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
> > can be downloaded from here:
> >
> > 
> 
> I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty
> clueless about gpg, but I think it may not have been signed with the
> correct key.

It's a new subkey, and gpg is pretty retarded about importing new
subkeys to an existing key - as in: it will just not do anything.

So for me (to import a new private key when subkeys rotate) I need
to totally remove the key from the keyring, and then re-add it to
get the new subkey.

That said...

> $ gpg --import security-key-2019.asc

... the new subkeys are just a few weeks old, so we need to publish
a new key bundle with the new subkeys.

Samuli...?

(And people wonder why nobody is using PGP crypto)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi,

On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen  wrote:
>
> The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
> can be downloaded from here:
>
> 

I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty
clueless about gpg, but I think it may not have been signed with the
correct key.

When I try to verify the signature:

$ gpg -v --verify openvpn-2.4.9.tar.gz.asc openvpn-2.4.9.tar.gz
gpg: Signature made Fri Apr 17 07:18:44 2020 EDT
gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
gpg: Can't check signature: No public key

But I have the Security Mailing List GPG key (downloaded 2019-10-31)
and used it to verify earlier downloads [1]. I downloaded a fresh copy
of the key, but it is identical to my old one. I tried re-importing:

$ gpg --import security-key-2019.asc
gpg: key 12F5F7B42F2B01E7: "OpenVPN - Security Mailing List
" not changed
gpg: Total number processed: 1
gpg:  unchanged: 1

Which I interpret as "the identical key was already loaded".

$ gpg --list-public-keys --keyid-format LONG
pub   rsa4096/12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
  F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
uid [ unknown] OpenVPN - Security Mailing List 

This is with gpg (GnuPG) 2.2.3, libgcrypt 1.8.1

Any suggestions?

Jon Bullard

[1] 2.4.8 verifies OK (although the key has now expired):

$ gpg --verify openvpn-2.4.8.tar.gz.asc  openvpn-2.4.8.tar.gz
gpg: Signature made Wed Oct 30 08:49:58 2019 EDT
gpg:                using RSA key 82175D35AA8D0E8BDE5F4F9E5DC351805ACFEAC6
gpg: Good signature from "OpenVPN - Security Mailing List
" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
 Subkey fingerprint: 8217 5D35 AA8D 0E8B DE5F  4F9E 5DC3 5180 5ACF EAC6


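The failure reported above (gpg reports NO_PUBKEY because the new signing subkey is not in the local keyring), the keyserver refresh suggested later in the thread, and the SHA256 sums in the release announcement that Gert and Samuli discuss can be combined into one verification routine. The script below is an added example, not code from the thread or the OpenVPN project; it assumes GnuPG 2.x (for --status-fd) and GNU coreutils sha256sum, uses the fingerprints quoted in this message, and the status lines in its comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify an OpenVPN release tarball
# against its detached .asc, pinning the *primary* key fingerprint so that
# rotated signing subkeys are accepted while an unknown key is not.
# Assumes GnuPG 2.x (--status-fd) and GNU coreutils sha256sum.

# Primary fingerprint of the security list key, as quoted in the thread.
# Subkeys (333D4630..., 82175D35...) rotate; the primary key does not.
OPENVPN_PRIMARY_FPR=F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7

# Read machine-readable gpg status lines on stdin and decide.
# Returns 0: VALIDSIG whose primary-key fingerprint (10th VALIDSIG field)
#            matches $1.
#         2: signing key not in keyring (NO_PUBKEY), the subkey-rotation
#            case from the thread; the fix is a key refresh, not a new key.
#         1: anything else.
check_gpg_status() {
  expected=$1
  result=1
  while IFS=' ' read -r prefix keyword rest; do
    [ "$prefix" = "[GNUPG:]" ] || continue
    case $keyword in
      NO_PUBKEY)
        echo "key ${rest%% *} missing; try: gpg --refresh-keys $expected" >&2
        return 2 ;;
      EXPKEYSIG)
        echo "warning: signing key has expired" >&2 ;;
      VALIDSIG)
        # VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> <primary-fpr>
        set -- $rest
        if [ "${10}" = "$expected" ]; then result=0; fi ;;
    esac
  done
  [ "$result" -eq 0 ] || echo "no valid signature from primary key $expected" >&2
  return "$result"
}

# Compare a file against the SHA256 sum published in the signed release
# announcement (the second channel proposed in the thread).
check_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Full check: signature first, then the announced digest.
# usage: verify_release openvpn-2.4.9.tar.gz openvpn-2.4.9.tar.gz.asc <sha256>
verify_release() {
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | check_gpg_status "$OPENVPN_PRIMARY_FPR" || return $?
  check_sha256 "$1" "$3"
}
```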


[Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
can be downloaded from here:



This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810, trac #1272)
which allows disrupting service of a freshly connected client that has
not yet negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

A summary of all included changes is available here:



A full list of changes is available here:



Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that the Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:



Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:



The new OpenVPN GUI features are documented here:



Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)


Samuli

Antonio Quartulli (1):
  socks: use the right function when printing struct openvpn_sockaddr

Arne Schwabe (3):
  Fetch OpenSSL versions via source/old links
  Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
  Fix OpenSSL 1.1.1 not using auto elliptic curve selection

Gert Doering (1):
  Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst)

Lev Stipakov (4):
  Fix broken fragmentation logic when using NCP
  Fix building with --enable-async-push in FreeBSD
  Fix broken async push with NCP is used
  Fix illegal client float (CVE-2020-11810)

Maxim Plotnikov (1):
  OpenSSL: Fix --crl-verify not loading multiple CRLs in one file

Santtu Lakkala (1):
  Fix OpenSSL private key passphrase notices

Selva Nair (7):
  Swap the order of checks for validating interactive service user
  Move querying username/password from management interface to a function
  When auth-user-pass file has no password query the management interface (if available).
  Fix possibly uninitialized return value in GetOpenvpnSettings()
  Fix possible access of uninitialized pipe handles
  Skip expired certificates in Windows certificate store
  Allow unicode search string in --cryptoapicert option

Tom van Leeuwen (1):
  mbedTLS: Make sure TLS session survives move

WGH (1):
  docs: Add reference to X509_LOOKUP_hash_dir(3)


