Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-17 Thread Steffan Karger
Hi Jan Just,

On 13-03-19 13:13, Jan Just Keijser wrote:
> On 13/03/19 13:00, Samuli Seppänen wrote:
>> Here's the summary of the IRC meeting.
>>
>> Talked about releasing OpenVPN 2.x Windows installers with OpenSSL 1.1.1.
>> Agreed that this makes sense as people (on forums for example) already
>> take 2.4.x and replace the OpenSSL libraries forcibly. Mattock tested
>> openvpn-build with OpenSSL 1.1.1b and there were no issues - an NSI
>> installer was produced. The next Windows installer release will thus
>> have the latest OpenSSL 1.1.1 version. If serious issues are found we can
>> always have separate installer releases for OpenSSL 1.1.0 and 1.1.1
>> versions.
>>
> as always, thanks for the summary and chatlog; I really wanted to attend
> this morning but got stuck in a work meeting. There was something
> related to OpenSSL 1.1.1 support that I wanted to bring up:
> 
> OpenSSL 1.1.1 does TLS v1.3; does OpenVPN support TLS v1.3 (for the
> control channel) already?  If so, then it might be a good chance to
> change the internal key derivation stuff in OpenVPN:
> 
> TLS < 1.2   --> use the sha1+md5 routines (which is basically what TLS
> itself does for TLS < 1.1)
> TLS >= 1.3 --> use the "export_keying_material" routines in OpenSSL,
> which will create (sha2) keys for you, based on the connection parameters.
> 
> That way, we can slowly migrate users away from the sha1+md5 stuff,
> which will help with FIPS compliance as well.
> 
> Thoughts, anyone?

That would have been nice, except that older OpenVPN versions compiled
against newer OpenSSL sort-of can do TLS 1.3 already. So we can't really
couple the openvpn key derivation / PRF to the TLS version (without
breaking existing setups).

I've considered moving to using the key material exporter functionality
too, and it would be cleaner for us to use. As far as I know though,
mbed TLS doesn't support that extension. And that's tricky to work
around, because the extension needs access to TLS-internal key material.
In the end I think we might be better off by simply upgrading our
internal hash.

We discussed this two hackathons ago, but it didn't make it onto the 2.5
list. Mostly because for our usage, md5+sha1 is fine (all we need is
preimage resistance, not collision resistance). But as we already agreed
back then, even if it was for appearances only, we should migrate away
from it.

-Steffan
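To make concrete what the thread calls the "sha1+md5 routines", here is an added illustration (not code from the thread or from OpenVPN itself): the TLS 1.0-style PRF of RFC 2246 that OpenVPN's control channel key derivation uses, P_MD5 over one half of the secret XORed with P_SHA1 over the other, beside the single-hash TLS 1.2-style PRF of RFC 5246 that an "upgraded internal hash" would amount to. The secret and seed bytes are constructed sample values; only the label string is the one OpenVPN uses for its master secret derivation.

```python
# Added illustration, not code from the thread or from OpenVPN: the
# md5+sha1 PRF (RFC 2246 section 5) that OpenVPN's key derivation is built
# on, next to the single SHA-2 PRF of TLS 1.2 (RFC 5246 section 5).
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: split the secret into two halves (overlapping by one
    byte when the length is odd), expand S1 with MD5 and S2 with SHA-1, XOR.
    Only preimage resistance of the two hashes matters for this construction."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: a single P_hash over the whole secret with a SHA-2 hash."""
    return p_hash(hash_name, secret, label + seed, length)


if __name__ == "__main__":
    # Constructed sample inputs standing in for the pre-master secret and
    # the client/server random values that are mixed into the seed.
    secret = bytes(range(48))
    seed = b"constructed client random" + b"constructed server random"
    old = tls1_prf(secret, b"OpenVPN master secret", seed, 48)
    new = tls12_prf(secret, b"OpenVPN master secret", seed, 48)
    print("md5+sha1 PRF:", old.hex())
    print("sha256 PRF  :", new.hex())
```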


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-13 Thread Jan Just Keijser

Hi Samuli,

On 13/03/19 13:00, Samuli Seppänen wrote:
> Hi,
>
> Here's the summary of the IRC meeting.
>
> Talked about releasing OpenVPN 2.x Windows installers with OpenSSL 1.1.1.
> Agreed that this makes sense as people (on forums for example) already
> take 2.4.x and replace the OpenSSL libraries forcibly. Mattock tested
> openvpn-build with OpenSSL 1.1.1b and there were no issues - an NSI
> installer was produced. The next Windows installer release will thus
> have the latest OpenSSL 1.1.1 version. If serious issues are found we can
> always have separate installer releases for OpenSSL 1.1.0 and 1.1.1
> versions.

as always, thanks for the summary and chatlog; I really wanted to attend 
this morning but got stuck in a work meeting. There was something 
related to OpenSSL 1.1.1 support that I wanted to bring up:


OpenSSL 1.1.1 does TLS v1.3; does OpenVPN support TLS v1.3 (for the 
control channel) already?  If so, then it might be a good chance to 
change the internal key derivation stuff in OpenVPN:


TLS < 1.2   --> use the sha1+md5 routines (which is basically what TLS 
itself does for TLS < 1.1)
TLS >= 1.3 --> use the "export_keying_material" routines in OpenSSL, 
which will create (sha2) keys for you, based on the connection parameters.


That way, we can slowly migrate users away from the sha1+md5 stuff, 
which will help with FIPS compliance as well.


Thoughts, anyone?

JJK

PS it would also be useful to add something to the handshake protocol to 
allow the server to tell a *client* which version it is running; I am 
not aware of any way to do so, currently. Push-peer-info is 
client-to-server only.






[Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-13 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wednesday 12th March 2019
Time: 11:30 CET (10:30 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, dazo, mattock, plaisthos and rozmansi participated in this
meeting.

--

Discussed the OpenVPN 2.5 release. Agreed to strip out obsolete
deadlines from the status page:

https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25

Also agreed that "this year" is a reasonable goal.

--

Discussed tap-windows6 HLK testing / WHQL certification. Not much has
happened: we're close, but not there yet.

--

Talked about releasing OpenVPN 2.x Windows installers with OpenSSL 1.1.1.
Agreed that this makes sense as people (on forums for example) already
take 2.4.x and replace the OpenSSL libraries forcibly. Mattock tested
openvpn-build with OpenSSL 1.1.1b and there were no issues - an NSI
installer was produced. The next Windows installer release will thus
have the latest OpenSSL 1.1.1 version. If serious issues are found we can
always have separate installer releases for OpenSSL 1.1.0 and 1.1.1
versions.

--

Talked about the auto-gen-token patch set. The consensus seems to be
that the --tls-crypt-v2-genkey option should be renamed. Dazo or
plaisthos will send a rename patch soon.

--

Agreed to start having weekly meetings again. Hopefully this helps the
OpenVPN 2.5 release move forward at a quicker pace.

--

Full chatlog attached.
(12:30:13) rozmansi: hi
(12:31:12) mattock: hi!
(12:32:08) dazo: Hey!
(12:32:55) mattock2 ha abbandonato la stanza (quit: Quit: IRC for Sailfish 0.9).
(12:33:32) mattock: cron2?
(12:35:45) mattock: in any case, here's the topic 
list: https://community.openvpn.net/openvpn/wiki/Topics-2019-03-12
(12:35:47) vpnHelper: Title: Topics-2019-03-12 – OpenVPN Community (at 
community.openvpn.net)
(12:36:02) mattock: while we're waiting and discussing I will retry the msi 
build
(12:36:19) mattock: the last time I ran into completely unrelated samba issues
(12:40:51) cron2_: I'm here
(12:40:52) cron2_: sorry
(12:40:57) cron2_: got stuck in a *cough* meeting
(12:41:04) mattock: hi!
(12:41:57) mattock: so: 
https://community.openvpn.net/openvpn/wiki/Topics-2019-03-12
(12:41:59) vpnHelper: Title: Topics-2019-03-12 – OpenVPN Community (at 
community.openvpn.net)
(12:42:11) mattock: gcoxmoz requested updating 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(12:42:12) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:42:19) mattock: I think that makes perfect sense
(12:42:44) mattock: maybe start with 2.5 status update and go on from there?
(12:43:13) cron2_: well, nothing has really changed since that page was 
written, except that we slightly missed the schedule
(12:43:32) cron2_: so I'd remove the details from "Schedule" and replace this 
by "should happen this year"...
(12:43:37) mattock: ok
(12:43:44) mattock: objections?
(12:44:04) dazo: ack
(12:44:51) mattock: I shall get rid of the schedule
(12:48:09) dazo: let's just remove the dates; the release process looks 
reasonable
(12:48:30) cron2_: +1
(12:49:50) mattock: updated
(12:50:34) mattock: tap-windows6 updates next?
(12:50:42) mattock: "almost there, but not quite"
(12:50:54) cron2_: haven't heard anything new from Stephen
(12:51:22) cron2_: so, yes, what mattock1 said :-) - "almost there, but it's 
software, so 'not quite' could easily take a while"
(12:53:49) cron2_: so... rozmansi: using the time :-) - what's the current 
status of the MSI work?  Are we waiting for you, are you waiting for us?
(12:53:56) cron2_: (everybody waiting for mattock1)
(12:53:56) rozmansi: Just a quick status update - MSI support for 2.5 is more 
or less finished. Few things still missing are user manual and 
testing-testing-testing. I am struggling to find time to address those.
(12:54:47) dazo: rozmansi: could you just add that into the status field of the 
2.5 status page?  And put you alongside with the mattock?  (It's the first 
"must have" item for 2.5)
(12:54:58) mattock: I'll try to do smoke-testing of the openvpn-build part of 
MSI now
(12:55:07) dazo: but this is quite good progress after all on the MSI stuff
(12:55:08) mattock: I have vagrantified the msibuilder setup
(12:55:30) mattock: the last time I failed because of dependency issues 
(gzip.exe etc.)
(12:55:30) cron2_: rozmansi: which of the bits are waiting on us?  
openvpn-build PRs?
(12:55:34) cron2_: for us
(12:55:40) mattock: at least those cron2
(12:56:18) eworm [~eworm@archlinux/developer/eworm] è entrato nella stanza.
(12:56:50) rozmansi: dazo: status page updated
(12:56:53) dazo: thx!
(12:58:12) rozmansi: cron2_: yep, openvpn-build PR is still waiting to get 
merged. Probably after mattock1 (an