Acked-by: Gert Doering
"Because it makes sense" :-) - and of course I've tested that it
works - built a new plugin, ran with the previously-used openvpn
binary, and it nicely fails
AUTH-PAM: This plugin is incompatible with the running version of OpenVPN
Wed Aug 8 09:25:43 2018 us=345993
Like 'proto', a mismatch in key-method, keydir or tls-auth would fail
before we ever get to the point where we can print this warning.
This prepares for removing these from the occ string later on, but also
prepares for tls-crypt-v2, which allows a server to support tls-auth and
tls-crypt-v2
Your patch has been applied to the master branch.
(I have not run extra tests - no buildbot explosions are to be expected,
and if Antonio says "key generation has been tested" that is about all
the function does today. The code looks good, visually :) )
The "Thu" comment has been changed to
Acked-by: Gert Doering
Looks good and passes my use case ("PIN set, OTP empty"). So it was
not a bug in the openvpn client at all, I just misread the logs.
Since I join PIN+OTP into one string passed to PAM anyway, I also tested
"PIN empty, OTP set" and that works just as well. Thanks.
Your
Hi,
Thanks for the v2.
On Wed, Aug 8, 2018 at 7:35 AM, Jonathan K. Bullard via Openvpn-devel
wrote:
> Clarify and expand the documentation for the management interface:
>
> * Add examples of static and dynamic challenge/response sequences in
> the "COMMAND -- password and username" section.
>
>
Hi,
just a reminder about \- in openvpn.8
and one missing space
hope this helps :-)
On 08/08/18 14:36, Steffan Karger wrote:
To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administrators to
run an external command to verify
Thanks, Selva. I agree with all of your comments except two, details below:
On August 2, 2018 11:32 AM, Selva Nair wrote:
> > >NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert
> > your cryptographic token
> >
> >
> > - The management client, if it is a GUI, can
Clarify and expand the documentation for the management interface:
* Add examples of static and dynamic challenge/response sequences in
the "COMMAND -- password and username" section.
* Expand the "Challenge/Response" section with more detail.
* Use "management interface client" throughout
Hi,
I have had my arm twisted into doing some spell checking of docs.
There is one spelling error (an old overlooked one)
which you could fix with this patch. (inline)
On 08/08/18 12:35, Jonathan K. Bullard via Openvpn-devel wrote:
Clarify and expand the documentation for the management
Add helper functions to unwrap tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
v3: Include length in WKc
v4: Rebase on v4 patch set
src/openvpn/buffer.h | 7 +
src/openvpn/tls_crypt.c | 120 ++
As a first step towards a full tls-crypt-v2 implementation, add
functionality to generate tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger
---
v3: Include length in WKc
v4: Fix option verification (use ce->tls_*, not options->ce.tls_*)
doc/openvpn.8 | 51 +
This makes clients send-and-use, and servers receive-unwrap-and-use
tls-crypt-v2 client keys, which completes the on-the-wire work.
Signed-off-by: Steffan Karger
---
v3: include length in WKc, rebase on current master / v3 patch set
v4: resolve merge conflict (fixes memory leak)
To allow rejecting incoming connections very early in the handshake,
add a --tls-crypt-v2-verify option that allows administrators to
run an external command to verify the metadata from the client key.
See doc/tls-crypt-v2.txt for more details.
Because of the extra dependencies, this requires
13 matches