[Openvpn-devel] [PATCH applied] Re: Propagate route error to initialization_completed()

2023-01-10 Thread Gert Doering
Acked-by: Gert Doering We discussed this previously, and it makes sense to take "route addition errors" into account, even if we consciously decided (long before I got involved...) that we consider these non-fatal, unlike ifconfig errors. I have stared at the code, and it looks reasonable (we

Re: [Openvpn-devel] [PATCH v4] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2023-01-10 Thread Frank Lichtenheld
On Mon, Jan 09, 2023 at 05:36:06PM +0100, Arne Schwabe wrote: > Am 09.01.23 um 16:01 schrieb Frank Lichtenheld: > > On Mon, Dec 12, 2022 at 12:27:45PM +0100, Arne Schwabe wrote: > > > Currently we have only one slot for renegotiation of the session/keys. > > > If a replayed/faked packet is

[Openvpn-devel] [PATCH] xkey_pkcs11h_sign: fix dangling pointer

2023-01-10 Thread Frank Lichtenheld
Warning by GCC 12: pkcs11_openssl.c:237:22: warning: dangling pointer ‘tbs’ to ‘enc’ may be used [-Wdangling-pointer=] Signed-off-by: Frank Lichtenheld --- src/openvpn/pkcs11_openssl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/openvpn/pkcs11_openssl.c

[Openvpn-devel] [PATCH applied] Re: Update copyright year to 2023

2023-01-10 Thread Gert Doering
Acked-by: Gert Doering "Automatic and really easy to verify" ("git show -I Copyright") The patch seems to be too big for mail-archive.com to archive it (wat?) - it's not visible there, so pointing URL: to patchwork. Your patch has been applied to the master and release/2.6 branch. commit

[Openvpn-devel] [PATCH applied] Re: xkey_pkcs11h_sign: fix dangling pointer

2023-01-10 Thread Gert Doering
Haven't tested this beyond "does it compile on Github?" - it looks correct, though :-) Your patch has been applied to the master branch. commit 202b34da386c8574692111bad23814602d0e09f5 (master) commit 71f3a109f9f73f0d978f58e08caed896c064767f (release/2.6) Author: Frank Lichtenheld Date: Tue

Re: [Openvpn-devel] [PATCH v2 4/4] Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2023-01-10 Thread Gert Doering
Hi, On Tue, Dec 27, 2022 at 11:12:44AM +0100, Gert Doering wrote: > Playing around with the patch a bit, the offending piece seems to be > "mi->context.options.verbosity >= D_DCO_DEBUG" - which is unsurprising, > as D_DCO_DEBUG is not "6" but "LOGLEV(6, 69, M_DEBUG)", which translates > to > >

[Openvpn-devel] [PATCH] check_engine_keys: make pass with OpenSSL 3

2023-01-10 Thread Frank Lichtenheld
Not enabled by default with OpenSSL 3, so we don't see this in our builds. While here add missing entries to .gitignore (which is what made me look at engine-key test in the first place). Signed-off-by: Frank Lichtenheld --- .gitignore | 4

Re: [Openvpn-devel] [PATCH] xkey_pkcs11h_sign: fix dangling pointer

2023-01-10 Thread Selva Nair
Hi, On Tue, Jan 10, 2023 at 8:21 AM Frank Lichtenheld wrote: > Warning by GCC 12: > pkcs11_openssl.c:237:22: warning: > dangling pointer ‘tbs’ to ‘enc’ may be used [-Wdangling-pointer=] > > Signed-off-by: Frank Lichtenheld > --- > src/openvpn/pkcs11_openssl.c | 6 +++--- > 1 file changed, 3

Re: [Openvpn-devel] [PATCH v15] Add DNS SRV remote host discovery support

2023-01-10 Thread Gert Doering
Hi, On Thu, Dec 29, 2022 at 12:27:46PM +0500, Vladislav Grishenko wrote: > client will move on to the next connection entry. > > v15: > rebase to master (Dec 2022) > add optional port argument to --remote and --remote-srv usage message > fix --proto option coexisting with

Re: [Openvpn-devel] [PATCH] Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode

2023-01-10 Thread Antonio Quartulli
Hi, On 09/01/2023 21:00, Gert Doering wrote: p2p --tls-server with no active client/peer logs once per second "dco_update_keys: peer_id=-1" which does exactly nothing, except fill the disk. So skip the call to dco_update_keys() if peer_id == -1. Signed-off-by: Gert Doering ---

[Openvpn-devel] [PATCH applied] Re: Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode

2023-01-10 Thread Gert Doering
Antonio, thanks for the review. Fixed the whitespace. (Uncrustify did not see it since the patch was ad-hoc written on a system that does not have the hook - but my pre-merge hook would have caught it). Patch has been applied to the master and release/2.6 branch. commit

[Openvpn-devel] [PATCH v2] Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2023-01-10 Thread Arne Schwabe
This enables logging the peer id in p2mp mode if dco is enabled and the log level is high enough Patch v2: use check_debug_level to check current log level Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/openvpn/multi.c
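
The comparison problem Gert traced in the earlier reply ("mi->context.options.verbosity >= D_DCO_DEBUG" never fires because D_DCO_DEBUG is LOGLEV(6, 69, M_DEBUG), not 6) and the v2 change to check_debug_level() in one runnable model. This is an added example, not code from the thread or from OpenVPN: the flag bit and mute-level shift positions are assumptions chosen for illustration, and level_check() is an own re-implementation of the idea behind check_debug_level(), not the project's function.

```c
/* Added example, not OpenVPN code: a model of how OpenVPN's LOGLEV() packs a
 * debug level, a mute level and message flags into one int, and why the
 * test "verbosity >= D_DCO_DEBUG" from the thread can never be true.
 * Bit positions and the flag value are assumptions for illustration; the
 * project's error.h is the authority. */
#include <stdbool.h>
#include <stdio.h>

#define M_DEBUG_LEVEL   0x0F                          /* low nibble: the level */
#define M_DEBUG         (1 << 7)                      /* assumed flag bit */
#define ENCODE_MUTE_LEVEL(m) (((m) & 0xFF) << 24)     /* assumed position */
#define LOGLEV(level, mute, other) ((level) | ENCODE_MUTE_LEVEL(mute) | (other))

/* Same arguments as the constant quoted in the thread. */
#define D_DCO_DEBUG LOGLEV(6, 69, M_DEBUG)

/* The v1 test as described: a small --verb number against the packed
 * constant, which is far larger than any verbosity value. Never true. */
static bool buggy_should_log(int verbosity)
{
    return verbosity >= D_DCO_DEBUG;
}

/* Own re-implementation of the idea behind check_debug_level(): mask the
 * level out of the packed constant before comparing. */
static bool level_check(int verbosity, int packed)
{
    return verbosity >= (packed & M_DEBUG_LEVEL);
}

static bool fixed_should_log(int verbosity)
{
    return level_check(verbosity, D_DCO_DEBUG);
}

/* The plain level hidden inside the constant. */
static int dco_debug_level(void)
{
    return D_DCO_DEBUG & M_DEBUG_LEVEL;
}

int main(void)
{
    printf("D_DCO_DEBUG = %d, level = %d\n", D_DCO_DEBUG, dco_debug_level());
    for (int v = 0; v <= 11; v++) {
        printf("--verb %2d: buggy=%d fixed=%d\n", v, buggy_should_log(v), fixed_should_log(v));
    }
    return 0;
}
```

Running it prints buggy=0 for every --verb value and fixed=1 from --verb 6 upward; the same shape of mistake applies to any comparison against a LOGLEV()-style constant, which is why the helper rather than the raw compare is the right tool.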

[Openvpn-devel] [PATCH applied] Re: Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled

2023-01-10 Thread Gert Doering
Acked-by: Gert Doering Works and helps with DCO debugging. Some of the messages look a bit stupid now... so we might want to go and polish :-) .. gremlin14943/194.97.140.21:12404 peer-id=9 dco_update_keys: peer_id=9 .. gremlin14833/194.97.140.21:11036 peer-id=11 dco_update_keys: peer_id=11 ..

Re: [Openvpn-devel] Conditions under which a connection entry could be disabled

2023-01-10 Thread Gert Doering
Hi, On Tue, Jan 10, 2023 at 04:42:50PM -0500, Selva Nair wrote: > I'm trying to get this info into the GUI for handling > "--management-query-remote". Selecting a disabled entry from the UI would > lead to erratic behaviour. Ideally this info (CE_DISABLED state) should be > included in the

Re: [Openvpn-devel] Conditions under which a connection entry could be disabled

2023-01-10 Thread Selva Nair
On Tue, Jan 10, 2023 at 4:56 PM Gert Doering wrote: > Hi, > > On Tue, Jan 10, 2023 at 04:42:50PM -0500, Selva Nair wrote: > > I'm trying to get this info into the GUI for handling > > "--management-query-remote". Selecting a disabled entry from the UI > would > > lead to erratic behaviour.

Re: [Openvpn-devel] Conditions under which a connection entry could be disabled

2023-01-10 Thread Selva Nair
Correction: > (i) --proto-force is in effect : configs not matching with the forced protocol are disabled configs --> connection entries > (ii) --http-proxy-override : UDP profiles get disabled. profiles --> connection entries On Tue, Jan 10, 2023 at 4:42 PM Selva Nair wrote: > Hi, > > I

Re: [Openvpn-devel] [PATCH v15] Add DNS SRV remote host discovery support

2023-01-10 Thread Vladislav Grishenko
Hi, sure, will do. Yes, I’ve noticed undesired code dup in v14 and have fixed everything found in v15 rebase, same will be rechecked in v16 of course. Thanks! Wed, 11 Jan 2023 at 01:05, Gert Doering : > Hi, > > On Thu, Dec 29, 2022 at 12:27:46PM +0500, Vladislav Grishenko wrote: > > client

[Openvpn-devel] Conditions under which a connection entry could be disabled

2023-01-10 Thread Selva Nair
Hi, I see two situations under which a connection-entry (remote) could be disabled while iterating through the list of remotes: (i) --proto-force is in effect : configs not matching with the forced protocol are disabled (ii) --http-proxy-override : UDP profiles get disabled. This looks like an

[Openvpn-devel] [PATCH] Include CE_DISABLED status of remote in "remote-entry-get" response

2023-01-10 Thread selva . nair
From: Selva Nair - The response to the management command "remote-entry-get" is amended to include the status of the remote entry. The status reads "disabled" if (ce->flag & DISABLED) is true, "enabled" otherwise. - Update and correct the description of this option in

Re: [Openvpn-devel] [PATCH] Include CE_DISABLED status of remote in "remote-entry-get" response

2023-01-10 Thread Selva Nair
Error in commit message: 0,vpn.example.org,udp,enabled > 2,vpn.example.net,tcp-client,disabled > 1,vpn.example.com,udp,enabled > That should have been 0,vpn.example.org,udp,enabled 1,vpn.example.net,tcp-client,disabled 2,vpn.example.com,udp,enabled with indices 0, 1, 2 ordered.

[Openvpn-devel] [PATCH applied] Re: Include CE_DISABLED status of remote in remote-entry-get response

2023-01-10 Thread Gert Doering
Acked-by: Gert Doering This is really straightforward. Tested with my .ovpn full with generated "remote" lines, some of them changed to "tcp", and "--proto-force tcp-client" .. 190,1185.server.org,1185,udp,disabled 191,1186.server.org,1186,udp,disabled 192,1187.server.org,1187,udp,disabled
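
The consumer side of this change, as an added example that is not part of the thread, of OpenVPN or of openvpn-gui: a management client (the GUI case Selva describes, where offering a disabled entry leads to erratic behaviour) parsing "remote-entry-get" output with the new status word and picking only enabled entries. The line shapes are taken from the two listings in the thread, the four-field one from the corrected commit message and the five-field one with a port from the test output above; that both shapes occur, that status is exactly "enabled" or "disabled", and that the reply closes with an "END" line are assumptions. The sample reply is constructed.

```c
/* Added example, not OpenVPN or openvpn-gui code: parse the reply a
 * management client gets from "remote-entry-get" once the status word from
 * this thread is appended, and let a picker skip disabled entries. Assumed
 * line shapes, from the two forms shown in the thread: "index,host,proto,status"
 * or "index,host,port,proto,status"; "END" closes the reply (assumed). */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_FIELD   64

struct remote_entry {
    int  index;
    char host[MAX_FIELD];
    int  port;                 /* -1 when the line carried no port field */
    char proto[MAX_FIELD];
    bool enabled;
};

/* Split on commas into at most max_fields; -1 if a field is too long or there are too many. */
static int split_fields(const char *line, char fields[][MAX_FIELD], int max_fields)
{
    int n = 0;
    while (n < max_fields) {
        const char *comma = strchr(line, ',');
        size_t len = comma ? (size_t)(comma - line) : strlen(line);
        if (len >= MAX_FIELD) return -1;
        memcpy(fields[n], line, len);
        fields[n++][len] = '\0';
        if (!comma) return n;
        line = comma + 1;
    }
    return -1;
}

/* Strict decimal parse within [lo, hi]; rejects empty input and trailing junk. */
static bool parse_number(const char *s, long lo, long hi, int *out)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < lo || v > hi) return false;
    *out = (int)v;
    return true;
}

/* One entry line. Malformed input is rejected, never treated as "enabled". */
static bool parse_remote_entry(const char *line, struct remote_entry *out)
{
    char f[5][MAX_FIELD];
    int n = split_fields(line, f, 5);
    if (n != 4 && n != 5) return false;
    if (!parse_number(f[0], 0, 1000000, &out->index)) return false;
    strcpy(out->host, f[1]);
    out->port = -1;
    if (n == 5 && !parse_number(f[2], 1, 65535, &out->port)) return false;
    strcpy(out->proto, f[n - 2]);
    if (strcmp(f[n - 1], "enabled") == 0) out->enabled = true;
    else if (strcmp(f[n - 1], "disabled") == 0) out->enabled = false;
    else return false;
    return true;
}

/* Whole reply up to "END". Returns the entry count, or -1 on any bad line. */
static int parse_response(const char *resp, struct remote_entry *entries, int max)
{
    int count = 0;
    while (*resp) {
        const char *nl = strchr(resp, '\n');
        size_t len = nl ? (size_t)(nl - resp) : strlen(resp);
        char line[256];
        if (len >= sizeof(line)) return -1;
        memcpy(line, resp, len); line[len] = '\0';
        if (strcmp(line, "END") == 0) break;
        if (len > 0) {
            if (count >= max || !parse_remote_entry(line, &entries[count])) return -1;
            count++;
        }
        if (!nl) break;
        resp = nl + 1;
    }
    return count;
}

/* What a GUI picker needs: first enabled entry with index >= from, else -1. */
static int next_enabled(const struct remote_entry *e, int count, int from)
{
    for (int i = 0; i < count; i++)
        if (e[i].enabled && e[i].index >= from) return e[i].index;
    return -1;
}

/* Constructed sample in the shape of the corrected commit-message listing. */
static const char *sample_response =
    "0,vpn.example.org,udp,enabled\n"
    "1,vpn.example.net,tcp-client,disabled\n"
    "2,vpn.example.com,udp,enabled\n"
    "END\n";

/* Parse the sample and pick from it; -2 signals a parse failure. */
static int sample_next_enabled(int from)
{
    struct remote_entry e[MAX_ENTRIES];
    int n = parse_response(sample_response, e, MAX_ENTRIES);
    return n < 0 ? -2 : next_enabled(e, n, from);
}
```

With the sample reply, sample_next_enabled(1) returns 2 because entry 1 is disabled; an unknown status word, a bad index or an out-of-range port makes the whole reply fail rather than silently producing an entry the user could select.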

Re: [Openvpn-devel] [PATCH] check_engine_keys: make pass with OpenSSL 3

2023-01-10 Thread Gert Doering
Hi, On Tue, Jan 10, 2023 at 06:02:57PM +0100, Frank Lichtenheld wrote: > @@ -27,7 +27,7 @@ ${top_builddir}/src/openvpn/openvpn --cd > ${top_srcdir}/sample --config sample-co > # first off check we died because of a key mismatch. If this doesn't > # pass, suspect openssl of returning different