Re: [Openvpn-devel] [PATCH] Have the same username/password length regardless of PKCS#11 enablement

2016-09-22 Thread Jonathan K. Bullard
On Thu, Sep 22, 2016 at 6:04 AM, David Sommerseth wrote: > If running an OpenVPN client with --enable-pkcs11 and a server without > and having a username and/or password with more than 128 characters, > the authentication will fail as the server truncates the password > to 128

Re: [Openvpn-devel] Preview of OpenVPN 2.1.4 Debian and Ubuntu packages

2010-11-05 Thread Jonathan K. Bullard
(I'm the primary developer of Tunnelblick, the OS X GUI for OpenVPN, having taken over from Angelo Laub.) Can someone make sure the release notes get updated when a release is made? It's hard to decide whether/when to include a new version of OpenVPN into Tunnelblick without knowing what is in

Re: [Openvpn-devel] [PATCH] Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook

2012-01-25 Thread Jonathan K. Bullard
Hi. On Tue, Jan 24, 2012 at 6:38 AM, David Sommerseth wrote: > > This patch adds a script/plug-in hook which is called right before the > network routes are taken down.  This is to give external processes a > possibility to tear down communication over the VPN before the VPN >

Re: [Openvpn-devel] [PATCH] Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook

2012-01-26 Thread Jonathan K. Bullard
On Wed, Jan 25, 2012 at 5:18 PM, Gert Doering wrote: >> If so, shouldn't patches that >> change the interface include appropriate changes to the man page? > > ... and so does the patch.  At least my copy of it had a section starting > with My apologies. I didn't connect that

Re: [Openvpn-devel] OpenVPN 2.3-alpha1 preview 1 installer now available

2012-02-22 Thread Jonathan K. Bullard
2012/2/21 Samuli Seppänen > A preview of OpenVPN 2.3-alpha1 installer for Windows is now available > here: > > I realize that this post was aimed at Windows, but building on OS X 10.6.8

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jonathan K. Bullard
> > > I never used script with openvpn. I've no idea which are real world > > applications for it. > > Scripts are for creative uses that the programmers of openvpn have not > foreseen. Like "after the VPN is up, auto-sync all your git repositories" > or "open up a few xterms with ssh's to

[Openvpn-devel] 2.3alpha1 fails on OS X when the --up argument contains more than an execution path

2012-03-07 Thread Jonathan K. Bullard
I'm the developer for Tunnelblick (open source GUI for OS X), having taken over from Angelo Laub a couple of years ago. I'd like to make a beta of Tunnelblick with OpenVPN 2.3alpha1 available for testing, but the alpha has a bug that makes it useless for most users of Tunnelblick. Lots of people

Re: [Openvpn-devel] 2.3alpha1 fails on OS X when the --up argument contains more than an execution path

2012-03-08 Thread Jonathan K. Bullard
On Wed, Mar 7, 2012 at 9:10 AM, David Sommerseth wrote: [skipped] > > OpenVPN 2.3alpha1 fails when the argument to "--up" contains more > > than an execution path. The problem also occurs for the "--down" > > option and the new "--route-pre-down" option (and

Re: [Openvpn-devel] 2.3alpha1 fails on OS X when the --up argument contains more than an execution path

2012-03-28 Thread Jonathan K. Bullard
On Fri, Mar 23, 2012 at 10:18 AM, Gert Doering wrote: > Hi, Thank you, Gert, for your detailed comments on my first attempt at this patch. The patch is meant to fix problems in the new-in-2.3 checking of options before trying to create the connection. Options that accept

Re: [Openvpn-devel] 2.3alpha1 fails on OS X when the --up argument contains more than an execution path

2012-03-28 Thread Jonathan K. Bullard
On Wed, Mar 28, 2012 at 9:57 AM, Fabian Knittel wrote: gc_arena instances are used by explicitly passing a pointer to it. So, > unless one of the functions takes an instance of gc_arena as a > parameter, you don't need to prepare one. As many functions in OpenVPN > take

[Openvpn-devel] OpenVPN 3.3_alpha2 build problem

2012-07-07 Thread Jonathan K. Bullard
I'm trying to include OpenVPN 3.3_alpha2 in Tunnelblick (OS X GUI for OpenVPN), but get the following error when compiling OpenVPN on OS X: configure: error: lzo enabled but missing I am not familiar with the new OpenVPN build process, but I assume this is

[Openvpn-devel] New build system questions

2012-07-16 Thread Jonathan K. Bullard
I'm in the process of trying to build 2.3_alpha2 into Tunnelblick. It's slow going because of my unfamiliarity with make/automake, etc. I have several questions: (1) Is there a way to disable building "openvpnserv" and the "auth-pam" plugin? (Other than modifying src/Makefile.am and

Re: [Openvpn-devel] OpenVPN 3.3_alpha2 build problem

2012-07-16 Thread Jonathan K. Bullard
;-Lxxx -Lyyy -Lzzz" doesn't build. It gets "ld: library not found for -llzo2". On Mon, Jul 16, 2012 at 7:24 PM, Jonathan K. Bullard > <jkbull...@gmail.com> wrote: > > Thank you, Arne and Alon -- I finally managed to get Tunnelblick > > more-or-less built us

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Tue, Jun 26, 2012 at 1:05 PM, Alon Bar-Lev wrote: > Currently openvpn requires/endorses specifying full path in plugin > parameter. As build system already aware of plugin location, it is > possible to load plugin relative to this directory, so full path is not >

Re: [Openvpn-devel] New build system questions

2012-07-18 Thread Jonathan K. Bullard
On Mon, Jul 16, 2012 at 12:45 PM, Alon Bar-Lev wrote: > > (1) Is there a way to disable building "openvpnserv" and the "auth-pam" > > plugin? > --disable-plugin-auth-pam > Thanks. I have found the configure documentation. However, I can't get it to do what I want it to do:

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Wed, Jul 18, 2012 at 9:37 AM, Alon Bar-Lev wrote: > Nobody disables the absolute path use. > This patch permits relative use. > I'm sorry, I misunderstood. So a relative path will now be interpreted as relative to the plugins directory specified at build time, rather

Re: [Openvpn-devel] [PATCH] plugin: load plugin relative to plugindir

2012-07-18 Thread Jonathan K. Bullard
On Wed, Jul 18, 2012 at 10:10 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote: > * The computer is configured to allow OpenVPN to run without root > password > Yes. The vulnerability requires configuring the computer to allow *the user* to start OpenVPN *as root* without entering

[Openvpn-devel] Bug in program, bug in documentation, or something else?

2012-10-21 Thread Jonathan K. Bullard
A Tunnelblick user has reported odd behavior with name resolution failures. I can't tell if it is a bug in OpenVPN, a bug in the documentation, or something else. The behavior is apparently the same in OpenVPN 2.2.1 and 2.3alpha1. The 2.3 man page says: > --resolv-retry n > If hostname

Re: [Openvpn-devel] Bug in program, bug in documentation, or something else?

2012-10-22 Thread Jonathan K. Bullard
On Sun, Oct 21, 2012 at 7:03 PM, Eric Crist wrote: > This sounds like a Tunnelblick failure. I'd suggest checking with them > first, they do all sorts of things with scripts and such. > Thanks, but *I'm* the current Tunnelblick developer! You're correct that Tunnelblick does a lot in its

Re: [Openvpn-devel] Bug in program, bug in documentation, or something else?

2012-10-22 Thread Jonathan K. Bullard
if this behavior was introduced in 2.2) and post them on this thread. On Mon, Oct 22, 2012 at 6:11 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote: > On 22/10/12 10:48, Gert Doering wrote: > > Hi Jonathan, > > > > On Sun, Oct 21, 2012 at 06:40:08PM -0400

Re: [Openvpn-devel] [PATCH] Add support of utun devices under Mac OS X

2013-04-01 Thread Jonathan K. Bullard
On Mon, Apr 1, 2013 at 7:12 AM, Gert Doering wrote: > Hi, > > On Sun, Mar 31, 2013 at 10:43:29PM +0200, Arne Schwabe wrote: >> Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" >> utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and

Re: [Openvpn-devel] [PATCH] Add support of utun devices under Mac OS X

2013-04-01 Thread Jonathan K. Bullard
On Mon, Apr 1, 2013 at 10:29 AM, Arne Schwabe <a...@rfc2549.org> wrote: > > Am 01.04.13 15:26, schrieb Jonathan K. Bullard: > >> On Mon, Apr 1, 2013 at 7:12 AM, Gert Doering <g...@greenie.muc.de> wrote: >>> >>> Hi, >>> >>> On Sun, Mar

Re: [Openvpn-devel] [PATCH] Add support of utun devices under Mac OS X

2013-04-01 Thread Jonathan K. Bullard
On Mon, Apr 1, 2013 at 11:06 AM, Arne Schwabe wrote: > > >> The "standard" utun.ko driver is sometimes problematic (e.g. VmWare >> Fusion 5 and tun.ko do not work together). >> >> If it is the other way around (use tun if it is available and if not, >> try utun) then

Re: [Openvpn-devel] [PATCH] Add support of utun devices under Mac OS X

2013-04-01 Thread Jonathan K. Bullard
49.org> wrote: > Am 01.04.13 17:18, schrieb Jonathan K. Bullard: > > On Mon, Apr 1, 2013 at 11:06 AM, Arne Schwabe <a...@rfc2549.org> wrote: >> >>> >>> The "standard" utun.ko driver is sometimes problematic (e.g. VmWare >>>>>>&g

Re: [Openvpn-devel] building on OSX (for Tunnelblick) (was: [PATCH] Add support of utun devices under Mac OS X)

2013-04-01 Thread Jonathan K. Bullard
On Mon, Apr 1, 2013 at 2:48 PM, Gert Doering <g...@greenie.muc.de> wrote: > On Mon, Apr 01, 2013 at 09:26:04AM -0400, Jonathan K. Bullard wrote: > > I don't have an opinion about including it in 2.3.2 vs. 2.4 -- I still > > can't get anything after 2.3alpha1 to build pro

Re: [Openvpn-devel] building on OSX (for Tunnelblick)

2013-04-02 Thread Jonathan K. Bullard
On Tue, Apr 2, 2013 at 9:46 AM, Arne Schwabe wrote: > > Tunnelblick is still being built on OS X 10.6.8 with Xcode 3.2.2 > > because it still supports PowerPC, which later versions of Xcode > > (which are required for use on 10.7+) don't support. > Is there a specific reason

Re: [Openvpn-devel] [Patch v2] Add support of utun devices under Mac OS X

2013-06-20 Thread Jonathan K. Bullard
On Tue, Jun 18, 2013 at 1:23 AM, Arne Schwabe wrote: > > Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" > utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko do > not work together). > > When OpenVPN is compiled with utun

Re: [Openvpn-devel] [Patch v3.1] Add support of utun devices under Mac OS X

2013-06-20 Thread Jonathan K. Bullard
On Thu, Jun 20, 2013 at 4:58 AM, Arne Schwabe wrote: > I have a OS X 10.6 VM with Xcode 3.2.6 installed and this VM has the > if/utun.h header. It probably was added somewhere between 10.6.0 and 10.6.8. Ah. Thanks for mentioning this. That makes sense. > I changed the M_ERR to

Re: [Openvpn-devel] [Patch v6] Add support of utun devices under Mac OS X

2013-06-20 Thread Jonathan K. Bullard
On Thu, Jun 20, 2013 at 1:28 PM, Gert Doering wrote: > > Hi, > > On Thu, Jun 20, 2013 at 04:38:43PM +0200, Arne Schwabe wrote: > > v6: add commit message change log, replace strstr with strncmp, move > > #includes to the top of the file > > > > This looks good to me. It

Re: [Openvpn-devel] [Patch v7] Add support of utun devices under Mac OS X

2013-06-27 Thread Jonathan K. Bullard
On Fri, Jun 21, 2013 at 6:48 AM, Arne Schwabe wrote: > Mac OS X 10.7+ natively supports tun devices (called utun). The "standard" > utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko do > not work together). > > When OpenVPN is compiled with utun support

Re: [Openvpn-devel] English language? Re: [PATCH] Support non-ASCII characters in Windows tmp path

2013-12-04 Thread Jonathan K. Bullard
On Wed, Dec 4, 2013 at 4:35 AM, Matthias Andree wrote: > Am 19.11.2013 18:36, schrieb Heiko Hund: > > + msg (M_WARN, "Could not get temporary directory. Path is too > long." > > + " Consider to use --tmp-dir"); > > I think when touching the code, we ought to
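
Review bot: the warning string in the added msg() call ends with "Consider to use --tmp-dir", which is not idiomatic English; "Consider using --tmp-dir" reads better. The message also names "Path is too long." as the cause, so it should be emitted only where path length is the actual reason the temporary directory could not be obtained.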

Re: [Openvpn-devel] [Openvpn-users] [PATCH] Add support for specifying the syslog facility, as requested in trac #188.

2014-05-02 Thread Jonathan K. Bullard
On Fri, May 2, 2014 at 11:20 AM, David Sommerseth < openvpn.l...@topphemmelig.net> wrote: > The core principle in OpenVPN's option > parsing is that the last argument wins. So if you have f.ex. --ping-exit > 3 > times in a command line and two times in a config file, it's the last one > which

[Openvpn-devel] Recently-disclosed LZO vulnerability and OpenVPN's use of LZO

2014-06-29 Thread Jonathan K. Bullard
A recent *"Lab Mouse Security research blog" entry* claimed that a bug exists in several implementations of the LZO algorithm commonly used by OpenVPN and that the bug causes a security vulnerability. A rebuttal on

Re: [Openvpn-devel] Easy-RSA v3 release planning

2014-07-15 Thread Jonathan K. Bullard
On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek wrote: > The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit > 8b1fe01.) While I hope this isn't a common need, the fix was simple > enough, and this is still a supported OpenSSL version. > Any update on the

Re: [Openvpn-devel] Easy-RSA v3 release planning

2014-07-15 Thread Jonathan K. Bullard
22:57:29, Jonathan K. Bullard <jkbull...@gmail.com> > wrote: > > > On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek <josh.ce...@usa.net> wrote: > > The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit > > 8b1fe01.) While I hope this isn't a common

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jonathan K. Bullard
On Tue, Oct 21, 2014 at 5:11 AM, Gert Doering wrote: > This will hopefully be fixed in 2.4 with the interactive service, we just > need to find time for Heiko to find the code and send it to us :-) (but > I've already seen it last year) Is there any documentation for the new

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jonathan K. Bullard
On Tue, Oct 21, 2014 at 6:43 AM, Gert Doering wrote: > Yes, exactly. In essence, you have a windows service running with full > privileges, which is instructed by the GUI to run an openvpn.exe process > (with user privs, so OpenVPN can't do damage) and OpenVPN communicates >

[Openvpn-devel] [PATCH] Fix mismatch of fprintf format specifier and argument type

2015-02-06 Thread Jonathan K. Bullard
This fixes a warning about a mismatch between a fprintf format string and an argument type on Darwin-64-bit builds: %lu specifies type 'unsigned long' but the argument has type '__darwin_suseconds_t' (aka 'int') --- openvpn/src/openvpn/error.c 2015-01-23 13:17:50.0 -0500 +++

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering wrote: > > On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote: > > > What do you think of the change? > > I like the idea. You could make the macos-keychain in the string optional. > > What Arne said (both parts of it)

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 8:10 AM, David Woodhouse wrote: > On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: >> >> All fine. My rationale was like, if I want a certificate with a certain >> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for men >> whether

[Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-04-17 Thread Jonathan K. Bullard
I would like to propose a patch which complains if OpenVPN options include parameters that are not expected. If possible, I would like to get a "feature ACK" consensus before I create the patch. (If I get a "feature NAK" then I won't create the patch.) The patch would be to reject options that

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-04 Thread Jonathan K. Bullard
On Sun, May 3, 2015 at 12:33 PM, Steffan Karger <stef...@karger.me> wrote: > On 17-04-15 11:28, Jonathan K. Bullard wrote: > > I would like to propose a patch which complains if OpenVPN options > > include parameters that are not expected. > > I agree that silentl

Re: [Openvpn-devel] Request peer review of modified OpenVPN client software

2015-05-12 Thread Jonathan K. Bullard
On Tue, May 12, 2015 at 7:27 AM, Lisa Minogue wrote: > Can I conclude from your above statements that applying obfuscation > patches to the standard OpenVPN client software may actually introduce > security vulnerabilities? > The openvpn_xorpatch

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-18 Thread Jonathan K. Bullard
On Mon, May 4, 2015 at 9:26 AM, Jonathan K. Bullard wrote: > If I have a > configuration that has worked for many years I might be more likely to > not notice one warning among all the output in a typical log at the > default "verb 3" setting. Correction: the defa

[Openvpn-devel] [Patch] Fix null pointer dereference in options.c

2015-05-23 Thread Jonathan K. Bullard
(At Gert's request, I am posting this to openvpn-devel.) This patch fixes a null pointer dereference in options.c. Below are versions for openvpn-master and openvpn-2.3; they differ only in the line number reference. 2.3 branch diff -U 4 -r

[Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
The attached patch causes an error if an option has extra parameters; previously they were ignored. This feature was discussed on the openvpn-devel mailing list: http://thread.gmane.org/gmane.network.openvpn.devel/9599 The patch is for the master branch only -- the consensus of the mailing

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
Sorry, forgot to add a link to the ticket for this: https://community.openvpn.net/openvpn/ticket/557 On Fri, May 29, 2015 at 11:38 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > The attached patch causes an error if an option has extra > parameters; previously they

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-30 Thread Jonathan K. Bullard
Please ignore this patch; it is an old version. I will resubmit. Sorry for the noise. On Fri, May 29, 2015 at 11:54 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > Sorry, forgot to add a link to the ticket for this: > > https://community.openvpn.net/openvpn/ticket/557 >

[Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-02 Thread Jonathan K. Bullard
This is a new thread with version 2 of the patch; the first submission included the wrong .patch file and was withdrawn. The attached patch causes an error if an option has extra parameters; previously they were ignored (ticket #557 at https://community.openvpn.net/openvpn/ticket/557). This

Re: [Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-03 Thread Jonathan K. Bullard
On Wed, Jun 3, 2015 at 2:33 AM, Arne Schwabe wrote: > ACK. But some things I noticed (should go into separate patch) > > We do not catch > > --connection foo, it is silently ignored I noticed a few such problems, mostly in options that I couldn't find consistent documentation

Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 2:56 AM, Jan Just Keijser wrote: > Attached is the patch to add the TFTP and WPAD DHCP options. The patch > is based on openvpn 2.3.7 as I did not know how to do a windows mingw > build of the git version ... > The patch was tested on Windows XP 32bit and

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-03 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 6:24 AM, Jan Just Keijser wrote: > I fully agree. Here's v2 with Jonathan's remarks addressed as well. ACK as to my concerns, thanks!

Re: [Openvpn-devel] Docs or Bug: --push options no longer require double quotes

2015-07-25 Thread Jonathan K. Bullard
On Sat, Jul 25, 2015 at 3:45 PM, Gert Doering wrote: > Hi, > > On Sat, Jul 25, 2015 at 01:34:46PM +0100, debbie...@gmail.com wrote: >> As the title states --push no longer requires options to be double quoted. > > Well, *did* it require double quotes at some point? If yes,

[Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Inspired by Gert, I am considering adding a new feature to Tunnelblick (FOSS GUI for OpenVPN on OS X) and would like your reactions. In an earlier thread on openvpn-users, my original more grandiose idea was (with good reason) NAKed. It was also suggested that openvpn-devel was a better place for

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Hi. On Sat, Dec 12, 2015 at 5:23 PM, Arne Schwabe wrote: > Might not really be related to this but have looked into the work that > provides the certificates and keys via the management console? We > even have a contrib program that gets certificates from the Mac OS X >

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-13 Thread Jonathan K. Bullard
Thanks, Selva. On Sat, Dec 12, 2015 at 5:43 PM, Selva Nair wrote: > I suppose, not just adding but also removing options will be allowed. There > could be more options that are ok (i.e not unsafe) to remove but not change. What I'm proposing isn't to allow

Re: [Openvpn-devel] [PATCH 3/7] vlan: Add global, per-client 802.1q-based options

2016-04-03 Thread Jonathan K. Bullard
On Sun, Apr 3, 2016 at 2:51 PM, Mike Auty wrote: > > This patch add the new global "--vlan-tagging" boolean switch. This specifies > whether openvpn should handle 802.1q tagged packets in any way. > > This patch also adds the new global '--vlan-accept tagged|untagged|all'

[Openvpn-devel] The end of the Gmane archive

2016-07-29 Thread Jonathan K. Bullard
Yesterday Lars Ingebrigtsen, who established and has run Gmane since 2002, posted an article saying that Gmane might go away [1]. He posted an update [2] which says the Gmane archive *has* gone away and unless someone steps up to take it over, it is gone for good. The OpenVPN mailing list

[Openvpn-devel] What changes were made from 2.1.2 to 2.1.3?

2010-09-09 Thread Jonathan K. Bullard
The downloads page, http://openvpn.net/index.php/open-source/downloads.html, has release 2.1.3 (2010.08.27). However, the release notes linked to on that page, http://openvpn.net/changelog-beta.html, only include changes up through 2.1.2 (2010.08.09). (The Documentation page,

Re: [Openvpn-devel] Intelligent OpenVPN service?

2010-10-18 Thread Jonathan K. Bullard
You might want to look at the client GUI. For example, Tunnelblick (OS X GUI which also includes imbedded tun/tap kexts, OpenVPN and OpenSSL binaries) has just such a "pre-connection" feature. People can call a script before OpenVPN is started, and when OpenVPN finishes. It is used to do such

Re: [Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 8:56 AM, Samuli Seppänen wrote: > > We're going to have an IRC meeting today starting at 20:00 CEST (18:00 > UTC) on #openvpn-meeting irc.freenode.net. You do not have to be > logged in to Freenode to join the channel. I can't attend the meeting, so

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-02 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen wrote: > Discussed OpenVPN 2.3.13 release. Three things are missing: > > 1. recursive routing > 2. block-outside-dns v2 > 3. 64MB renegotiation for 64-bit block ciphers > > Cron2 will take care of 1-2, and syzzer will tackle 3.

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-03 Thread Jonathan K. Bullard
Hi, On Thu, Nov 3, 2016 at 8:26 AM, Gert Doering <g...@greenie.muc.de> wrote: > > On Wed, Nov 02, 2016 at 06:19:26AM -0400, Jonathan K. Bullard wrote: > > On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen <sam...@openvpn.net> > wrote: > > > Discussed

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Hi. On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe wrote: > > This option was useful when Ipv6 tun support was > non standard and was an internal/user specified flag > that tracked the Ipv6 capability of the tun device. > > All supported OS support IPv6. Also tun-ipv6 is >

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks, Arne. Sorry if I wasn't as clear as I should have been. On Wed, Oct 12, 2016 at 8:08 AM, Arne Schwabe <a...@rfc2549.org> wrote: > > Am 12.10.16 um 13:17 schrieb Jonathan K. Bullard: > > Hi. > > > > On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe <a...@rfc

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks to both Gert and Arne for their answers. On Wed, Oct 12, 2016 at 9:12 AM, Arne Schwabe wrote: >> What I should have asked is: with this patch will an OpenVPN client >> still send out IPv4 packets if there are no IPv6 options specified or >> pulled from the server?

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-25 Thread Jonathan K. Bullard
On Sun, Dec 25, 2016 at 6:20 PM, Steffan Karger wrote: > Hi, > > On 18-12-16 22:26, Gert Doering wrote: >> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote: >>> Our internal options digest uses MD5 hashes to store the state, instead of >>> storing the full options

Re: [Openvpn-devel] [PATCH] Implement block-ipv6

2017-07-07 Thread Jonathan K. Bullard
Hi. I have one small nit-pick. On Thu, Jul 6, 2017 at 11:33 AM, Arne Schwabe wrote: > This can be used to redirect all IPv6 traffic to the tun interface, > effectively black holing the IPv6 traffic. Without ICMPv6 error messages this > will result in timeouts when the server

Re: [Openvpn-devel] [PATCH] contrib: Remove keychain-mcd code

2017-07-25 Thread Jonathan K. Bullard
On Tue, Jul 25, 2017 at 9:03 AM, David Sommerseth wrote: > After the security audits performed by Cryptography Engineering the > spring of 2017 [1], there were several concerns about the contrib code > for the macOS keychain support. After more careful review of this > code

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > can be downloaded from here: > > Hi. Thanks for this release. Verifying the PGP

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote: > On 21/06/17 14:30, David Sommerseth wrote: >> On 21/06/17 13:48, Jonathan K. Bullard wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> wro

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree wrote: > > Am 21.06.2017 um 16:33 schrieb Samuli Seppänen: > > On 21/06/2017 17:06, Simon Matter wrote: > >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > >>> wrote: > The OpenVPN community

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen <sam...@openvpn.net> > wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > > can be downl

Re: [Openvpn-devel] OpenVPN 2.3.16 released

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.3.16. > It can be downloaded from here: > > > > This is a minor release that fixes a few bugs.

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-20 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 6:41 PM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote: > On 19/05/17 21:23, Jonathan K. Bullard wrote: [snip] > > OK, I get that, but the key file from the link David provided (and > > which was also in his reply to the email announcing 2.

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 1:44 PM, Samuli Seppänen <sam...@openvpn.net> wrote: > On 19/05/2017 17:50, David Sommerseth wrote: >> On 19/05/17 16:28, Jonathan K. Bullard wrote: >>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using >>> openvpn-2.3.1

Re: [Openvpn-devel] The future of contrib/keychain-mcd

2017-05-06 Thread Jonathan K. Bullard
Hi. Several weeks ago "kaloprominat" submitted PR #369 [1] to Tunnelblick. It incorporates the keychain-mcd code into Tunnelblick. (I don't know if that triggered your scrutiny of keychain-mcd or if that is a coincidence.) I have not finished reviewing the PR, but it includes fixes for several

[Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
When I try to verify the signature on openvpn-2.3.16.tar.gz (using openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the following: gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz' gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034 gpg:

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Thanks, Selva, On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair wrote: > > I have made a draft implementation of this feature that was discussed in a > previous thread. A test executable (GUI only) is in this pre-release: > >

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Hi, On Thu, Nov 30, 2017 at 10:26 PM, Selva Nair <selva.n...@gmail.com> wrote: > Hi Jon, > > On Thu, Nov 30, 2017 at 8:41 PM, Jonathan K. Bullard <jkbull...@gmail.com> > wrote: > >> Thanks, Selva, >> >> On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair &

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-14 Thread Jonathan K. Bullard
Hi, On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard <jkbull...@gmail.com> wrote: > Hi, > > On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair <selva.n...@gmail.com> wrote: >> >> Hi, >> >> On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe <a...@rfc2549.or

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-14 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 3:31 AM, Gert Doering wrote: > Hi, > > On Mon, Nov 13, 2017 at 01:16:46PM +0100, David Sommerseth wrote: >> But we should consider if we want to make use of a JSON library >> producing the JSON streams. The reason is to ensure the output is >>

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-15 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 7:40 AM, David Sommerseth wrote: > > On 14/11/17 12:02, Gert Doering wrote: >> JSON is very trivial to produce (unlike XML, or netlink). The escaping >> rules on producing are also very easy - basically, encode things in double >>

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-02 Thread Jonathan K. Bullard
Hi, On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: > > Hi, > > On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: >> >> Am 30.11.2017 um 03:03 schrieb Selva Nair: >> >> Cross-posting to users and devel as this may be of interest to both. >> >> Hi, >>

Re: [Openvpn-devel] [PATCH v5] Add Interactive Service developer documentation

2018-06-09 Thread Jonathan K. Bullard
Hi, On Sat, Jun 9, 2018 at 12:23 PM, Selva Nair wrote: > > Hi, > > On Thu, Apr 19, 2018 at 7:23 AM, Simon Rozman wrote: > > The OpenVPN Interactive Service documentation from > > https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was > > upgraded with a description of the

Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-02 Thread Jonathan K. Bullard
Hi. On Mon, Jul 2, 2018 at 9:24 PM, wrote: > > From: Selva Nair > > Instead log only a warning. > > This helps user interfaces enforce a safer script-security setting > without causing a FATAL error. Can you expand on that? What "safer script security settings" do you have in mind? Tunnelblick

[Openvpn-devel] Fwd: [PATCH 2/3] Allow external EC key through --management-external-key

2018-01-25 Thread Jonathan K. Bullard
Hi. On Mon, Jan 22, 2018 at 12:31 PM, Selva Nair wrote: > What about extending the current "version" command with an argument > where the client states the version of "management-speak" that it > supports. Current management version is 1, we increase it to 1.1 and > unless

Re: [Openvpn-devel] [PATCH] Properly respond to SIGTERM received during DNS resolution.

2018-02-05 Thread Jonathan K. Bullard
lem, right? > > (I'm not sure I'm reading the description right, to understand the > actual issue this is fixing - but if I'm reading it right, then this > makes sense :-) - what about SIGINT?) On Tue, Apr 12, 2016 at 11:48 AM, Fish Wang <fish.t...@gmail.com> wrote: > > Right

[Openvpn-devel] Dynamic challenge/response questions

2018-07-18 Thread Jonathan K. Bullard
I'm trying to implement dynamic challenge/response in Tunnelblick and have some questions. I've been using the management-interface documentation [1] as my guide. 1. Is what the management interface sends something like (all on one line): >PASSWORD:Verification Failed: 'Auth'

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
Thanks, Selva, On Mon, Jul 23, 2018 at 1:30 PM, Selva Nair wrote: > > Hi, > > > On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard > wrote: > > Hi, > > > > On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: > >> Jon: I have a se

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
Hi, On Mon, Jul 23, 2018 at 10:31 PM, Selva Nair wrote: > On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard > wrote: > >> Some, perhaps including Selva's $payingCustomer, may not want to use >> Tunnelblick betas or use OpenVPN 2.5 until it is released. > > I missed

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
t 02:38:55PM -0400, Selva Nair wrote: >>> On Thu, Jul 19, 2018 at 1:52 PM, Gert Doering wrote: >>> > On Thu, Jul 19, 2018 at 11:43:17AM -0400, Jonathan K. Bullard wrote: >>> >> Thank you, Selva! (Now all I need to do is get it working!) >>> > >>

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-24 Thread Jonathan K. Bullard
Hi, On Tue, Jul 24, 2018 at 12:02 AM, Selva Nair wrote: > Hi, > > On Mon, Jul 23, 2018 at 10:58 PM, Jonathan K. Bullard > wrote: >> I was testing Tunnelblick with Selva's C/R server and config (thanks >> again for that) and there was a problem. Maybe I'm (still) >&

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-21 Thread Jonathan K. Bullard
Hi, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: > Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy. Thanks,

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you, Selva! (Now all I need to do is get it working!) Best regards, Jon On Thu, Jul 19, 2018 at 11:39 AM, Selva Nair wrote: > Hi, > > On Thu, Jul 19, 2018 at 10:48 AM, Jonathan K. Bullard > wrote: >> Thank you very much, Selva. >> >> On Wed, Jul 18, 2018

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you very much, Selva. On Wed, Jul 18, 2018 at 10:48 PM, Selva Nair wrote: > There are two messages involved: > > 1. First comes the fake auth failure message which contains the > challenge string. The format of this is as you have quoted above. The > single quoted string between the

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi, Selva, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: >> Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy.

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi Arne, (For some reason Gmail put your post in my spam folder, so I just saw it now.) On Thu, Jul 19, 2018 at 11:49 AM, Arne Schwabe wrote: > Am 19.07.18 um 17:43 schrieb Jonathan K. Bullard: >> Thank you, Selva! (Now all I need to do is get it working!) >> > > If

Re: [Openvpn-devel] [OpenVPN/openvpn-gui] UI showing green connected status despite not beeing able to create a route (#9)

2018-07-06 Thread Jonathan K. Bullard
Hi, On Fri, Jul 6, 2018 at 3:24 PM, Selva Nair wrote: > > Hi, > > Copying the devel list as a reminder that "we" have been asking for this > change for a long time :) > > On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering wrote: >> >> Hi, >> >> On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair

Re: [Openvpn-devel] On testing with openssl 0.9.8

2018-01-22 Thread Jonathan K. Bullard
Hi, On Mon, Jan 22, 2018 at 7:33 AM, David Sommerseth wrote: > Let me rather twist this question around ... Do we want to support OpenSSL > 0.9.8? Are there any Linux distributions or other OSes out there in the wild > which is still supported which are also
