> On 02.04.21 at 15:26, Max Fillinger wrote:
> > From: Uipko Berghuis
> >
> > In mbedtls 2.16.0 mbedtls_ctr_drbg_update() changed to
> > mbedtls_ctr_drbg_update_ret(). Change the function name and handle the
> > new return value error code.
> > ---
> > src/openvpn/ssl_mbedtls.c | 5 -
> > 1
> > }
> >
> > void
> > +make_empty_crl(struct tls_root_ctx *ctx)
> > +{
> > +if (ctx->crl == NULL)
> > +{
> > +ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl);
> > +}
> > +else
> > +{
> > +mbedtls_x509_crl_free(ctx->crl);
> > +}
> > +}
> > +
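Review bot: the else branch of make_empty_crl() calls mbedtls_x509_crl_free(ctx->crl) and returns without re-initialising the structure, so the "empty" state on that path depends on what the free routine leaves behind, while the NULL branch gets an explicitly cleared object from ALLOC_OBJ_CLEAR. Consider following the free with mbedtls_x509_crl_init(ctx->crl) so both branches end in the same state, and add a short comment above the function stating that it leaves ctx->crl allocated and empty.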
>
> This function
Hi Antonio,
Thanks for taking a look!
> Mh... I have tried to reproduce this issue, but I was not able to.
> Would you be able to provide me with the exact steps to hit this
> situation?
This bug happens only if the CRL file can't be opened in init_ssl().
(Un-openable CRL files and un-parseable
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Tuesday 10 August 2021 12:12
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH] Replace deprecated mbedtls DRBG
> update function
>
> On 10.08.21 at 08:
> Normally we have patch v2 here and also a patch v2 in the subject (use
> -v 2 when doing git format-patch) but for this small patch it is not a
> problem.
I'll keep it in mind for next time!
> Apart from the fact that we might want to abort (M_FATAL) if this fails
> instead basically ignoring
> ... so why is "did_ifconfig_setup" true, if ifconfig wasn't done?
>
> Or, phrased differently, what is did_ifconfig_setup used for, across the
> code, and can we just "not set it to true" if ifconfig-noexec is in
> effect? Or does it have nasty side effects?
tt->did_ifconfig_setup is set in
> but they think the revamped OpenSSL 3.0 way of calculating the TLS1 PRF
> might actually not be in 2.5 yet, so they do not need a patch for that.
In 2.5, openssl_compat.h also doesn't try to define X509_OBJECT_free(), so
there's nothing to backport there.
> -Original Message-
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Thursday 18 August 2022 22:16
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v2 1/2] Update openssl_compat.h for
> newer LibreSSL
> I'm a bit unsure if we need this for 2.5 - it's "long term compat"
> and not very intrusive, but on the other hand, not too many people
> seem to care about LibreSSL.
OpenBSD has packaged 2.5.7 for snapshots, so they must already have a
workaround.
> -Original Message-
> From: Arne Schwabe [mailto:a...@rfc2549.org]
> Sent: Thursday 11 August 2022 14:21
> To: Maximilian Fillinger ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 2/2] Handle EVP_MD_CTX as an opaque
> struct
>
Hi!
> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday 12 December 2022 13:03
> To: Maximilian Fillinger
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix message for too long tls-
> cryp
> So if you have a limit like 733, you need to actually decode the base64
> to check if it is short enough. The alternative would be to only allow
> 732 bytes, so we could check the base64 length again or use 735 bytes
> and use a maximum tls-crypt wrapped key size of 1026 bytes (which sounds
> a
The grammar in the 3rd sentence in the comment below is messed up. (I think I
understand it, but I'm not sure.)
> +if (session->opt->verify_hash_no_ca)
> +{
> +/*
> + * If we decide to verify the peer certificate based on the
> fingerprint
> + * we ignore wrong
Hi!
I'm currently preparing the OpenVPN-NL 2.5 release at Fox-IT. (We're a
bit behind the times...) I thought that one of our patches, by Steffan
Karger, could be useful in regular OpenVPN. He said that he hadn't
submitted it yet, and thought it would be a good idea to ask.
The patch increases
Sorry about that! I'll send it again from my personal account later.
-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Friday 19 March 2021 18:30
To: Maximilian Fillinger
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [Patch] Wipe Socks5
Socks5 plaintext authentication is not exactly high security, but we
might as well memzero the credentials before leaving the function.
---
src/openvpn/socks.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c