Hi,

Here's the summary of the previous IRC meeting / sprint.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thursday 6th Oct 2011
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2011-10-06>

Next meeting will be announced in advance, but will probably be on the same weekday and at the same time. Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

andj, cron2, ecrist, jamesyonan, krzie, mattock and SviMik participated in this meeting.

--

Reviewed andj's "PolarSSL addition" patches. Their status before and after the meeting:

<https://community.openvpn.net/openvpn/wiki/PolarSSLintegration?version=65#PolarSSLaddition>
<https://community.openvpn.net/openvpn/wiki/PolarSSLintegration?version=73#PolarSSLaddition>

--

Discussed the "UNDEF user with big uptime" bug:

<https://community.openvpn.net/openvpn/ticket/167>

Preliminary analysis from the meeting has been added to ticket comments.

---

Discussed the "GUI: broken log encoding on non-english Windows":

<https://community.openvpn.net/openvpn/ticket/165>

Mattock will try to reproduce this on his test VMs.

---

Full chatlog as an attachment

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
andj 21:27:56 hello
SviMik 21:28:18 do we have a meeting today?
andj 21:28:29 we should have, but mattock is a tad late
cron2 21:28:31 supposedly yes andj: how many of your patches are still pending? 21:28:51
andj 21:28:55 I guess we could get started with the patches now that james is here not many, we should be able to get through them this evening 21:29:04 shall we get started with the patches then? 21:29:38 jamesyonan, cron2? 21:31:06
jamesyonan 21:31:36 hi andj
SviMik 21:31:39 I have 2 bugreports, but they are not in agenda, don't know why previous bugreport was in agenda 21:32:21
cron2 21:32:37 andj: yep
User mattock_ has joined the room 21:32
cron2 21:32:51 the mattock has returned!
mattock_ 21:32:54 hi
krzie 21:32:56 ecrist, i messaged a nice update to that script
andj 21:33:09 ah, hi mattock
mattock_ 21:33:09 was I missing for a long? or just briefly? 21:33:19
SviMik 21:33:19 a meeting?
andj 21:33:25 about 40 mins
SviMik 21:33:34
andj 21:34:04 the first patch is the big one: https://github.com/andj/openvpn-ssl-refactoring/commit/0ef8d44cc4b9b10f174101cf420af0a5b2150809
vpnHelper 21:34:05 Title: Commit 0ef8d44cc4b9b10f174101cf420af0a5b2150809 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:34:28 shall we go through it file-by-file, skipping the *_polarssl.[ch] ones, as discussed last week? 21:34:36
cron2 21:35:08 fine with me
andj 21:35:21 Makefile.am adds the new files
ecrist 21:35:35 krzie: looking
andj 21:36:00 README.polarssl adds some extra instructions, and some things that are missing
mattock_ 21:36:18 oh
andj 21:38:24 do you guys prefer doing an ack per file? or just for the whole patch?
cron2 21:40:13 well, the autoconf related stuff looks reasonable to me. The crypto_polarssl.c needs testing, I'd say, or review from someone who understands polar ssl
andj 21:40:46 yeah, we decided last week that the _polarssl stuff could be reviewed at a slower pace, as it isn't part of the default build it's just the files that already exist that are important 21:41:02 https://github.com/andj/openvpn-ssl-refactoring/commit/0ef8d44cc4b9b10f174101cf420af0a5b2150809#diff-8 21:41:20
vpnHelper 21:41:21 Title: Commit 0ef8d44cc4b9b10f174101cf420af0a5b2150809 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 21:41:21 yes, it seems reasonable in the way that it touches the default build
andj 21:41:39 that bit is the only one that modifies stuff but it's just ifdefs 21:41:55 ok, is that an ack? 21:42:02
cron2 is still scrolling 21:42
andj 21:42:41 ok
cron2 21:43:13 looks reasonable to me, too
andj 21:43:32 ok, the next one is a minor bug fix: https://github.com/andj/openvpn-ssl-refactoring/commit/511691b09e2ac739482260267a0a1b97cd870d36
vpnHelper 21:43:35 Title: Commit 511691b09e2ac739482260267a0a1b97cd870d36 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
mattock_ 21:45:02 andj: are you updating the wiki too?
andj 21:45:14 I am now
mattock_ 21:45:27 ah, nice!
cron2 21:45:49 andj: ack on that, looks like a separation oversight
mattock_ 21:45:58 (using my mobile)
andj 21:46:07 https://github.com/andj/openvpn-ssl-refactoring/commit/f43e33e4abb961a85cd67234c57bf16157b4d764 https://github.com/andj/openvpn-ssl-refactoring/commit/0f3bb68db10ce4aa029501092dc36cddd48d41ed
vpnHelper 21:46:09 Title: Commit f43e33e4abb961a85cd67234c57bf16157b4d764 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
cron2 21:46:26 which one?
andj 21:46:31 both together
jamesyonan 21:47:12 looks fine
andj 21:47:43 which ones, jamesyonan?
cron2 21:47:43 who is free()ing the memory?
ecrist 21:48:00 dazo's not here today?
andj 21:48:18 cron2: let me check for you
mattock_ 21:48:20 apparently not
andj 21:49:11 ssl_verify.c
jamesyonan 21:49:14 andj: the trivial patches for SHA_DIGEST_SIZE definition and Fixed a bug in the hash generation
andj 21:49:17 is freeing the memory
cron2 21:49:32 then ack
andj 21:49:51 https://github.com/andj/openvpn-ssl-refactoring/commit/8d4360d179cb176803e330e3a947e6c34315b225
vpnHelper 21:49:53 Title: Commit 8d4360d179cb176803e330e3a947e6c34315b225 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:50:14 that one migrates to a newer version of PolarSSL, which uses (correctly) size_t instead of int and has different return values on 1 or 2 functions 21:50:36
cron2 21:52:10 guessed something like that, yeah. Not exactly pretty, but obviously needed
andj 21:52:28 what happened is that I wrote some patches for PolarSSL to add some extra functionality 21:52:33 and those got integrated into Polar 0.99 21:52:42
jamesyonan 21:52:46 yeah, OpenSSL uses ints in a lot of places where modern code would use a size_t
andj 21:53:01 There'll be a similar patch from 0.99->1.0 soon yeah, Polar modernised the code base before 1.0 21:53:17 now they still had the chance 21:53:24 next one: https://github.com/andj/openvpn-ssl-refactoring/commit/a6ce24ef2999fcc73ee1590fdc4518842c228f4e 21:54:09
vpnHelper 21:54:12 Title: Commit a6ce24ef2999fcc73ee1590fdc4518842c228f4e to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 21:54:18 same story, but for the SSL bit
jamesyonan 21:55:13 andj: how does PolarSSL deal with external private keys -- I noticed you didn't implement most of the OpenVPN external private key functions like management-external-key and crypto API
andj 21:55:46 at the moment, it doesn't the RSA code is pretty static 21:55:55 and doesn't play all too well with other providers 21:56:06 it's something that will come up, probably together with elliptic curve crypto 21:56:46
jamesyonan 21:56:54 these days, most people in a high-security environment are going to want multifactor auth which often requires external key support
cron2 21:57:39 andj: patch doesn't make sense to me, but it does not have to "if it works with polarssl, it will be fine"
andj 21:58:28 jamesyonan: it's going to happen in PolarSSL at some point, ECC is the most requested feature atm anyway, but I'm leaving that up to them. and that's the perfect moment to modularise the asymmetric code further 21:58:54 cron2: indeed, it's just some API changes 21:59:10 ack on that one? 21:59:22 next one is a printf fix: https://github.com/andj/openvpn-ssl-refactoring/commit/3bff5d3dc0cd62e24269ad8f1cb1588c9e47b433 21:59:58
vpnHelper 21:59:59 Title: Commit 3bff5d3dc0cd62e24269ad8f1cb1588c9e47b433 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
cron2 22:00:08 given last week's plan on not looking very close at the *polarssl* files, ACK huh, what is %zd? 22:00:43
andj 22:00:57 special value for size_t we had a similar discussion a few meetings ago for %p 22:01:17
cron2 22:01:20 is that portable, like, to Solaris, *BSD, Windows? now %p *is* (for pointer values) 22:01:28 but I've never seen %zd 22:01:32
jamesyonan 22:01:34 does windows/visual-studio support %zd?
cron2 22:02:23 FreeBSD 7 has %zd
andj 22:02:35 MS doesn't: http://msdn.microsoft.com/en-us/library/tcxf1dw6.aspx
vpnHelper 22:02:37 Title: Size Specification (at msdn.microsoft.com)
cron2 22:03:13 FreeBSD 6 doesn't
andj 22:03:32 ok, point taken, I'll write a patch for it
cron2 22:03:33 I'd tend to nack that change, and use a cast %ld and (long) or %d and (int), whatever is reasonable 22:03:54
jamesyonan 22:04:19 OpenVPN actually has a .h file where we define various platform-specific format specifiers
andj 22:04:31 thanks, I'll look for it
jamesyonan 22:04:35 we use it for printing 64-bit byte counters
andj 22:04:53 next one: https://github.com/andj/openvpn-ssl-refactoring/commit/bc2dbfc7e9cf9d0552374e49750012a444e2a70f
vpnHelper 22:04:54 Title: Commit bc2dbfc7e9cf9d0552374e49750012a444e2a70f to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:04:57 disable pkcs12
cron2 22:06:22 ack
andj 22:07:03 same, but for capath: https://github.com/andj/openvpn-ssl-refactoring/commit/74ca0110269a46607e3211f8d7c6b1d250361d99
vpnHelper 22:07:04 Title: Commit 74ca0110269a46607e3211f8d7c6b1d250361d99 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 22:08:19 both look fine
andj 22:08:26 cool, next is disable CrAPI: https://github.com/andj/openvpn-ssl-refactoring/commit/f79f1556902d1c73416858813cc75594d3d2fdf6
vpnHelper 22:08:27 Title: Commit f79f1556902d1c73416858813cc75594d3d2fdf6 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
ecrist 22:08:58 heh, CrAPI
andj 22:09:04
ecrist 22:09:34 ><{{{*>
cron2 22:09:50 looks good to me (though I can't say whether you caught all places)
andj 22:09:57 external keys: https://github.com/andj/openvpn-ssl-refactoring/commit/09f156a99ac16c1157392818d43b6dd4b898d659
vpnHelper 22:09:58 Title: Commit 09f156a99ac16c1157392818d43b6dd4b898d659 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 22:10:23 that's the kind of patch that will usually give you a compile error if you get it wrong
andj 22:10:38 yeah, and I double checked using grep
jamesyonan 22:10:46 CryptoAPI patch looks fine
cron2 22:11:07 yep, but only if you compile on windows - so this is something that certainly needs testing after the merge (*extra* testing) 22:11:14
andj 22:11:34 I compile on both windows and linux btw
cron2 22:11:41 andj: oh? cool
jamesyonan 22:11:54 mingw or visual studio?
andj 22:11:56 I've got a cute little build farm set up for the polarssl build
cron2 22:11:58 ACK, then
andj 22:11:59 visual studio
jamesyonan 22:12:11 ack as well
andj 22:12:20 but it's currently 2.1.4 & polarssl 0.14.3 https://github.com/andj/openvpn-ssl-refactoring/commit/b28532360c4ddf2d2bec62b5c7b62d2ae05c9ce1 22:12:30
vpnHelper 22:12:31 Title: Commit b28532360c4ddf2d2bec62b5c7b62d2ae05c9ce1 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 22:14:04 looks fine
andj 22:14:27 https://github.com/andj/openvpn-ssl-refactoring/commit/2b018cc88744bf580e62e3a403b58deba267a798
vpnHelper 22:14:28 Title: Commit 2b018cc88744bf580e62e3a403b58deba267a798 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:14:31 more external cert stuff
jamesyonan 22:17:08 why do you need to write a certificate? (to a file) 22:17:18
andj 22:17:24 It's for external scripts
jamesyonan 22:17:35 ah, ok
andj 22:18:05 basically, it's not yet possible in Polar so it's openssl-only 22:18:11 again, a feature that's imminent in PolarSSL 22:18:27
jamesyonan 22:19:33 just curious, what's the rough size of the built PolarSSL libs
andj 22:20:59 depends on what you include not exactly sure though 22:21:17 400k or so I think 22:21:36 but that might be with debug symbols 22:21:59 and static 22:22:23
jamesyonan 22:22:35 yeah, that's definitely smaller than OpenSSL
andj 22:22:55 think libcrypto is about 4-5 MB
jamesyonan 22:23:07 no, not that large
andj 22:23:10 ack on external cert? 1.6 MB 22:23:43
jamesyonan 22:23:46 yes, ack
andj 22:23:46 the dynamic one ok, only 3 small ones left: https://github.com/andj/openvpn-ssl-refactoring/commit/60890102b755390e704a74ee2962780480b50c80 22:24:02
vpnHelper 22:24:03 Title: Commit 60890102b755390e704a74ee2962780480b50c80 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 22:24:53 looks fine
andj 22:24:55 Add a tag for a build: https://github.com/andj/openvpn-ssl-refactoring/commit/5f5eca00f31199571450cceee1f4469154bd4d38
vpnHelper 22:24:56 Title: Commit 5f5eca00f31199571450cceee1f4469154bd4d38 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
jamesyonan 22:25:27 ack
andj 22:25:32 and, finally disable x509 track: https://github.com/andj/openvpn-ssl-refactoring/commit/7c18f7cd1ef7e79a489bf116a4ca33c97227dc08
vpnHelper 22:25:33 Title: Commit 7c18f7cd1ef7e79a489bf116a4ca33c97227dc08 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
cron2 22:25:54 ack for the build tag
andj 22:26:17 build tag? ah, that one 22:26:23 what header file contained the size_t defines, can't seem to find it? 22:26:46
jamesyonan 22:28:58 ack for Disabled X.509 track
andj 22:29:13 whee that's the last one 22:29:17
cron2 22:29:21 cool
andj 22:29:25 aside from the fix for the nack from just now 22:29:27
jamesyonan 22:29:31 common.h
cron2 22:29:33 yep
jamesyonan 22:30:33 you can probably leverage on counter_format
andj 22:30:44 yeah, I was think the same thing patch incoming, give me 2 minutes compile time 22:32:36
mattock_ 22:33:21 almost there
andj 22:36:36 anyway, there will be some smaller patches in the next few weeks, to move to PolarSSL 1.0, and perhaps a few Windows build fixes
cron2 22:37:22 sounds good
mattock_ 22:37:31 andj: for python build system?
andj 22:37:46 yeah, but that'll be in a few weeks 22:37:58
mattock_ 22:39:37 ok
andj 22:40:43 https://github.com/andj/openvpn-ssl-refactoring/commit/88d639630cd319882be05a29bcc5ac49cb79d1bc
vpnHelper 22:40:44 Title: Commit 88d639630cd319882be05a29bcc5ac49cb79d1bc to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:40:53 ok, moved to counter_type and counter_format
cron2 22:41:57 that should be "(counter_type) 8* ...", not (long long int)
andj 22:42:10 oops, mistake in my commit, sec https://github.com/andj/openvpn-ssl-refactoring/commit/82e745b6e4c81b5fa5f0d0793383a292696d2991 22:47:03
vpnHelper 22:47:04 Title: Commit 82e745b6e4c81b5fa5f0d0793383a292696d2991 to andj/openvpn-ssl-refactoring - GitHub (at github.com)
andj 22:47:15 fixed it, accidentally pushed the wrong local commit
cron2 22:48:19 well, formal ack, but looking at the code that prints numbers well in the 16-bit range, I really wonder why people think that "size_t" is a good idea here with all the extra complication that brings 22:48:31 but that's just the ramblings of an old man... 22:49:29
andj 22:49:30 point taken anyway, that should be ok now 22:49:41
cron2 22:49:49 yep, the code is fine
andj is very happy 22:49
andj 22:50:44 what's next for the meeting? SviMik's bug reports?
jamesyonan 22:50:52 yeah, size_t sort of came into fashion with the rise of 64-bit architectures
cron2 22:51:35 for this meeting, I'm done - need to break a few customer networks now
andj 22:51:46 ok, have fun we could call it a day then? 22:52:01
cron2 22:52:02 my next agenda items are "get mattock to make the freebsd 8.2 buildslave work"
mattock_ 22:52:09 summary will follow tomorrow
andj 22:52:11 Thanks everyone
mattock_ 22:52:28 andj: thanks for managing things!
SviMik is here, if somebody is going to look at my bug reports 22:53
andj 22:53:30 mattock: np svimik, which ones? 22:54:48
SviMik 22:55:29 first is https://community.openvpn.net/openvpn/ticket/167
vpnHelper 22:55:30 Title: #167 (UNDEF user with big uptime) – OpenVPN Community (at community.openvpn.net)
SviMik 22:55:54 the log with many errors is here: http://svimik.com/ovpnundef.txt
andj 22:57:17 svimik: I'll take a peek at the log file, see if I can find anything
SviMik 22:58:59 the second bug is log encoding... I wonder if anybody tested openvpn with non-english Windows?
andj 22:59:27 looks like there's a rejected initial packet: PF: /etc/openvpn/tmp/openvpn_pf_3c0125880e28cd24b297f70c42a6940c.tmp rejected due to 1 error(s)
SviMik 23:01:17 andj that's normal I think. when pf file is ignored, openvpn just using some default settings so it's not related with this bug 23:01:43
mattock_ 23:01:53 SviMik: I have not, it's all english can you change windows language without buying a separate version? 23:02:46
SviMik 23:03:30 don't understand last question. why I need change it?
User krzie has disconnected (Quit: Leaving) 23:03
SviMik 23:04:46 andj that user's certificate has expired, so I don't know even how he got connected and why the connection was not rejected
andj 23:05:52 I'm a little surprised about all of the replay errors too
mattock_ 23:05:53 I mean can _I_ change the language if I want?
andj 23:06:40 then at midnight his session expires and he can't connect anymore 23:06:46
SviMik 23:07:02 mattock_ you can. but you have to install MUI: http://en.wikipedia.org/wiki/Multilingual_User_Interface
vpnHelper 23:07:03 Title: Multilingual User Interface - Wikipedia, the free encyclopedia (at en.wikipedia.org)
SviMik 23:10:09 for XP there was also MUI, which translates most user interface (but not all, so the result may be slightly different comparing with originally non-english XP).
User mattock_ has disconnected (Ping timeout: 252 seconds) 23:10
SviMik 23:10:54 in my case, I found 2 bugs in XP (didn't tested in 7 yet)
andj 23:12:13 svimik: I think the following happened certificate expired at some point, and the control channel still existed 23:12:31 but a new control channel can't be set up 23:12:41 the session then still exists but can't be used anymore 23:13:42
SviMik 23:14:38 so the user should be kicked in that case because session is not usable anyway 23:15:00
andj 23:15:27 yeah, and the error should be a little clearer as well failed TLS connections could be handled more cleanly 23:16:42
SviMik 23:17:36 actually in my previous tests connection was working well even after certificate expiration (upon first reconnect)
mattock 23:17:46 SviMik: I'll check out MUI, it makes sense to do some basic tests with non-English languages
SviMik 23:18:28 andj so, the expired certificate may be only a part of condition to reproduce this bug
andj 23:19:41 hmm, it's something that needs looking at, but I'm afraid I haven't got time right now (getting late here)
SviMik 23:20:17 about encoding: 1. if adapter's name contains non-english characters, the encoding in CLI is wrong. in GUI it appears correctly though. I suppose the windows CLI and openvpn GUI are using different encoding to display text 23:20:17 2. but "route add" errors vice versa are not readable in openvpn GUI 23:20:17
andj 23:21:07 see you all soon
SviMik 23:21:37 ok
User krzee has joined the room 23:21
SviMik 23:29:15 mattock I can also make tests if somebody writes a patch for it I see there is encoding mess both in openvpn and its GUI 23:30:29 because nobody tested it 23:30:41
SviMik 23:38:41 mattock I can set up a virtual machine with windows for you if you need, with remote desktop access