Hi,

On Thu, Apr 24, 2014 at 04:05:20AM -0400, Timothe Litt wrote:
> >Uh, this is a double misinformation :-)
> It's good to know that cross-compiling is an option, though
> cross-debugging (e.g. with an interactive debugger) can be an adventure too.
>
> Source of my comment was:
>
> http://community.openvpn.net/openvpn/wiki/BuildingOnWindows, which says
> >This new build system allows building OpenVPN on Windows more easily,
> >but some parts of the build may *require a commercial version of the
> >Visual Studio development environment.*
> >/Visual Studio 2008 Professional/ is used to build OpenVPN on Windows.
> >Note that the free Express edition might not work.
> >Full installation installs */x86 cross-tools/* which *may cause nasty,
> >hard to debug issues*.
> (The professional tools are > $1,000 US, which is not in my budget.)
>
> You may want to reword that after validating your comment. M$'s name
> for the 'free' tools is 'express edition'. The license terms vary based
> on M$'s whims, the current statement is:
> >http://www.visualstudio.com/products/visual-studio-express-vs
> >Visual Studio Express products are available at no charge and may be
> >used for commercial, production usage subject to the license terms
> >provided with each product. For example, you can use Express for
> >Windows to create apps that you can then submit for sale in the
> >Windows Store.

Yeah, I think that page needs clarification (I think you need the
commercial edition to do code signing, which is not strictly required
if you use the pre-signed tap driver bundle), *and* it needs a pointer
to the other build system page. Samuli...?

> The current version requires at least windows 7 and a 2.2GHz+
> processor. (My XP laptop won't do.)
> The 2008 Express edition
> (http://www.microsoft.com/en-us/download/confirmation.aspx?id=7940) is
> also a resource hog.
> It doesn't include all of the templates and other files needed to make
> many kinds of applications, though it is serviceable.
>
> I do run these on a windows 7 machine, but can't reconfigure them just
> for debugging OpenVPN.

No, I wasn't suggesting that you do that, I was just trying to clarify
what build options we have. I find "add msg() calls, build on linux,
run on windows, see what breaks" more natural to me than "build on
windows" :-)

> In any case, I think that we have found root cause of this issue the
> old-fashioned way - code inspection based on some debugging I did on the
> server and a hint from Steffan.
>
> It seems that the cryptoapi interface (and probably other external key
> loaders, such as pkcs11 according to James) has not been updated for
> TLS1.2. TLS1.2 adds some new signatures. The error that I saw comes -
> I believe - from code that sanity checks the requested hash size against
> the generated hash size; cryptoapi only knows how to generate md5/sha1
> signatures.

Yep, I saw the mail exchange, and I'm quite happy that we know where
*your* issues are coming from. George Ross' issues are something else,
though, as he's not using windows at all...

>
> This makes it clear that:
> - the key loaders need to be updated for TLS1.2. This includes the
> cryptoAPI on windows, pkcs11, and the cert stores on other platforms
> (IOS, Android, Mac - if that's ever merged).
> - There does need to be a way to specify a maximum TLS version (1.1
> will do in this case)
[..]

Good points.

We're having an IRC meeting tonight, and I hope that James, Steffan and
Arne can agree on a short-term approach for 2.3.4, and a long-term
approach for master/2.4 - what you describe sounds good to me, but I'm
not the one who is going to implement and maintain it, so I'm not
deciding.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                        g...@greenie.muc.de
fax: +49-89-35655025          g...@net.informatik.tu-muenchen.de
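
Added example (not part of this thread and not OpenVPN's code): the quoted diagnosis says the external key loaders only handle md5/sha1 signing input and fail a size check under TLS 1.2, so this sketch classifies the buffer a TLS stack hands to an RSA PKCS#1 v1.5 signing callback. All function and type names are hypothetical; it assumes the standard input formats (raw 36-byte MD5||SHA-1 for TLS 1.0/1.1, DER DigestInfo plus hash for TLS 1.2).

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical names; models the signing-input formats, not OpenVPN's own code. */
enum sig_input { SIG_UNKNOWN, SIG_MD5_SHA1, SIG_SHA1, SIG_SHA256, SIG_SHA384, SIG_SHA512 };
struct digestinfo { enum sig_input kind; size_t prefix_len, hash_len; unsigned char prefix[19]; };

/* DER DigestInfo prefixes for RSASSA-PKCS1-v1_5 signatures, as used in TLS 1.2. */
static const struct digestinfo known[] = {
    { SIG_SHA1, 15, 20, { 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,
                          0x1a,0x05,0x00,0x04,0x14 } },
    { SIG_SHA256, 19, 32, { 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
                            0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 } },
    { SIG_SHA384, 19, 48, { 0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
                            0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30 } },
    { SIG_SHA512, 19, 64, { 0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
                            0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40 } },
};
#define N_KNOWN (sizeof(known) / sizeof(known[0]))

enum sig_input classify_sig_input(const unsigned char *in, size_t len)
{
    if (len == 36)   /* TLS 1.0/1.1: raw MD5 || SHA-1 (16 + 20 bytes), no DigestInfo */
        return SIG_MD5_SHA1;
    for (size_t i = 0; i < N_KNOWN; i++) {
        const struct digestinfo *d = &known[i];
        if (len == d->prefix_len + d->hash_len && memcmp(in, d->prefix, d->prefix_len) == 0)
            return d->kind;
    }
    return SIG_UNKNOWN;
}

/* A key loader that only implements the legacy MD5+SHA-1 input must refuse the rest. */
int legacy_loader_can_sign(const unsigned char *in, size_t len)
{
    return classify_sig_input(in, len) == SIG_MD5_SHA1;
}

/* Write a constructed sample input (all-zero hash) for `kind`; returns its length. */
size_t build_sample(enum sig_input kind, unsigned char *out)
{
    if (kind == SIG_MD5_SHA1) { memset(out, 0, 36); return 36; }
    for (size_t i = 0; i < N_KNOWN; i++) {
        if (known[i].kind != kind) continue;
        memcpy(out, known[i].prefix, known[i].prefix_len);
        memset(out + known[i].prefix_len, 0, known[i].hash_len);
        return known[i].prefix_len + known[i].hash_len;
    }
    return 0;
}
```

A loader that passes only the 36-byte case works while the negotiated version is capped at TLS 1.1 and rejects every TLS 1.2 request, which matches the two remedies listed in the thread.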