Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 1st June 2022
Time: 10:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2022-06-01>

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, dazo, lev, mattock, MaxF and plaisthos participated in this meeting.

---

Talked about Windows snapshot building. Lev has implemented GitHub Actions that produce unsigned MSI installers on a daily schedule. The installers have signed kernel drivers so they're fully usable by normal people. Agreed that such installers are enough for most purposes, so we don't necessarily need the Windows Buildbot worker, which is quite an effort to maintain. That said, we still want to have a template for creating Windows build boxes, as well as the capability to do release builds, which means maintaining msibuilder / msibuilder25 in openvpn-vagrant.

Agreed that it would be nice to be able to push the MSI snapshots to build.openvpn.net. Mattock will first switch over to the new build.openvpn.net (DNS + some tweaks), then this automatic pushing can be implemented.

---

Talked about OpenVPN 2.5.7. It is now in the testing repos of Fedora and EPEL and will eventually trickle down to the official repos.

The Ubuntu 20.04 package maintainer has expressed interest in the OpenSSL 3.0 support, but nothing concrete has happened yet.

Noted that OpenVPN 2.5.7 Windows installers still bundle EasyRSA 3.0.8 and we should upgrade it in a separate Windows installer release.

---

Talked about the next hackathon. According to MaxF, hosting it at Fox-IT _might_ be more difficult than before because security on weekends has been tightened.

---

Cron2 has been whacking the DCO branch on an Ubuntu 20.04 test server, and found interesting and amazing things. For example:

- NCP cipher failure leads to a server fatal error -> exit()
- Connect to a DCO enabled server with "--cipher 3DES" on the client, server aborts
- Connect in P2P mode, works exactly once, then the server will never again respond to new TLS packets coming in

These are being worked on.

---

Full chatlog attached
(11.29.35) dazo: hey!
(11.29.53) mattock: hi
(11.30.06) cron2: yo
(11.31.50) MaxF: hi!
(11.33.17) plaisthos: hey
(11.36.11) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2022-06-01
(11.36.35) mattock: I have about 30 minutes before lunch
(11.36.42) MaxF: go go go!
(11.36.47) mattock: let's get this thing going
(11.37.00) cron2: this is not a way to run a meeting
(11.37.08) cron2: when finally everyone has arrived, the first runs away
(11.37.27) mattock: not yet!
(11.37.56) mattock: Sync up on OpenVPN 2.5 and 2.6?
(11.38.04) cron2: not everyone has arrived... it would be very useful to have 
word from ordex...
(11.38.20) mattock: what if we start with the second topic
(11.38.25) cron2: go!
(11.38.31) mattock: snapshot building & publishing 
(11.38.38) cron2: want! :)
(11.38.42) plaisthos: he is on vacation iirc
(11.38.48) dazo: ordex is on holiday
(11.38.56) cron2: I thought only last week?
(11.39.34) dazo: a few days more
(11.39.42) mattock: so, we now have GitHub Actions configs that generate 
Windows installers on every commit and PR
(11.39.54) mattock: those MSI installers are unsigned, but the kernel-mode 
stuff (drivers) are signed
(11.40.06) mattock: so those are fully usable for testing/use by normal people
(11.40.36) mattock: the second part of this is that maintaining Windows 
automation (buildbot worker) is really time-consuming (for me)
(11.40.44) cron2: nice.  Can we get them published somewhere where people can 
find them, like, on build.openvpn.net, with a time stamp + commit id?
(11.41.21) mattock: having documentation might be enough, but it is probably 
possible to automatically sync those from github to somewhere else
(11.41.31) mattock: using some custom script
(11.41.50) cron2: sounds good (emphasis on "useful filename")
(11.43.04) mattock: there's one piece missing though: GHA only launches on 
commits to openvpn-build, not to openvpn
(11.43.14) mattock: lev might know if that can be fixed somehow
(11.43.57) cron2: we can add github actions to openvpn main repo
(11.44.07) mattock: yeah, true
(11.44.26) cron2: (we have all the test builds for ubuntu and everything, so 
adding windows is "just" a matter of adding the proper lines)
(11.44.55) mattock: related to this I would still like to keep the 
msibuilder/msibuilder25 in openvpn-vagrant, for two reasons:
(11.44.55) mattock: - release builds
(11.44.55) mattock: - for other people who may want to build on Windows
(11.45.05) lev__: we can add step to GHA to upload MSIs to somewhere
(11.45.21) cron2: mattock: yes, that is very useful to have
(11.45.34) mattock: so, we'd end up with
(11.45.34) mattock: - GHA building MSIs
(11.45.34) mattock: - msibuilder/msibuilder25 for building official (signed) 
installers
(11.45.38) lev__: or just point to 
https://github.com/OpenVPN/openvpn-build/actions?query=event%3Aschedule++
(11.46.07) lev__: there we have nightly builds from master branch
(11.46.11) mattock2 [~ya...@mobile-access-bcee29-127.dhcp.inet.fi] has entered 
the room.
(11.46.21) cron2: lev__: this is particularly not what I consider "msi with 
reasonable file names that people can find"
(11.47.01) lev__: so let's add step to copy those to build.openvpn.net 
(11.47.17) lev__: but in this case we need to store ssh key into github
(11.47.20) cron2: why not build on commit to openvpn main repo?
(11.47.53) lev__: we could do that too, so far I just scheduled nightly builds
(11.48.17) cron2: yeah, this should work as well
(11.48.27) lev__: we already have GHA in openvpn mail repo though
(11.48.31) lev__: *main
(11.48.31) cron2: some weeks, all nightlies will be the same...
(11.48.42) cron2: some days, 10 commits in one day
(11.48.51) lev__: which builds windows binaries
(11.48.52) cron2: but for "having something to test", this is still good enough
(11.49.19) lev__: would executable be enough? 
(11.49.25) cron2: giving GH a SSH key that has restricted access only to 
"publish nightly build" section of build sounds OK for me
(11.50.49) lev__: so here are GHA on openvpn main build which produce various 
artifacts https://github.com/OpenVPN/openvpn/actions/runs/2414750281 I think 
this is enough for testing
(11.51.07) lev__: but we could also build MSI
(11.51.57) cron2: building & uploading msi to build/swupdate/... would be 
perfect
(11.52.32) lev__: also MSI from dco branch (including latest and greatest 
dco-win driver) is also one click away - it doesn't happen automatically, one 
needs to trigger a build job
(11.52.47) lev__: okay, I can do that if someone provides me a key
(11.53.20) ***cron2 looks at mattock :-) (mattock: can you please provide 
access for djpig as well?)
(11.54.37) mattock2: I think I'll do the migration of build.openvpn.net first, 
but yeah
(11.55.12) mattock2: new build is all done, just need DNS switch + a few 
touchups
(11.55.16) cron2: nice
(11.57.01) mattock2: next topic?
(11.59.11) cron2: 2.5
(11.59.58) cron2: I've seen dazo push 2.5.7 to FC* repos, m-a has updated the 
FreeBSD port
(12.00.51) cron2: Ubuntu maintainer has signalled interest in the OSSL 3 
related patches (but I have not seen further activity)
(12.01.15) dazo: Fedora 34 + 35 + 36 and EPEL-9 are in the testing repos 
already, will move automatically to stable repos once Fedora testers do their 
duties (or ignore it for too long, where it moves to stable anyhow).  Fedora 
Copr repos (EPEL-7 + EPEL-8) are built and published.
(12.01.36) dazo: Fedora 36 and EPEL-9 are affected by OpenSSL 3 issues
(12.01.55) cron2: wiscii has asked to bump bundled EasyRSA to "something 
newer"... he knows how to send PRs though :)
(12.02.47) cron2: dazo: what sort of issues have people seen?  I know about 
.p12/RC2 (--providers legacy)
(12.02.57) dazo: that's it
(12.03.17) cron2: (debian testing has also uncovered "my remote can only do 
TLSv1" issues with 2.6...)
(12.03.55) cron2: do "we" have contacts to the pfsense/opnsense folks?  I know 
kp is working on pfsense (but he's also busy elsewhere)
(12.04.06) cron2: raise the RC2 issue
(12.04.44) lev__: speaking of easyrsa - we bumped version in master, what about 
2.5 ? it is still 3.0.8 
https://github.com/OpenVPN/openvpn-build/blob/release/2.5/windows-msi/version.m4#L23
(12.04.54) cron2: 11:01 <@cron2> wiscii has asked to bump bundled EasyRSA
(12.05.07) dazo: perhaps we can notify opnsense via nitrokey folks .... ordex 
might know
(12.06.13) lev__: ah ok, I was confused. well since he did it for master, he 
can do it for 2.5 
(12.06.24) cron2: this :)
(12.06.44) cron2: (we discussed this yesterday in #openvpn-devel)
(12.07.12) cron2: ((the discussion deteriorated somewhat into "can we do a 
rewrite in a reasonable language" and "what language would that be" :) ))
(12.08.17) lev__: heh
(12.12.21) cron2: so, nothing more on 2.5, it seems :-)
(12.12.25) cron2: 2.6
(12.12.26) plaisthos: You can write it in python ;)
(12.12.28) mattock2: yeah
(12.12.42) cron2: plaisthos: there we go again, "reasonable language" and 
"python"...
(12.13.04) plaisthos: hehe
(12.13.19) cron2: every time something explodes in my gentoo systems, it's 
related to "there are 3 python versions installed and something wants a 4th"
(12.13.21) plaisthos: write it in C!
(12.14.15) MaxF: Rust!
(12.14.35) mattock2: it seems meeting time is being spent well!
(12.15.37) MaxF: 2.6 ... do we need to wait for ordex to review the patch I 
sent?
(12.15.38) mattock2: any real topics left? :)
(12.16.04) cron2: MaxF: I would have hoped to get some assistance in 
review/test this, as it's his code...
(12.16.26) lev__: what is the status of linux dco patch review (4/7) ? where is 
the ball at?
(12.16.27) MaxF: hackathon? I've not received a definite answer about Fox 
hosting it, but what I heard doesn't make me optimistic
(12.16.47) cron2: mattock2: you put many topics on the agenda page :-)
(12.16.55) cron2: MaxF: :-(
(12.16.59) mattock2: I copied many topics
(12.17.04) MaxF: apparently it got more difficult to do stuff there on weekends
(12.17.13) mattock2: not sure which are still relevant
(12.17.15) cron2: mattock2: they are all there because they are real
(12.17.54) cron2: lev__: well, I have no idea how to proceed with DCO, which is 
why I wanted to bring it up
(12.18.07) cron2: https://community.openvpn.net/openvpn/wiki/Topics-2022-06-01 
#5 :-)
(12.18.41) cron2: so, I've been whacking the DCO branch on an Ubuntu 20.04 test 
server, and found interesting and amazing wonders
(12.18.42) lev__: it is already split into 7 patches 
(12.19.16) lev__: but yeah 4/7 is the main one
(12.19.18) cron2: lev__: but the first one is 4000 lines long, and unless that 
one is in, later ones cannot be reasonably reviewed - and it's changing all the 
time, so it's unclear what we are looking at
(12.19.48) cron2: NCP cipher fail leads to server fatal error -> exit(), for 
example...
(12.20.23) lev__: do we have a list of those things somewhere? 
(12.20.56) lev__: maybe freeze the current state, fix things you and other have 
found and send next version? 
(12.21.01) cron2: not in a well-organized way... and this was my attempt to get 
things organized
(12.21.03) lev__: *others
(12.21.26) cron2: I'd really like to get stuff merged, we know what we are 
testing against, and what gets changed
(12.21.48) cron2: so I do not have to redo the 4000-lines patch review because 
something got shuffled around for some case
(12.22.20) lev__: the things you've found, how critical they are?
(12.22.27) cron2: "b?m!"
(12.22.39) cron2: connect to a DCO enabled server with "--cipher 3DES" on the 
client, server aborts
(12.22.58) lev__: if we got it merged, we might have more people to test and 
report bugs (especially with snapshots being published _soon_)
(12.23.09) cron2: connect in P2P mode, works exactly once, then the server will 
never again respond to new TLS packets coming in
(12.23.58) cron2: but... this needs ordex.
(12.24.09) cron2: Can we jump to #3 for the moment, p2p and 
--explicit-exit-notify?
(12.24.22) cron2: there is a question for the group - "shall we change this?"
(12.26.22) dazo: I think it makes sense to enable that by default for clients 
with TLS .... OpenVPN 3 already does that by default, IIRC
(12.26.35) cron2: "enable that"?
(12.26.44) dazo: --explicit-exit-notify
(12.26.49) cron2: that is not the question :-)
(12.27.03) cron2: the question is "why does the peer exit, if 
explicit-exit-notify comes in in p2p mode?"
(12.27.05) dazo: that's how I understood #3 ;-)
(12.27.11) cron2: and "do we want to change *that* behaviour?"
(12.27.35) cron2: the question was not "shall we enable it by default" (which 
we could do, and kill all p2p setups with a pre-2.6 peer...)
(12.28.45) dazo: so ... then I'm not fully understanding the problem we're 
trying to solve .... what is the P2P issue with --explicit-exit-notify?
(12.29.03) cron2: the peer exits if receiving an --explicit-exit-notify message
(12.29.09) cron2: like, "exit(), program end"
(12.29.19) dazo: ahh!
(12.29.30) cron2: "it has been that way forever"
(12.29.58) cron2: so the question is "do we want to make reception of 
--explicit-exit-notify in p2p TLS mode behave like in p2mp mode = 
SIGUSR1/SIGHUP, instead of SIGTERM"
(12.30.31) cron2: (ignoring --secret mode)
(12.30.42) dazo: right .... yeah, I think that makes sense .... why would you 
want to "kill" the remote end by exiting on the local side?
(12.30.52) dazo: (--secret/static key mode must die)
(12.30.59) cron2: yes, and yes :)
(12.33.26) dazo: So to try to answer "is there a specific reason why it is the 
way it is" .... I think it's just an unconsidered (untested?) scenario since 
--explicit-exit-notify has never been enabled by default
(12.35.02) cron2: plaisthos wanted to send a patch - so let's do that, then :-)
(12.35.16) dazo: +1
(12.35.22) plaisthos: well I said we can have a patch but didn't say I would 
send it ;)
(12.35.40) plaisthos: But yeah, I can put making a patch that replaces SIGTERM 
with SIGUSR1 on my todo list
(12.35.50) dazo: +1
(12.40.18) cron2: (as a side note, i'm out, have another meeting since 11:30)
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel