[Openvpn-devel] Summary of the community meeting (17th November 2021)

2021-11-18 Thread Samuli Seppänen

Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on libera.chat
Date: Wed 17th November 2021
Time: 14:00 CET (12:00 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, d12fk, lev, mattock, MaxF, novaflash, ordex, Pippin and rob0 
participated in this meeting.


---

Talked about hackathon T-shirts. Cron2 will send them out both 
individually and in larger bunches for further distribution. Agreed that 
the T-shirts look good.


--

Full chatlog attached



(14:59:51) mattock: howdy
(15:00:04) dazo: yo!
(15:02:05) lev__: hallo
(15:02:16) d12fk: hi
(15:04:49) cron2: hoi
(15:04:55) cron2: had to feed the monsters first...
(15:05:01) ordex: hy
(15:05:04) novaflash: goedendag
(15:05:22) dazo: plaisthos is on a holiday, so I don't expect him here today
(15:05:35) MaxF [~m...@cust-95-128-91-242.breedbanddelft.nl] è entrato nella 
stanza.
(15:05:47) MaxF: hi!
(15:06:03) cron2: yo!
(15:06:03) mattock: ok let's start
(15:06:24) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2021-11-17
(15:06:45) cron2: indeed
(15:07:20) cron2: so, T-Shirts.  I have received a box full of T-Shirts, and 
extracted an XL one for me
(15:07:27) mattock: do the T-shirt look ok?
(15:07:31) mattock: T-shirts
(15:07:34) cron2: yes
(15:07:35) cron2: wait
(15:07:38) mattock: \o/
(15:07:43) mattock: too bad they were sol ate
(15:08:13) cron2: https://demo.vct.spacenet.de/o
(15:08:28) cron2: I don't want to do a video meeting, just show the t-shirt :-)
(15:08:49) novaflash: sorry don't have any microphone or camera on this ancient 
thing!
(15:08:54) cron2: ah
(15:08:55) mattock: I'll join but keep the video off as I look like shit (flu, 
running nose, etc) :)
(15:09:04) novaflash: looks good!
(15:09:37) mattock: +1
(15:10:00) dazo: +1
(15:10:23) cron2: indeed, they are black :-) - wasn't my doing
(15:10:26) novaflash: thanks for showing
(15:10:33) novaflash: yeah i know, grey wasn't an option
(15:10:39) novaflash: or too light
(15:10:44) cron2: ah
(15:10:52) cron2: *I* am fine with black :-)
(15:11:08) dazo: :-D
(15:11:12) novaflash: tradition must not be broken!
(15:11:26) cron2: so - I can send around a few boxes to aggregation points, 
like "one box to syzzer, with T-Shirts and headphones", and "another to qaware"
(15:11:40) ***rob0 warms up as Tevye in Fiddler on the Roof
(15:11:40) cron2: mattock: how many T-Shirts have you planned for QA?
(15:11:54) mattock: QAware I assume - five
(15:11:59) mattock: five times XL
(15:12:15) MaxF: and then they can all fight over it?
(15:12:30) cron2: ok, so I take out 5x XL, send to qaware.  Then take out all 
the dutch T-Shirts and send to Syzzer (and you can sort this out locally).
(15:12:34) mattock: that's pretty much the plan MaxF :)
(15:13:01) cron2: but what to do with the rest?  I do not think I can manage 
"send individually to the world" in reasonable time
(15:14:06) MaxF: sending them to USA must be crazy expensive
(15:14:08) cron2: do you foresee a "corp people meeting" in the next few 
months?  So I could ship to plaisthos/d12fk, and he can bring it along
(15:14:18) cron2: MaxF: plus customs declarations and stuff...
(15:14:21) mattock: MaxF: sending to the USA is not that expensive
(15:14:23) novaflash: i think we probably will now that travel is somewhat 
possible again
(15:14:29) mattock: I can't recall getting a stroke when I did it the last time
(15:14:36) novaflash: but likely not with USA people
(15:16:07) ***cron2 suggests that corp people sort this out internally and let 
me know where to ship the "corp" part of the box :-)
(15:16:39) mattock: yeah, one corp box sounds reasonable
(15:16:50) mattock: we can ask around to figure out where that box should go
(15:16:58) cron2: let me know :-)
(15:17:22) cron2: for the non-hackathon-attendees - we have a few 
T-Shirt-Requests in the wiki.  Have these been part of the order?
(15:17:52) d12fk: I don't mind bringing the shirts, however if someone else 
want their shirt urgently, I'll pass, as I do not
(15:18:47) mattock: yes, there are shirts for the non-participants 
(15:20:01) cron2: ok... so maybe I can ship those direct (otherwise too much 
shipping and delay).  Can you e-mail me the addresses?
(15:20:56) mattock: I only have wiscii's address
(15:21:00) mattock: the rest will have to be dug out
(15:21:27) mattock: I'll send that address to you now
(15:21:49) cron2: thanks
(15:24:09) mattock: done
(15:24:41) Pippin_: @mattock you have my address too
(15:24:53) Pippin_: mattock: ^
(15:24:54) mattock: mm, let me try to find that one
(15:26:52) mattock: can't find it - care to send it again?
(15:28:21) mattock: or send it to cron2 rather
(15:28:30) mattock: if he's going to ship the T-shirt
(15:28:36) Pippin_: Ah just send it
(15:28:40) Pippin_: :)
(15:28:40) cron2: yeah
(15:29:49) Pippin_: done...

[Openvpn-devel] [PATCH master+release/2.5] Tune down verbosity for suspected retransmits

2021-11-18 Thread Lev Stipakov
From: Lev Stipakov 

There are cases when a control packet is not acked fast enough,
for example when handling PUSH_REPLY, which requires setting up
the tunnel. In those cases the packet will be retransmitted.

OpenVPN 2 changes the packet-id on retransmission, so it passes
replay protection and gets rejected as a replay by the reliability layer,
which checks another packet-id (sequence id) that is used to assemble
our TCP-like stream.

OpenVPN 3, however, doesn't change the packet-id on retransmission,
which triggers replay protection and causes level 1 nonfatal errors
in the logs.

When replay protection sees a packet with the same timestamp
and packet-id as a previously received one, this is likely a retransmission
from OpenVPN 3. To not scare users, tune the verbosity down in this case.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/crypto.c| 5 -
 src/openvpn/packet_id.c | 3 +++
 src/openvpn/packet_id.h | 1 +
 src/openvpn/ssl.c   | 6 --
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 1dfc760f..5a0775c1 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -335,7 +335,10 @@ crypto_check_replay(struct crypto_options *opt,
 {
 if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS))
 {
-msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- "
+/* openvpn3 doesn't change packet-id on retransmit, this is
+ * likely the case so tune verbosity down */
+int verb = opt->packet_id.rec.retransmit ? D_PID_DEBUG : 
D_REPLAY_ERRORS;
+msg(verb, "%s: bad packet ID (may be a %s): %s -- "
 "see the man page entry for --no-replay and --replay-window 
for "
 "more info or silence this warning with 
--mute-replay-warnings",
 error_prefix, packet_id_net_print(pin, true, gc));
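Review bot: the new format string in this hunk has three `%s` conversions ("%s: bad packet ID (may be a %s): %s -- ...") but the argument list is unchanged and still supplies only `error_prefix` and `packet_id_net_print(pin, true, gc)`, so the call is one argument short and the output of the varargs formatting is undefined. Either pass the word the new `%s` is meant to print, e.g. `opt->packet_id.rec.retransmit ? "retransmit" : "replay"`, between `error_prefix` and the packet-id string, or keep the original "may be a replay" text and only change the verbosity level.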
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index 19bf3c51..09434bbb 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -201,6 +201,8 @@ packet_id_test(struct packet_id_rec *p,
 {
 packet_id_type diff;
 
+p->retransmit = false;
+
 packet_id_debug(D_PID_DEBUG, p, pin, "PID_TEST", 0);
 
 ASSERT(p->initialized);
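Review bot: `p->retransmit = false;` turns the verdict into sticky state on the receive record instead of a return value, so its meaning depends on `crypto_check_replay()` and `read_control_auth()` consulting it right after the `packet_id_test()` call that set it; any failure path that returns before this function is called leaves the previous packet's verdict in the field. Please document that contract next to the reset (or return the rejection reason through an out parameter), and consider moving the reset below `ASSERT(p->initialized);` so an uninitialised record is not written before the assertion fires.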
@@ -250,6 +252,7 @@ packet_id_test(struct packet_id_rec *p,
 }
 else
 {
+p->retransmit = true;
 /* raised from D_PID_DEBUG_LOW to reduce verbosity */
 packet_id_debug(D_PID_DEBUG_MEDIUM, p, pin, "PID_ERR 
replay", diff);
 return false;
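Review bot: `p->retransmit = true;` is set in the same `else` branch that already logs "PID_ERR replay" for an id found in the window, while the commit message describes the heuristic as a packet with "the same timestamp and packet-id as previously received one". From this hunk it is not visible that the branch is limited to an exact duplicate of the last packet rather than any already-seen id within the window; if it is not, every in-window replay, including a genuine one, is now demoted to debug level by the callers. Either narrow the condition to the exact-duplicate case or extend the comment to say why the whole branch qualifies as a suspected retransmit.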
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index 8f705964..e47d671f 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -141,6 +141,7 @@ struct packet_id_rec
 struct seq_list *seq_list; /* packet-id "memory" */
 const char *name;
 int unit;
+bool retransmit;  /* true if last packet is suspected retransmit */
 };
 
 /*
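Review bot: the comment on `retransmit` should state the field's lifetime now that callers branch on it: it is cleared on every `packet_id_test()` call and only meaningful immediately after that call returns false. Something like `/* set by packet_id_test(): the last rejected packet looked like a retransmit */` makes the contract visible to readers of the header without having to open packet_id.c.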
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index b2dc48be..10f227d1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1531,8 +1531,10 @@ read_control_auth(struct buffer *buf,
 openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
 if (!buf->len)
 {
-msg(D_TLS_ERRORS,
-"TLS Error: incoming packet authentication failed from %s",
+/* openvpn3 doesn't change packet-id on retransmit, this is
+ * likely the case so tune verbosity down */
+int verb = ctx->opt.packet_id.rec.retransmit ? D_TLS_DEBUG : 
D_TLS_ERRORS;
+msg(verb, "TLS Error: incoming packet authentication failed from 
%s",
 print_link_socket_actual(from, &gc));
 goto cleanup;
 }
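Review bot: `if (!buf->len)` here covers every reason `openvpn_decrypt()` can reject the packet, not only the replay case, so `ctx->opt.packet_id.rec.retransmit` can be stale when the packet is dropped before the packet-id check runs (for example on an HMAC mismatch): a bad packet arriving after a suspected retransmit would then be logged at `D_TLS_DEBUG` instead of `D_TLS_ERRORS`. Clear the flag before calling `openvpn_decrypt()`, or only lower the verbosity when the failure is known to have come from the replay check.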
-- 
2.23.0.windows.1



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
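To make the distinction the patch above relies on concrete, here is an added example in C that is not OpenVPN's own code: a toy sliding-window packet-id check whose result tells the caller whether a rejected packet is an exact repeat of the most recently accepted one (a suspected retransmit, worth only a debug message) or some other replay (worth an error). The 64-entry bitmap window, the rule that a newer time field starts a fresh sequence, the "most recently accepted packet" simplification and the names `pid_rec`, `pid_init` and `pid_test` are all assumptions of this example, not OpenVPN's packet_id implementation.

```c
/* Added example, not OpenVPN's code: a toy sliding-window packet-id check
 * that tells an exact duplicate of the most recently accepted packet
 * (suspected retransmit) apart from any other replay, so the caller can
 * pick the log level. Window layout, time rule and names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_WINDOW 64 /* assumed: remember the 64 most recent ids */

enum pid_result {
    PID_OK,                   /* fresh packet, now recorded */
    PID_REPLAY,               /* already seen or too old: treat as a replay */
    PID_SUSPECTED_RETRANSMIT  /* same time and id as the last accepted packet */
};

struct pid_rec {
    bool initialized;
    uint32_t time;      /* time field of the current sequence */
    uint32_t top;       /* highest id accepted for this time */
    uint64_t seen;      /* bit k set => id (top - k) already accepted */
    uint32_t last_id;   /* id of the most recently accepted packet */
    uint32_t last_time; /* time of the most recently accepted packet */
};

void pid_init(struct pid_rec *p)
{
    memset(p, 0, sizeof(*p));
    p->initialized = true;
}

/* Check a received (time, id) pair and record it if it is fresh.
 * Assumed rule: a newer time starts a new sequence, an older time is
 * rejected outright, id 0 is reserved to mean "nothing seen yet". */
enum pid_result pid_test(struct pid_rec *p, uint32_t time, uint32_t id)
{
    if (!p->initialized || id == 0) {
        return PID_REPLAY;
    }
    if (time < p->time) {
        return PID_REPLAY;
    }
    if (time > p->time) {            /* new sequence: forget the old window */
        p->time = time;
        p->top = 0;
        p->seen = 0;
    }
    if (id > p->top) {               /* beyond the window's top: slide it */
        uint32_t shift = id - p->top;
        p->seen = (shift >= 64) ? 0 : (p->seen << shift);
        p->seen |= 1;                /* bit 0 is the new top */
        p->top = id;
    } else {
        uint32_t diff = p->top - id;
        if (diff >= PID_WINDOW) {
            return PID_REPLAY;       /* older than the window can track */
        }
        if (p->seen & ((uint64_t)1 << diff)) {
            /* duplicate: only an exact repeat of the last accepted packet
             * is treated as a likely retransmit */
            return (time == p->last_time && id == p->last_id)
                   ? PID_SUSPECTED_RETRANSMIT : PID_REPLAY;
        }
        p->seen |= (uint64_t)1 << diff;
    }
    p->last_time = time;
    p->last_id = id;
    return PID_OK;
}

/* Scripted scenario: returns 1 if every verdict matches the expectation. */
int pid_demo(void)
{
    struct pid_rec r;
    pid_init(&r);
    int ok = 1;
    ok &= pid_test(&r, 10, 1) == PID_OK;
    ok &= pid_test(&r, 10, 2) == PID_OK;
    ok &= pid_test(&r, 10, 2) == PID_SUSPECTED_RETRANSMIT; /* exact repeat */
    ok &= pid_test(&r, 10, 1) == PID_REPLAY;               /* seen, not last */
    ok &= pid_test(&r, 9, 3) == PID_REPLAY;                /* older time */
    ok &= pid_test(&r, 11, 1) == PID_OK;                   /* new sequence */
    return ok;
}

int main(void)
{
    printf("scenario %s\n", pid_demo() ? "matches" : "differs");
    return pid_demo() ? 0 : 1;
}
```

A caller that maps `PID_SUSPECTED_RETRANSMIT` to a debug-level message and `PID_REPLAY` to an error gets the same effect the patch aims for, but through a return value rather than a field that a later failure path could leave stale.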