[Openvpn-devel] [PATCH 1/2] Remove x509-username-fields uppercasing
The uppercasing was first introduced together with the x509-username-field option in commit 935c62be, and first released with v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82 and release v2.4.0 in 2016. I think it is time to finally remove it.

This deprecated feature prevents you from using non-extension all-lowercase fieldnames like `name`, because these are converted to uppercase and then cause an error. The deprecation warning is also shown in cases where there is no actual uppercasing happening, for example with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).

Signed-off-by: Corubba Smith
---
Changes.rst | 5 +
doc/man-sections/tls-options.rst | 6 --
src/openvpn/options.c | 27 +--
3 files changed, 6 insertions(+), 32 deletions(-)

diff --git a/Changes.rst b/Changes.rst index e0118111..bcc64fca 100644 --- a/Changes.rst +++ b/Changes.rst @@ -92,6 +92,11 @@ Compression on send ``--allow-compression yes`` is now an alias for ``--allow-compression asym``. +User-visible Changes + +- ``--x509-username-field`` will no longer automatically convert fieldnames to + uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. + Overview of changes in 2.6 == diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index cdb85716..7882e924 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst 
@@ -763,12 +763,6 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. Only the :code:`subjectAltName` and :code:`issuerAltName` X.509 extensions and :code:`serialNumber` X.509 attribute are supported. - **Please note:** This option has a feature which will convert an - all-lowercase ``fieldname`` to uppercase characters, e.g., - :code:`ou` -> :code:`OU`. A mixed-case ``fieldname`` or one having the - :code:`ext:` prefix will be left as-is. This automatic upcasing feature is - deprecated and will be removed in a future release. - Non-compliant symbols are being replaced with the :code:`_` symbol, same as the field separator, so concatenating multiple fields with such or :code:`_` symbols can potentially lead to username collisions. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3ae44dbe..6b2dfa58 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -9395,37 +9395,12 @@ add_option(struct options *options, #ifdef ENABLE_X509ALTUSERNAME else if (streq(p[0], "x509-username-field") && p[1]) { -/* This option used to automatically upcase the fieldnames passed as the - * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is - * fine-tuned by only upcasing Subject field attribute names which consist - * of all lower-case characters. Mixed-case attributes such as - * "emailAddress" are left as-is. An option parameter having the "ext:" - * prefix for matching X.509v3 extended fields will also remain unchanged. - */ VERIFY_PERMISSION(OPT_P_GENERAL); for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j) { char *s = p[j]; -if (strncmp("ext:", s, 4) != 0) -{ -size_t i = 0; -while (s[i] && !isupper(s[i])) -{ -i++; -} -if (strlen(s) == i) -{ -while ((*s = toupper(*s)) != '\0') -{ -s++; -} -msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " -"--x509-username-field parameter to '%s'; please update your " -"configuration", p[j]); -} -} -else if (!x509_username_field_ext_supported(s+4)) +if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4)) { msg(msglevel, "Unsupported x509-username-field extension: %s", s); } -- 2.48.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
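Review bot: in the Changes.rst hunk the new "User-visible Changes" heading has no underline, while the neighbouring headings in this file do (see "Overview of changes in 2.6" followed by its "==" underline); without one, reStructuredText renders it as an ordinary paragraph, so add the underline used for sibling headings, or, if a "User-visible Changes" section already exists higher up in the file, put the bullet there instead. The entry should also tell affected users what to do: a fieldname that relied on the upcasing (e.g. `ou`) must now be spelled exactly as the attribute name (`OU`), because the parameter is passed through unchanged.

Review bot: the tls-options.rst hunk only deletes the upcasing note; with the conversion gone, the man page should state that ``fieldname`` is used exactly as written, so a lowercase short name such as :code:`ou` no longer selects the :code:`OU` attribute. One sentence at the place of the removed paragraph would do.

Review bot: in the options.c hunk, after the removal a non-`ext:` parameter is no longer inspected at parse time at all (the loop now only checks `strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4)`), so a misspelled or wrongly cased attribute name is first noticed when username extraction fails during certificate verification. Consider validating non-`ext:` names at parse time with the same lookup the verify path uses, so a bad name is rejected at startup with a clear message rather than as a connection-time authentication failure. If `isupper()`/`toupper()` were the only users of <ctype.h> in this file, that include can be dropped as well.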
[Openvpn-devel] [PATCH 2/2] Document x509-username-fields oid usage
When built against OpenSSL, the parameters of the x509-username-fields option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0] which accepts "long names and short names [...] as well as numerical forms." Because of this, you can for example use `x509-username-field 2.5.4.41` to make OpenVPN read the `name` field [1].

x509-username-fields is currently not implemented for mbed TLS, so that can be ignored.

[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41

Signed-off-by: Corubba Smith
---
doc/man-sections/tls-options.rst | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 7882e924..0638d095 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -744,11 +744,13 @@ If the option is inlined, ``algo`` is always :code:`SHA256`. :: x509-username-field emailAddress + x509-username-field 1.2.840.113549.1.9.1 x509-username-field ext:subjectAltName x509-username-field CN serialNumber - The first example uses the value of the :code:`emailAddress` attribute - in the certificate's Subject field as the username. The second example + The first two examples use the value of the :code:`emailAddress` attribute + in the certificate's Subject field as the username, where the first example + uses the name while the second example uses the oid. The third example uses the :code:`ext:` prefix to signify that the X.509 extension ``fieldname`` :code:`subjectAltName` be searched for an rfc822Name (email) field to be used as the username. In cases where there are -- 2.48.1
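Review bot: the tls-options.rst hunk adds the numeric example but does not state the rule behind it; add a sentence near the examples saying that ``fieldname`` may be given as the attribute's short name, long name or dotted-decimal OID (the three forms the commit message quotes from OBJ_txt2obj()), so readers know the numeric form is supported rather than a coincidence of one example. In the added text, write "OID" in capitals ("uses the OID") to match the usual spelling.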
[Openvpn-devel] [S] Change in openvpn[master]: Always use a 0.0.0.0/0 default on Android instead of def1
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/890?usp=email )

Change subject: Always use a 0.0.0.0/0 default on Android instead of def1

Patch Set 1: Code-Review-1

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/890?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I22e4b73e744c765a43bdb29f6e18813d103ea757
Gerrit-Change-Number: 890
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Sat, 15 Feb 2025 15:37:20 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: Reconnect when TCP is on use on network-change management command
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/891?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by cron2

Change subject: Reconnect when TCP is on use on network-change management command

Reconnect when TCP is on use on network-change management command

On some newer Android handsets, changing to a different network often does not trigger a TCP reset but continues using the old connection (e.g. using mobile connection when WiFi becomes available).

Force a reconnect in these situations to have a more expected behaviour.

Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20250215152456.5691-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30908.html
Signed-off-by: Gert Doering
---
M src/openvpn/init.c
1 file changed, 9 insertions(+), 0 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/91/891/2

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index da20241..920f8d7 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -4412,6 +4412,15 @@ return -1; } +/* On some newer Android handsets, changing to a different network + * often does not trigger a TCP reset but continue using the old + * connection (e.g. using mobile connection when WiFi becomes available */ +struct link_socket_info *lsi = get_link_socket_info(c); +if (lsi && proto_is_tcp(lsi->proto) && !samenetwork) +{ +return -2; +} + socketfd = c->c2.link_sockets[0]->sd; if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/891?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799 Gerrit-Change-Number: 891 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: Reconnect when TCP is on use on network-change management command
Tab-vs-Space fixed on the fly.

Your patch has been applied to the master branch.

commit 43abb412dd211836086e27b55f1bcd77626ad6f2
Author: Arne Schwabe
Date: Sat Feb 15 16:24:56 2025 +0100

Reconnect when TCP is on use on network-change management command

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20250215152456.5691-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30908.html
Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [XS] Change in openvpn[master]: Reconnect when TCP is on use on network-change management command
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/891?usp=email )

Change subject: Reconnect when TCP is on use on network-change management command

Reconnect when TCP is on use on network-change management command

On some newer Android handsets, changing to a different network often does not trigger a TCP reset but continues using the old connection (e.g. using mobile connection when WiFi becomes available).

Force a reconnect in these situations to have a more expected behaviour.

Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20250215152456.5691-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30908.html
Signed-off-by: Gert Doering
---
M src/openvpn/init.c
1 file changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index da20241..920f8d7 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -4412,6 +4412,15 @@ return -1; } +/* On some newer Android handsets, changing to a different network + * often does not trigger a TCP reset but continue using the old + * connection (e.g. using mobile connection when WiFi becomes available */ +struct link_socket_info *lsi = get_link_socket_info(c); +if (lsi && proto_is_tcp(lsi->proto) && !samenetwork) +{ +return -2; +} + socketfd = c->c2.link_sockets[0]->sd; if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/891?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799 Gerrit-Change-Number: 891 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: cron2 Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [S] Change in openvpn[master]: [TEST-ONLY] Mess with internal logic to test epoch data
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/818?usp=email )

Change subject: [TEST-ONLY] Mess with internal logic to test epoch data

Patch Set 8: Code-Review-2

(1 comment)

Patchset:

PS8:
not sure if this is still needed, as we have epoch / AEAD limit unit tests now - as it is it can't go in (but it was never intended for "real merge" anyway)

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/818?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Gerrit-Change-Number: 818
Gerrit-PatchSet: 8
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Sat, 15 Feb 2025 15:43:08 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: Reconnect when TCP is on use on network-change management command
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/891?usp=email )

Change subject: Reconnect when TCP is on use on network-change management command

Patch Set 1: Code-Review+2

(1 comment)

Patchset:

PS1:
the code has a tab where it should have spaces, but I can fix that on apply. I can't really test the functionality, but it compiles with the new android GHA build :-) and is in a TARGET_ANDROID block so won't affect anything else.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/891?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799
Gerrit-Change-Number: 891
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Sat, 15 Feb 2025 15:23:21 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [PATCH v1] Reconnect when TCP is on use on network-change management command
From: Arne Schwabe

On some newer Android handsets, changing to a different network often does not trigger a TCP reset but continues using the old connection (e.g. using mobile connection when WiFi becomes available).

Force a reconnect in these situations to have a more expected behaviour.

Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/891
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a7f7db4..b5eeeb8 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -4390,6 +4390,15 @@ return -1; } +/* On some newer Android handsets, changing to a different network + * often does not trigger a TCP reset but continue using the old + * connection (e.g. using mobile connection when WiFi becomes available */ +struct link_socket_info *lsi = get_link_socket_info(c); +if (lsi && proto_is_tcp(lsi->proto) && !samenetwork) +{ +return -2; +} + socketfd = c->c2.link_sockets[0]->sd; if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) {
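Review bot: the early `return -2;` introduces a second result code next to the existing `return -1;`, and nothing in the hunk shows how the caller of this network-change handler tells the two apart; document what -2 means (force a full reconnect because the TCP session is stale) in the function's doc comment and make sure the management-command caller handles it explicitly instead of treating every negative value as the old error path. The new comment also lacks its closing parenthesis and should read "but continues using the old connection (...)". Placing the check before `socketfd = c->c2.link_sockets[0]->sd;` is right, since a stale TCP socket must not be reused, and the NULL guard on `lsi` is the only one needed there.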
[Openvpn-devel] [PATCH 0/2] x509-username-fields improvements
This patchset contains two small improvements for the x509-username-fields option. The first patch removes the long-deprecated uppercasing of the fieldnames, which was kept only for backwards compatibility. The second patch documents a long available but until now undocumented way to specify fields by their oids.

I ran into several issues with the uppercasing, and while coming up with a bugfix, I figured it's easier to instead just finally remove it.

Corubba Smith (2):
  Remove x509-username-fields uppercasing
  Document x509-username-fields oid usage

Changes.rst | 5 +
doc/man-sections/tls-options.rst | 12
src/openvpn/options.c | 27 +--
3 files changed, 10 insertions(+), 34 deletions(-)

--
2.48.1
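As an added illustration of both patches in this series (example code written for this page, not OpenVPN's own), the following Python models the pre-patch upcasing from options.c next to the post-patch verbatim handling, resolves names the way the second patch says OBJ_txt2obj() does (short name, long name or dotted OID, matched case-sensitively), and reports which parameters of an existing config change meaning after the upgrade. The attribute table is a constructed subset, and an unresolved name is reported as None.

```python
# Added example written for this page, not OpenVPN's own code: it models how
# --x509-username-field parameters were handled before patch 1/2 (upcased in
# options.c) and after it (used verbatim), plus the name/OID resolution that
# patch 2/2 documents. ATTRIBUTES is a constructed subset of what OpenSSL's
# OBJ_txt2obj() knows: (short name, long name, dotted OID), case-sensitive.
ATTRIBUTES = [
    ("CN", "commonName", "2.5.4.3"),
    ("OU", "organizationalUnitName", "2.5.4.11"),
    ("name", "name", "2.5.4.41"),
    ("serialNumber", "serialNumber", "2.5.4.5"),
    ("emailAddress", "emailAddress", "1.2.840.113549.1.9.1"),
]
# X.509 extensions the ext: prefix supports according to the man page.
SUPPORTED_EXTENSIONS = ("subjectAltName", "issuerAltName")


def resolve_attribute(text):
    """Short name, long name or dotted OID -> dotted OID, else None."""
    for sn, ln, oid in ATTRIBUTES:
        if text in (sn, ln, oid):
            return oid
    return None


def upcase_pre_patch(param):
    """Old options.c logic: a non-ext: parameter with no ASCII uppercase
    letter was upcased in place and a deprecation warning emitted; digits
    and dots count as 'no uppercase', so a dotted OID warned as well."""
    if param.startswith("ext:") or any("A" <= c <= "Z" for c in param):
        return param, False
    return param.upper(), True


def check_field(param, upcase):
    """Parse-time handling, then the verify-time lookup. Returns (parameter
    as used, warning emitted, resolved OID/extension or None)."""
    used, warned = upcase_pre_patch(param) if upcase else (param, False)
    if used.startswith("ext:"):
        ext = used[4:]
        return used, warned, ext if ext in SUPPORTED_EXTENSIONS else None
    return used, warned, resolve_attribute(used)


def migration_report(params):
    """Config parameters whose resolution differs between the pre-patch and
    post-patch handling, as {param: (old, new)}."""
    report = {}
    for p in params:
        old, new = check_field(p, True)[2], check_field(p, False)[2]
        if old != new:
            report[p] = (old, new)
    return report
```

Running migration_report over the fieldnames of an existing config shows the two directions of the change: `name` only works after the patch, while a lowercase `ou` only worked before it and now needs to be written `OU`.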