[Openvpn-devel] [PATCH 2/2] Add table output formatting to t_client.sh

2016-05-21 Thread openvpn-devel
From: Jens Neuhalfen 

Test results will be printed in a tabular format, e.g.

| ID | TEST| RESULT   |
| -- | --- |  |
|  1 | testing tun/udp/ipv4| [SUCCESS]|
|  2 | testing tun/udp/ipv4 with pam   | [FAIL: 5 fails]  |
| -- | --- |  |
Test sets succeded: 1.
Test sets failed: 2.

Signed-off-by: Jens Neuhalfen 
---
 tests/t_client.sh.in | 18 ++
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index 9f0c8f6..e026dee 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -361,18 +361,26 @@ print_test_results(){
 # see here for an explanation on the calling convention:
 #   
http://stackoverflow.com/questions/1063347/passing-arrays-as-parameters-in-bash
 local -a test_ids=("${!1}")
-local -a test_number_of_fails=("${!2}")
+local -a test_names=("${!2}")
+local -a test_number_of_fails=("${!3}")

 local summary_ok=""
 local summary_fail=""

-for (( i = 0 ; i < ${#test_ids[@]} ; i++ )) do
-if [ ${test_number_of_fails[$i]} == 0 ]; then
+local fmt="| %2s | %-35s | %-20s |\n"
+
+printf "$fmt" "ID" "TEST" "RESULT"
+printf "$fmt" "--" "---" 
""
+for (( i = 0 ; i < ${#test_names[@]} ; i++ )) do
+if [ ${test_number_of_fails[$i]} = 0 ]; then
 summary_ok="$summary_ok ${test_ids[$i]}"
+printf "$fmt" "${test_ids[$i]}" "${test_names[$i]}" "[OK]"
 else
 summary_fail="$summary_fail ${test_ids[$i]}"
+printf "$fmt" "${test_ids[$i]}" "${test_names[$i]}" "[FAIL: 
${test_number_of_fails[$i]} fails]"
 fi
 done
+printf "$fmt" "--" "---" 
""

 if [ -z "$summary_ok" ] ; then summary_ok=" none"; fi
 if [ -z "$summary_fail" ] ; then summary_fail=" none"; fi
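Review bot: The OK row prints `[OK]` while the sample table in the commit message shows `[SUCCESS]`; one of the two should be aligned so the documented output matches what the script emits. The comparison `if [ ${test_number_of_fails[$i]} = 0 ]; then` is unquoted, so when the count for an index is empty (the arrays arrive through `"${!N}"` name indirection, which yields nothing if the named array is unset) `[` sees `= 0`, reports an error and falls through to the FAIL branch with an empty count; `if [ "${test_number_of_fails[$i]}" = 0 ]; then` keeps the test well-formed. The loop bound also changed from `${#test_ids[@]}` to `${#test_names[@]}`, which is presumably equivalent because the caller fills both arrays in lockstep, but bounding on the array that feeds the summary would read more naturally. print_test_results continues past the end of the hunk.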
@@ -389,6 +397,7 @@ run_test_loop() {
 local -i any_test_failed=0
 local -i number_of_fails_in_test=0
 local -a test_ids
+local -a test_names
 local -a test_number_of_fails
 local -i current_test_index=0

@@ -405,6 +414,7 @@ run_test_loop() {
 eval ping6_hosts=\"\$PING6_HOSTS_$SUF\"

 test_ids[$current_test_index]="$SUF"
+test_names[$current_test_index]="$test_run_title"

 run_test "$test_prep" "$test_cleanup" "$test_run_title" 
"$openvpn_conf" "$expect_ifconfig4" "$expect_ifconfig6" "$ping4_hosts" 
"$ping6_hosts"
 number_of_fails_in_test=$?
@@ -416,7 +426,7 @@ run_test_loop() {
 current_test_index=$((current_test_index + 1))
 done

-print_test_results test_ids[@] test_results[@]
+print_test_results test_ids[@] test_names[@] test_results[@]

 return $any_test_failed
 }
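Review bot: The third argument in the updated call, `test_results[@]`, names an array that is not declared in run_test_loop's local block (the earlier hunk declares `test_ids`, `test_names` and `test_number_of_fails`), so unless `test_results` is populated somewhere outside these hunks the fail counts reach print_test_results empty. If the local array is intended the call should read `print_test_results test_ids[@] test_names[@] test_number_of_fails[@]`. The mismatch predates this patch (the removed line carries the same name), but since the line is being rewritten this is the natural place to fix it.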
-- 
2.8.2




[Openvpn-devel] [PATCH 1/2] Refactor t_client.sh

2016-05-21 Thread openvpn-devel
From: Jens Neuhalfen 

Move global code into separate functions. Fix up formatting of code.

Signed-off-by: Jens Neuhalfen 
---
 tests/t_client.sh.in | 433 ++-
 1 file changed, 255 insertions(+), 178 deletions(-)

diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index 9a0af93..9f0c8f6 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
@@ -12,6 +12,12 @@
 # - for "ping6" checks: fping6 binary in $PATH
 #

+#
+# Tests are configured via t_client.rc in this direcotry or the top
+# level source directroy.
+#
+
+
 srcdir="${srcdir:-.}"
 top_builddir="${top_builddir:-..}"
 if [ -r "${top_builddir}"/t_client.rc ] ; then
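Review bot: The new header comment misspells two words, `direcotry` and `directroy`; it should read `# Tests are configured via t_client.rc in this directory or the top` / `# level source directory.`. It would also help a reader to say which file wins when both exist: the `if [ -r "${top_builddir}"/t_client.rc ]` check directly below suggests the build directory is consulted first, but the fallback branch lies outside the hunk, so that should be confirmed before documenting it.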
@@ -85,7 +91,18 @@ else
 exit 1
 fi

-exit_code=0
+# --
+# global variables
+# --
+
+# list of succeeded tests (e.g. 1 2 3)
+declare  SUMMARY_OK=""
+
+# list of failed tests
+declare  SUMMARY_FAIL=""
+
+# number of failed checks for a test (# of calls to fail())
+declare -i fail_count=0

 # --
 # helper functions
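Review bot: The three new globals use two naming conventions in the same block: `SUMMARY_OK` and `SUMMARY_FAIL` are upper-case while `fail_count` is lower-case, although all three are script-wide state; settling on one (for example `declare -i FAIL_COUNT=0`, with its users outside this hunk renamed) makes the globals recognisable at their use sites. The hunk also drops `exit_code=0` with no replacement in view; if `exit_code` is still referenced later in the script it is worth confirming it is assigned before use. Minor: `declare  SUMMARY_OK=""` and `declare  SUMMARY_FAIL=""` carry a double space after `declare`.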
@@ -105,46 +122,46 @@ get_ifconfig_route()
 # linux / iproute2? (-> if configure got a path)
 if [ -n "@IPROUTE@" ]
 then
-   echo "-- linux iproute2 --"
-   @IPROUTE@ addr show | grep -v valid_lft
-   @IPROUTE@ route show
-   @IPROUTE@ -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires 
[0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) 
[0-9]+ms//g'
-   return
+echo "-- linux iproute2 --"
+@IPROUTE@ addr show | grep -v valid_lft
+@IPROUTE@ route show
+@IPROUTE@ -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires 
[0-9]*sec//' -e 's/ (mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) 
[0-9]+ms//g'
+return
 fi

 # try uname
 case `uname -s` in
-   Linux)
-  echo "-- linux / ifconfig --"
-  LANG=C @IFCONFIG@ -a |egrep  "( addr:|encap:)"
-  LANG=C @NETSTAT@ -rn -4 -6
-  return
-  ;;
-   FreeBSD|NetBSD|Darwin)
-  echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
-  @IFCONFIG@ -a | egrep "(flags=|inet)"
-  @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
-  return
-  ;;
-   OpenBSD)
-  echo "-- OpenBSD --"
-  @IFCONFIG@ -a | egrep "(flags=|inet)" | \
-   sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
-  @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
-  return
-  ;;
-   SunOS)
-  echo "-- Solaris --"
-  @IFCONFIG@ -a | egrep "(flags=|inet)"
-  @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
-  return
-  ;;
-   AIX)
-  echo "-- AIX --"
-  @IFCONFIG@ -a | egrep "(flags=|inet)"
-  @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
-  return
-  ;;
+Linux)
+   echo "-- linux / ifconfig --"
+   LANG=C @IFCONFIG@ -a |egrep  "( addr:|encap:)"
+   LANG=C @NETSTAT@ -rn -4 -6
+   return
+   ;;
+FreeBSD|NetBSD|Darwin)
+   echo "-- FreeBSD/NetBSD/Darwin [MacOS X] --"
+   @IFCONFIG@ -a | egrep "(flags=|inet)"
+   @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+   return
+   ;;
+OpenBSD)
+   echo "-- OpenBSD --"
+   @IFCONFIG@ -a | egrep "(flags=|inet)" | \
+sed -e 's/pltime [0-9]*//' -e 's/vltime [0-9]*//'
+   @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$NF }'
+   return
+   ;;
+SunOS)
+   echo "-- Solaris --"
+   @IFCONFIG@ -a | egrep "(flags=|inet)"
+   @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
+   return
+   ;;
+AIX)
+   echo "-- AIX --"
+   @IFCONFIG@ -a | egrep "(flags=|inet)"
+   @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }'
+   return
+   ;;
 esac

 echo "get_ifconfig_route(): no idea how to get info on your OS.  FAIL." >&2
@@ -164,11 +181,11 @@ check_ifconfig()

 for expect in $expect_list
 do
-   if get_ifconfig_route | fgrep "$expect" >/dev/null
-   then :
-   else
-   fail "check_ifconfig(): expected IPv$proto address '$expect' not 
found in ifconfig output."
-   fi
+if get_ifconfig_route | fgrep "$expect" >/dev/null
+then :
+else
+fail "check_ifconfig(): expected IPv$proto address '$expect' not 
found in ifconfig output."
+fi
 done
 }

@@ -186,166 +203,226 @@ run_ping_tests()
 if [ -z "$targetlist" ] ; then return ; fi

 case $proto in
-   4) cmd=fping ;;
-   6) cmd=fping6 ;;
-   *) echo "internal error in run_ping_tests arg 1: '$proto'" >&2
-  exit 1 ;;
+4) cmd=fping ;;
+6) cmd=fping6 ;;
+*) echo "internal error in run_ping_tests arg 1: '$proto'" >&2
+

[Openvpn-devel] Refactor t_client.sh & improve output formatting

2016-05-21 Thread openvpn-devel
Rationale:
* Cleanup code
* Prepare for better automated integration tests (future)

Move global code into separate functions. Fixup formatting of code. 
Also add table output formatting to t_client.sh:

| ID | TEST| RESULT   |
| -- | --- |  |
|  1 | testing tun/udp/ipv4| [SUCCESS]|
|  2 | testing tun/udp/ipv4 with pam   | [FAIL: 5 fails]  |
| -- | --- |  |
Test sets succeded: 1.
Test sets failed: 2.

For easier review these patches have also been provided via GitHub pull 
request: 
https://github.com/OpenVPN/openvpn/pull/49

Due to moving code around and indentation changes, this patch looks rather large:
 1 file changed, 267 insertions(+), 180 deletions(-).





[Openvpn-devel] Add unit testing support

2016-05-25 Thread openvpn-devel
This is a series of two patches that add unit testing support to openvpn.

See https://github.com/OpenVPN/openvpn/pull/44 for a discussion.

Thanks to syzzer for his nitty-gritty review!

Jens




[Openvpn-devel] [PATCH 1/2] Add unit testing support via cmocka

2016-05-25 Thread openvpn-devel
From: Jens Neuhalfen 

cmocka [1,2] is a testing framework for C. Adding unit test capabilities to the
openvpn repository will greatly ease the task of writing correct code.

cmocka source code is added as git submodule in ./vendor. A submodule approach
has been chosen over a classical library dependency because libcmocka is not
available, or only available in very old versions (e.g. on Ubuntu).

cmocka is built during 'make check' and installed in vendor/dist/.

[1] https://cmocka.org/
[2] https://lwn.net/Articles/558106/

Signed-off-by: Jens Neuhalfen 
---
 .gitmodules   |  4 +++
 Makefile.am   |  2 +-
 configure.ac  | 16 +++
 tests/Makefile.am |  3 +-
 tests/unit_tests/.gitignore   |  1 +
 tests/unit_tests/Makefile.am  |  3 ++
 tests/unit_tests/README.md| 40 ++
 tests/unit_tests/example_test/Makefile.am | 13 +
 tests/unit_tests/example_test/README.md   |  3 ++
 tests/unit_tests/example_test/test.c  | 47 +++
 tests/unit_tests/example_test/test2.c | 22 +++
 vendor/.gitignore |  2 ++
 vendor/Makefile.am| 24 
 vendor/README.md  |  9 ++
 vendor/cmocka |  1 +
 15 files changed, 188 insertions(+), 2 deletions(-)
 create mode 100644 .gitmodules
 create mode 100644 tests/unit_tests/.gitignore
 create mode 100644 tests/unit_tests/Makefile.am
 create mode 100644 tests/unit_tests/README.md
 create mode 100644 tests/unit_tests/example_test/Makefile.am
 create mode 100644 tests/unit_tests/example_test/README.md
 create mode 100644 tests/unit_tests/example_test/test.c
 create mode 100644 tests/unit_tests/example_test/test2.c
 create mode 100644 vendor/.gitignore
 create mode 100644 vendor/Makefile.am
 create mode 100644 vendor/README.md
 create mode 16 vendor/cmocka

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000..e9c6388
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "vendor/cmocka"]
+   path = vendor/cmocka
+   url = git://git.cryptomilk.org/projects/cmocka.git
+   branch = master
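Review bot: The submodule URL uses the `git://` transport, which is neither encrypted nor authenticated, so the initial clone can be redirected or tampered with on the network; the superproject pins the submodule to a commit (the `create mode 16 vendor/cmocka` gitlink in the diffstat) which largely reduces the exposure to a failed or denied fetch, but the same path over `https://` is the safer default for a vendored dependency. `branch = master` only matters for `git submodule update --remote`, and then it tracks an unreviewed moving target; pinning the gitlink to a release tag and recording that cmocka version in vendor/README.md would keep the dependency auditable.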
diff --git a/Makefile.am b/Makefile.am
index 66d9f23..364785c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -54,7 +54,7 @@ BUILT_SOURCES = \
config-version.h
 endif

-SUBDIRS = build distro include src sample doc tests
+SUBDIRS = build distro include src sample doc vendor tests

 dist_doc_DATA = \
README \
diff --git a/configure.ac b/configure.ac
index 97ad856..fb3fa3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1198,6 +1198,19 @@ sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])

+VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
+VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
+VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build"
+AC_SUBST([VENDOR_SRC_ROOT])
+AC_SUBST([VENDOR_BUILD_ROOT])
+AC_SUBST([VENDOR_DIST_ROOT])
+
+TEST_LDFLAGS="-lcmocka -L\$(abs_top_builddir)/vendor/dist/lib 
-Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib"
+TEST_CFLAGS="-I\$(top_srcdir)/include 
-I\$(abs_top_builddir)/vendor/dist/include"
+
+AC_SUBST([TEST_LDFLAGS])
+AC_SUBST([TEST_CFLAGS])
+
 AC_CONFIG_FILES([
version.sh
Makefile
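Review bot: In `TEST_LDFLAGS` the library `-lcmocka` precedes the `-L` path that provides it; GNU ld applies `-L` options regardless of position, but other linkers and libtool can process them in order, so `TEST_LDFLAGS="-L\$(abs_top_builddir)/vendor/dist/lib -Wl,-rpath,\$(abs_top_builddir)/vendor/dist/lib -lcmocka"` is the portable spelling (and automake's convention would put `-lcmocka` in `LDADD`/`LIBS` rather than LDFLAGS). The same `vendor/dist` path is then written out twice instead of reusing the `VENDOR_DIST_ROOT` substitution defined three lines above, and `VENDOR_SRC_ROOT` ends in a slash while its two siblings do not, so `$VENDOR_SRC_ROOT/x` and `$VENDOR_DIST_ROOT/x` expand differently. The rpath bakes the build directory into the test drivers, which is acceptable for `make check` but worth a one-line comment so nobody installs them expecting relocatable binaries.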
@@ -1216,6 +1229,9 @@ AC_CONFIG_FILES([
src/plugins/auth-pam/Makefile
src/plugins/down-root/Makefile
tests/Makefile
+tests/unit_tests/Makefile
+tests/unit_tests/example_test/Makefile
+vendor/Makefile
sample/Makefile
doc/Makefile
 ])
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b7980e0..2cba9e6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -12,6 +12,8 @@
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in

+SUBDIRS = unit_tests
+
 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh

 TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)"
@@ -20,4 +22,3 @@ TESTS = $(test_scripts)
 dist_noinst_SCRIPTS = \
$(test_scripts) \
t_cltsrv-down.sh
-
diff --git a/tests/unit_tests/.gitignore b/tests/unit_tests/.gitignore
new file mode 100644
index 000..8655de8
--- /dev/null
+++ b/tests/unit_tests/.gitignore
@@ -0,0 +1 @@
+*_testdriver
diff --git a/tests/unit_tests/Makefile.am b/tests/unit_tests/Makefile.am
new file mode 100644
index 000..18267bd
--- /dev/null
+++ b/tests/unit_tests/Makefile.am
@@ -0,0 +1,3 @@
+AUTOMAKE_OPTIONS = foreign
+
+SUBDIRS = example_test
diff --git a/tests/unit_tests/README.md b/tests/unit_tests/README.md
new file mode 100644
index 000..ef81b23
--- /dev/null
+++ b/tests/unit_tests/README.md
@@ -0,0 +1,40 @@
+Unit Tests
+===
+
+This directory contains unit tests for openvpn. New features/bugfixes should 
be written in a test friendly way and come with corresponding tests.
+
+Run tests
+--
+
+Tests are run by `make check`. A failed tes

[Openvpn-devel] [PATCH 2/2] Add a test for auth-pam searchandreplace

2016-05-25 Thread openvpn-devel
From: Jens Neuhalfen 

No functional changes.

Utility functions of auth-pam are split into a dedicated file. This allows
the test programs to easily test these functions without adding dependencies.

Add a minimal test for searchandreplace as a proof of concept.

Signed-off-by: Jens Neuhalfen 
---
 configure.ac   |   2 +
 src/plugins/auth-pam/Makefile.am   |   1 +
 src/plugins/auth-pam/auth-pam.c|  91 +
 src/plugins/auth-pam/utils.c   | 113 +
 src/plugins/auth-pam/utils.h   |  54 ++
 tests/unit_tests/Makefile.am   |   2 +-
 tests/unit_tests/plugins/Makefile.am   |   3 +
 tests/unit_tests/plugins/auth-pam/Makefile.am  |  12 +++
 .../plugins/auth-pam/test_search_and_replace.c |  79 ++
 9 files changed, 266 insertions(+), 91 deletions(-)
 create mode 100644 src/plugins/auth-pam/utils.c
 create mode 100644 src/plugins/auth-pam/utils.h
 create mode 100644 tests/unit_tests/plugins/Makefile.am
 create mode 100644 tests/unit_tests/plugins/auth-pam/Makefile.am
 create mode 100644 tests/unit_tests/plugins/auth-pam/test_search_and_replace.c

diff --git a/configure.ac b/configure.ac
index fb3fa3c..5e69f91 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1230,6 +1230,8 @@ AC_CONFIG_FILES([
src/plugins/down-root/Makefile
tests/Makefile
 tests/unit_tests/Makefile
+tests/unit_tests/plugins/Makefile
+tests/unit_tests/plugins/auth-pam/Makefile
 tests/unit_tests/example_test/Makefile
 vendor/Makefile
sample/Makefile
diff --git a/src/plugins/auth-pam/Makefile.am b/src/plugins/auth-pam/Makefile.am
index 2aef311..e6dc27e 100644
--- a/src/plugins/auth-pam/Makefile.am
+++ b/src/plugins/auth-pam/Makefile.am
@@ -18,6 +18,7 @@ dist_doc_DATA = README.auth-pam
 endif

 openvpn_plugin_auth_pam_la_SOURCES = \
+   utils.c \
auth-pam.c \
pamdl.c  pamdl.h \
auth-pam.exports
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 710accc..5ad3ec8 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -39,7 +39,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -48,7 +47,7 @@
 #include 
 #include 
 #include 
-#include 
+#include "utils.h"

 #include 

@@ -117,94 +116,6 @@ struct user_pass {
 /* Background process function */
 static void pam_server (int fd, const char *service, int verb, const struct 
name_value_list *name_value_list);

-/*  Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' 
and return
- *  a pointer to the NEW string.  Does not modify the input strings.  Will not 
enter an
- *  infinite loop with clever 'searchfor' and 'replacewith' strings.
- *  Daniel Johnson - progman2...@usa.net / djohn...@progman.us
- *
- *  Retuns NULL when
- *   - any parameter is NULL
- *   - the worst-case result is to large ( >= SIZE_MAX)
- */
-static char *
-searchandreplace(const char *tosearch, const char *searchfor, const char 
*replacewith)
-{
-  if (!tosearch || !searchfor || !replacewith) return NULL;
-
-  size_t tosearchlen = strlen(tosearch);
-  size_t replacewithlen = strlen(replacewith);
-  size_t templen = tosearchlen * replacewithlen;
-
-  if (tosearchlen == 0 || strlen(searchfor) == 0 || replacewithlen == 0) {
-return NULL;
-  }
-
-  bool is_potential_integer_overflow =  (templen == SIZE_MAX) || (templen / 
tosearchlen != replacewithlen);
-
-  if (is_potential_integer_overflow) {
-   return NULL;
-  }
-
-  // state: all parameters are valid
-
-  const char *searching=tosearch;
-  char *scratch;
-
-  char temp[templen+1];
-  temp[0]=0;
-
-  scratch = strstr(searching,searchfor);
-  if (!scratch) return strdup(tosearch);
-
-  while (scratch) {
-strncat(temp,searching,scratch-searching);
-strcat(temp,replacewith);
-
-searching=scratch+strlen(searchfor);
-scratch = strstr(searching,searchfor);
-  }
-  return strdup(temp);
-}
-
-/*
- * Given an environmental variable name, search
- * the envp array for its value, returning it
- * if found or NULL otherwise.
- */
-static const char *
-get_env (const char *name, const char *envp[])
-{
-  if (envp)
-{
-  int i;
-  const int namelen = strlen (name);
-  for (i = 0; envp[i]; ++i)
-   {
- if (!strncmp (envp[i], name, namelen))
-   {
- const char *cp = envp[i] + namelen;
- if (*cp == '=')
-   return cp + 1;
-   }
-   }
-}
-  return NULL;
-}
-
-/*
- * Return the length of a string array
- */
-static int
-string_array_len (const char *array[])
-{
-  int i = 0;
-  if (array)
-{
-  while (array[i])
-   ++i;
-}
-  return i;
-}

 /*
  * Socket read/write functions.
diff --git a/src/plugins/auth-pam/utils.c b/src/plugins/auth-pam/utils.c
new file mode 100644
index 00

[Openvpn-devel] CBC mode attack

2010-12-23 Thread travis+ml-openvpn-devel
Hey guys...

Was wondering if you were familiar with this:

http://news.ycombinator.com/item?id=2029640

And, well... it sounded really familiar:

http://www.mail-archive.com/cryptography@metzdowd.com/msg07521.html
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




[Openvpn-devel] suggested config settings for wifi?

2011-12-08 Thread travis+ml-openvpn-devel
See attach.

I'm wondering, with the default settings (used via Ubuntu's
network-manager, though that isn't really relevant I think), why I
keep getting timeouts.  I can ping the box.  It seems to work 1 out of
every 5 times, so it's not a packet filter blocking me.

Is there any setting I can set?

TY
-- 
http://www.subspacefield.org/~travis/ | A real man does not think of victory
or defeat.  He plunges recklessly towards an irrational death. -- Hagakure
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
--- Begin Message ---
I'm getting a lot of "timeout exceeded" responses when trying to do
VPN over WiFi... sometimes it takes 4-5 attempts, especially when
doing WiFi->4G->wired connections.

Any suggested settings to make it more tolerant of
timeouts/retransmits?
-- 
http://www.subspacefield.org/~travis/
"Sweeney? It doesn't exactly sound like a super-villain's... y'know, cool name"
If you are a spammer, please email j...@subspacefield.org to get blacklisted.


--
--- End Message ---




[Openvpn-devel] Unsubscribe

2017-06-16 Thread smitco via Openvpn-devel
Sent from ProtonMail Mobile

On Thu, Jun 15, 2017 at 8:00 PM,  
wrote: Send Openvpn-devel mailing list submissions to 
openvpn-devel@lists.sourceforge.net To subscribe or unsubscribe via the World 
Wide Web, visit https://lists.sourceforge.net/lists/listinfo/openvpn-devel or, 
via email, send a message with subject or body 'help' to 
openvpn-devel-requ...@lists.sourceforge.net You can reach the person managing 
the list at openvpn-devel-ow...@lists.sourceforge.net When replying, please 
edit your Subject line so it is more specific than "Re: Contents of 
Openvpn-devel digest..." Today's Topics: 1. Re: Bug or Feature? Username in 
environment in auth-user-pass-verify (Steven Haigh) 2. Re: Bug or Feature? 
Username in environment in auth-user-pass-verify (David Sommerseth) 3. Re: Bug 
or Feature? Username in environment in auth-user-pass-verify (Antonio 
Quartulli) 4. Re: W10 Client assigns old AND new IPv6 address to TAP with 
GUI+Service but not with cmd prompt (debbie10t) 
-- Message: 
1 Date: Fri, 16 Jun 2017 02:11:48 +1000 From: Steven Haigh  To: 
openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] Bug or 
Feature? Username in environment in auth-user-pass-verify Message-ID: 
<1649446.b7buzjz...@dhcp-10-1-1-119.lan.crc.id.au> Content-Type: text/plain; 
charset="utf-8" On Thursday, 15 June 2017 5:47:39 PM AEST Gert Doering wrote: > 
Hi, > > On Thu, Jun 15, 2017 at 12:50:40PM +1000, Steven Haigh wrote: > > I'm 
just trying to figure out if its expected behaviour to have the > > 'username' 
set in the environment when using the auth-user-pass-verify > > script. > > The 
code in question (ssl_verify.c) is older than the involvement of > any of the 
currently-active developers... but JJK or Ecrist might know. > > Anyway, what 
the code *says* is: > > ssl_verify.c, about line 1095: > > 
verify_user_pass_script(...) > { > ... > /* Set environmental variables prior 
to calling script */ > if (session->opt->auth_user_pass_verify_script_via_file) 
> { > ... (no setenv here) > } > else > { > setenv_str(session->opt->es, 
"username", up->username); > setenv_str(session->opt->es, "password", 
up->password); > } > > > so, yes, that is what it *does* - "username" is only 
ever set together > with "password", and that's only setenv'ed if you do not 
use "via-file". > > Now, that is about calling the --verify-auth-user-pass, but 
I think the > "es" (environment set) being affected here is the global 
per-connection > es (not something local to this function), so that would 
affect > --client-connect as well. > > [..] > > > The auth-user-pass-verify 
documentation states: > > If method is set to "via-env", OpenVPN will call 
script with the > > environmental variables username and password set to the > 
> username/password strings provided by the client. Be aware that this > > 
method is insecure on some platforms which make the environment of a > > 
process publicly visible to other unprivileged processes. > > This "some 
platforms" actually something we should eventually verify > and clearly 
spell-out - because Linux and all recent BSDs do *not* show > the environment 
to other unprivileged users. > > [..] > > > No mention of the username env 
variable when using via-file - but this > > gives me the impression that the 
username should *not* be set in the > > environment - but it should be in the 
file. > > > > So - bug or feature? > > Username and Password are always handled 
in tandem when talking about > --auth-user-pass-verify, so "both in 
environment" or "none of them". > > Now, if you use a *plugin* (or the 
management interface), the code will > always set both in the es, and delete 
the password(!) afterwards, leaving > the username intact... > > > Looking from 
a given distance, I'd say that this is a bug, and "username" > should propably 
be always visible in the es (if present), while password > should not. > > > If 
you want to experiment: go to ssl_verify.c, and move the line 1123 > (master) 
outside the else {} block: > > old: > > else > { > setenv_str(session->opt->es, 
"username", up->username); > setenv_str(session->opt->es, "password", 
up->password); > } > > new: > > else > { > setenv_str(session->opt->es, 
"password", up->password); > } > setenv_str(session->opt->es, "username", 
up->username); > > ... then it should show up in 

[Openvpn-devel] Openvpn

2018-10-29 Thread Joeasj via Openvpn-devel



Sent from my iPhone





[Openvpn-devel] obfs4proxy-openvpn: A Bash script for obfuscating OpenVPN traffic using obfs4

2019-01-17 Thread Hamy via Openvpn-devel
Hi,



I have developed a bash script to make openvpn work with obfs4. It's hosted on 
github: https://github.com/HRomie/obfs4proxy-openvpn



It might be worth updating the obfuscation article article and include it: 
https://community.openvpn.net/openvpn/wiki/TrafficObfuscation



Regards,

Hamy


Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-22 Thread André via Openvpn-devel
Hi,


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Monday 22 June 2020 18:58, Selva Nair  wrote:

> On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth dav...@openvpn.net wrote:
>
> > This change makes the server use AES-256-GCM instead of BF-CBC as the
> > default cipher for the VPN tunnel when starting OpenVPN via systemd
> > and the openvpn-server@.service unit file.
> > To avoid breaking existing running configurations defaulting to BF-CBC,
> > the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in
> > addition to AES-CBC. This makes it possible to migrate existing older
> > client configurations one-by-one to use at least AES-CBC unless the
> > client is updated to v2.4 or newer (which defaults to upgrade to
> > AES-GCM automatically)
> > This has been tested in Fedora 27 (released November 2017) with no
> > reported issues. By making this default for all Linux distributions
> > with systemd shipping with the unit files we provide, we gradually
> > expand setups using this possibility. As we gather experience from
> > this change, we can further move these changes into the defaults of
> > the OpenVPN binary itself with time.
> >
> > Signed-off-by: David Sommerseth dav...@openvpn.net
> >
> > ---
> >
> > Changes.rst | 15 +++
> > distro/systemd/openvpn-ser...@.service.in | 2 +-
> > 2 files changed, 16 insertions(+), 1 deletion(-)
> > diff --git a/Changes.rst b/Changes.rst
> > index 00dd6ed8..e76d3c73 100644
> > --- a/Changes.rst
> > +++ b/Changes.rst
> > @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support
> > channel.
> > +User-visible Changes
> > +
> > +New default cipher for systemd based Linux distributions
> >
> > -   For Linux distributions with systemd which packages the systemd unit 
> > files
> > -   from the OpenVPN project, the default cipher is now changed to 
> > AES-256-GCM,
> > -   with BF-CBC as a fallback through the NCP feature. This change has been
> > -   tested successfully since the Fedora 27 release (released November 
> > 2017).
> > -
> > -   WARNING This MAY break configurations where the client uses
> > -  ``--disable-occ`` feature where the ``--cipher`` has
> >
> >
> > -  not been explicitly configured on both client and
> >
> >
> > -  server side.  It is recommended to remove the 
> > ``--disable-occ``
> >
> >
> > -  option *or* explicitly add ``--cipher AES-256-GCM`` on 
> > the
> >
> >
> > -  client side if ``--disable-occ`` is strictly needed.
> >
> >
> > -
> >
> > Overview of changes in 2.4
> >
> > ===
> >
> > diff --git a/distro/systemd/openvpn-ser...@.service.in 
> > b/distro/systemd/openvpn-ser...@.service.in
> > index d1cc72cb..f3545ff5 100644
> > --- a/distro/systemd/openvpn-ser...@.service.in
> > +++ b/distro/systemd/openvpn-ser...@.service.in
> > @@ -10,7 +10,7 @@ 
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
> > Type=notify
> > PrivateTmp=true
> > WorkingDirectory=/etc/openvpn/server
> > -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
> > --status-version 2 --suppress-timestamps --config %i.conf
> > +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
> > --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers 
> > AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
>
> This is why I keep my openvpn servers out of systemd's view -- it
> keeps deciding what's good for us. I want to run my configs as is.
>
> Selva
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Sorry for the noise in advance but I agree.
No idea how to keep it out of systemd's view :) but I change the line to
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --config %i.conf
and do everything in %i.conf
No unexpected configuration behaviour that way like missing timestamps in log.

Pippin




[Openvpn-devel] Wiki: PluginOverview

2020-07-17 Thread André via Openvpn-devel
Hi,

Regarding radius plugin: 
https://community.openvpn.net/openvpn/wiki/PluginOverview
The source is here: https://www.nongnu.org/radiusplugin/

Edited Wiki page.

W.k.r
Pippin



Sent with ProtonMail Secure Email.




[Openvpn-devel] Regarding deprecation of --route-nopull

2020-07-23 Thread André via Openvpn-devel
Hi,

Regarding,
 
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull
 "Openvpn devs would like to know if you use this option".

Many pfSense users use this option to policy route.


P.S.
Made a feature request at pfSense Redmine to add --pull-filter six months ago.

W.k.r.
Pippin




Re: [Openvpn-devel] Regarding deprecation of --route-nopull

2020-07-23 Thread André via Openvpn-devel
Hi,


> Am 23.07.2020 um 20:14 schrieb André via Openvpn-devel:
>
> > Hi,
> > Regarding,
> > https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull
> > "Openvpn devs would like to know if you use this option".
> > Many pfSense users use this option to policy route.
>
> I would also vote for keeping this option.

I did not vote ;) but ok will give my Senf :)


> Yes you can emulate the
> option by using a number of pull-filter lines but that feels like not a
> good user experience.

One could also say that --route-nopull does more than just barring routes.
--pull-filter is specific, I would prefer that.


> Also route-pull works in both OpenVPN 2.x and 3.x
> clients while pull-filter is currently 2.x only.

Could change in 3.x too I guess.


W.k.r.
Pippin




Re: [Openvpn-devel] [PATCH] Document that --push-remove is generally more suitable than --push-reset

2020-09-08 Thread André via Openvpn-devel
Hi,

My vote would be to deprecate --push-reset
(same for --route-nopull)


André


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Tuesday 8 September 2020 18:41, Arne Schwabe  wrote:

> Am 08.09.20 um 18:35 schrieb Gert Doering:
>
> > Hi,
> > On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> >
> > > It would be good if --push-reset would actually not remove certain 
> > > critical
> > > options, but this is anyhow a good heads-up for our users.
> >
> > Well, that ticket sat there 10 years (!!) waiting for someone to go
> > and implement it... 6 years it sat on your lap, 4 years on mine (or so),
> > so it looks like this is not going to happen any time soon.
>
> It also feels like a feature from a different area when pushed options
> were few and not as essential to OpenVPN. It would remove/deprecate that
> feature instead of trying to figure out how it should now.
>
> Arne
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel





[Openvpn-devel] Fw: Re: [Openvpn-users] Problem with service on windows server

2022-06-28 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Forwarding to openvpn-devel, as requested.

CC'ing -users FTR.

--- Original Message ---
On Tuesday, June 28th, 2022 at 02:59, Selva Nair  wrote:


> Hi,
>
>
> >
> > the \\config-auto folder is only created if the 'openVPN Service' is
> > selected *manually* during installation.
>
>
> We need to install the automatic service without manual intervention. Is this 
> also the behaviour on a fresh install instead of an update? The logic for 
> installing the service was complicated from start because we wanted to detect 
> when automatic service should be set to autostart, migrate configs into 
> config-auto if required etc. during an update. But, in the process, it seems 
> we have somehow ended up not installing it by default.
>
> Actually, always installing and even setting its startup to auto should be 
> safe now as we have a folder exclusively meant for auto-start ones 
> (config-auto). This was not the case with older versions.
>
> Selva
>
>
>
> >
> > However, the 'Interactive-Service' *is* installed by default.
> >
> > This feels *needlessly* complicated.
> >
> > As a long-time Windows user, I am much more accustomed to turning options
> > which I do not want OFF than I am turning options which I do want ON.
> >
> > Also, the installer does not have the customary:
> > * FULL (Default)
> > * Standard - This could be renamed 'CLIENT ONLY', if that is the intention 
> > ..
> > * Custom - Debugging ..
> > * Advertiser sponsored - This is common enough.
> >
> > which I would normally "hope" to see from a well behaved .msi installer.
> >
> > my2c
> >
> >
> >
> > --- Original Message ---
> > On Monday, June 27th, 2022 at 22:49, tincantech  
> > wrote:
> >
> >
> > > Correction: 2.5.7-I602 not 2.5.5
> > >
> > > --- Original Message ---
> > > On Monday, June 27th, 2022 at 22:35, tincantech via Openvpn-users 
> > > openvpn-us...@lists.sourceforge.net wrote:
> > >
> > >
> > >
> > > > Hi,
> > > >
> > > > I must point this out:
> > > >
> > > > 
> > > >
> > > > > > > > I am setting up an OpenVPN server on a windows server for a
> > > > > > > > client, but ran into the problem where the openvpn service in
> > > > > > > > services doesn’t pick up the config files I placed into the
> > > > > > > > C:\Program Files\Openvpn\config folder.
> > > > > > > >
> > > > > > > > I can start the server from the command line just fine and also
> > > > > > > > from the openvpn-gui client, but when I start the openvpn 
> > > > > > > > service
> > > > > > > > in services, the service starts and stays running, but the 
> > > > > > > > server
> > > > > > > > isn’t listening for incoming connections.
> > > >
> > > > 
> > > >
> > > > It is not clear if the following point affects the OP, however ..
> > > >
> > > > The correct folder for auto-start is:
> > > > C:\Program Files\Openvpn\config-auto
> > > >
> > > > However, this directory and the README are not installed using 
> > > > 2.5.5-I602.
> > > >
> > > > This could be due to recent changes.
> > > >
> > > > --
> > >
> > >
> > > 
> > -BEGIN PGP SIGNATURE-
> > Version: ProtonMail
> >
> > wsBzBAEBCAAGBQJiujWDACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
> > 9muQuJ2LYAf/Vh4nss7ejL0d+H6gCyxryTURfwoCPL60mfdqXYWuXIBHN19c
> > rB5lMr3oa9yzx3MU4ga6zBQzbXlwEw3F7wGVokqNDP1u+BSzjQIIYZsC2QBD
> > wdQMa2wdAIOpwwUml3DIyuz68vFmotXYp37DcafHt/tgTyWLNcaXrLSopM7K
> > ICwjKFrJ0Wd3Fz9eqMMBMeOimYFCMlqNbYqUWur3Ve9GNMuaou6pURo0X0+e
> > Gqmxo7QoGDPVYR59NXL2LQTO8mCAVRkd/9oAUbmpP7d/XuKMBPoPo/gcChx6
> > k1NGhNQR8DqsyK8vA/xFCIiBhg78NfgZMY2qk0Iq4heyGi+z5KZc0A==
> > =2LbF
> > -----END PGP SIGNATURE-
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJiuy/qACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0E5ggArCAVCZwbhBOt6w+JsZj76USHN7enjWo0OG24qB+BzfOjhZOx
r14C1jCZmGydSS7MIjgYy0Toj3Al7N+6ZUwFwzm8h13x23KQIkyAd2lG2kIs
zxMRooKIpMmoE/HYF88RCSM5whsJjPVcHJ6VV8tkNnibCnUcTj5h4Mog6TRQ
EXv622Hen23tGjWUWU8GV2qXk/PRuDF31VEhs0+nQ7DitVolZe2NMawPdtVl
W0Z7KBuW2c7R5TjCqWeOAzjSqSocoF/SOAY19kSTDqN2zhvsyM1DOlUgI7UC
15elTAQj2Y9H/Jp8o2mlf93rCOS5f6uRhyQ8NYYp7wc4JB00gURl/w==
=7ZIh
-END PGP SIGNATURE-




[Openvpn-devel] New option --suppress-auth-cache-warning

2022-07-01 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

ref: https://forums.openvpn.net/viewtopic.php?t=34461

Food for thought..

R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJiv25tACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3+uQf8C4svn9uGUDXcjPAohtlnw0/w3WjQI1yY3cHjGTro6KhEJpmB
G5og6sOD5jyT3f0wYy3sRaYxEpcA5+DR2XWKLrwtRJNfPPdAhJjs6nX8iI+e
/aHvInARZ7ua8QUx07y60JLy+cXThZWWhX4KrAFCV45DQEZaHA/qYAenLL3X
VcofwBNl2lXf9tr96wU8dcp3ntH0HOkB9wa1E6GpN8wyI36ZcLcx0niZUFBw
4tKa75Mix4dPEd6Oxnh0mnDD0dVSfaV9mJTL86JwtYwnCUG9dLaj2dps2alt
edpjMtYwTSiQPZi5YBxqc1ICoMzNyuZxEQOb4/bGCj3DJCioYy8r1A==
=AASZ
-END PGP SIGNATURE-




Re: [Openvpn-devel] Possible bug?

2022-08-18 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi Magnus,

can you report this as an issue on github, please ?

https://github.com/OpenVPN/easy-rsa/issues

My first guess would be that OpenSSL version 3.0.1 is at fault.

Thanks,
Richard



Sent with Proton Mail secure email.

--- Original Message ---
On Thursday, August 18th, 2022 at 02:37, Magnus Larsson via Openvpn-devel 
 wrote:


> Hi,
> I just moved from Ubuntu 20.04 LTS (where the exact command works fine and 
> does not prompt for pass phrase) to Red Hat Enterprise Linux 9 and installed 
> Easy-RSA via EPEL.
>
> When I run ./easyrsa build-ca nopass as root, it still prompts for PEM pass 
> phrase:
>
>
> # ./easyrsa build-ca nopass
> Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 
> 2021)
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> 80DB8DBF7D7F:error:0480006D:PEM routines:PEM_def_callback:problems 
> getting password:crypto/pem/pem_lib.c:62:
> 80DB8DBF7D7F:error:07880109:common libcrypto 
> routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:175:
> 80DB8DBF7D7F:error:1C80009F:Provider routines:p8info_to_encp8:unable to 
> get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:
>
>
>
>
> # ./easyrsa --version
> EasyRSA Version Information
> Version:     3.0.8
> Generated:   Wed Sep  9 15:59:45 CDT 2020
> SSL Lib:     OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
> Git Commit:  f12e00e53b4f486ce3d119ca429198780fa694ac
> Source Repo: https://github.com/OpenVPN/easy-rsa
>
>
>
>
> # ls -l
> total 8
> lrwxrwxrwx 1 root root   29 Aug 17 18:56 easyrsa -> 
> /usr/share/easy-rsa/3/easyrsa
> lrwxrwxrwx 1 root root   41 Aug 17 18:56 openssl-easyrsa.cnf -> 
> /usr/share/easy-rsa/3/openssl-easyrsa.cnf
> drwx-- 9 root root 4096 Aug 17 20:10 pki
> -rw-r--r-- 1 root root  332 Aug 17 18:56 vars
> lrwxrwxrwx 1 root root   36 Aug 17 18:56 vars.example -> 
> /usr/share/doc/easy-rsa/vars.example
> lrwxrwxrwx 1 root root   32 Aug 17 18:56 x509-types -> 
> /usr/share/easy-rsa/3/x509-types
>
>
>
>
> # cat /etc/os-release
> NAME="Red Hat Enterprise Linux"
> VERSION="9.0 (Plow)"
> ID="rhel"
> ID_LIKE="fedora"
> VERSION_ID="9.0"
> PLATFORM_ID="platform:el9"
> PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)"
> ANSI_COLOR="0;31"
> LOGO="fedora-logo-icon"
> CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
> HOME_URL="https://www.redhat.com/";
> DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/";
> BUG_REPORT_URL="https://bugzilla.redhat.com/";
>
>
> REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
> REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
> REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
> REDHAT_SUPPORT_PRODUCT_VERSION="9.0"
>
>
>
>
> # dnf repolist
> Updating Subscription Management repositories.
> repo id                                                                    
> repo name
> codeready-builder-for-rhel-9-x86_64-rpms                                   
> Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)
> epel                                                                       
> Extra Packages for Enterprise Linux 9 - x86_64
> rhel-9-for-x86_64-appstream-rpms                                           
> Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
> rhel-9-for-x86_64-baseos-rpms                                              
> Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
>
>
>
>
> # getenforce
> Disabled
>
>
>
>
> # uname -a
> Linux test 5.14.0-70.22.1.el9_0.x86_64 #1 SMP PREEMPT Tue Aug 2 10:02:12 EDT 
> 2022 x86_64 x86_64 x86_64 GNU/Linux
>
>
>
> Let me know if you need additional information.
>
> Thanks,
> Magnus
>
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJi/gHXACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3FpAf9FRWGhWLwzc8ONkqdMM0yts3GHGMhQ6ZqzILJjLh4Udgn5NlI
IV7InwTHZZm7IE6q4IWhzSqGA/KjIc23Xydsz29Vh0BDoDDZemeXkjYdxCQd
gRDIMuzMLTqCQIoI9FqeWKKQW9r5cG9qwIpUwiBh2BUmub2D0hb7P0SVEWur
+moGPLU1neXIhlL2F6hbTqtl/wNxr2V5qLfODrRJpiEyKQNa1C8GvvqXJR2r
BYRA2vyoFIGn+krBMBb2lcExGhioWr4gzecFolqOin9e/i3pCCii1Xl4/XI5
BqHP31VoNmc88CLmOhSn/At3kagcnou9WDsA8DbJabW1/MPeGjKpXQ==
=ukTL
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v5 2/3] Allow setting control channel packet size with max-packet-size

2022-10-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

Plus one more typo.

Sent with Proton Mail secure email.

--- Original Message ---
On Thursday, October 20th, 2022 at 11:05, Arne Schwabe  wrote:



> diff --git a/src/openvpn/common.h b/src/openvpn/common.h
> index b94680885..dce6fd01d 100644
> --- a/src/openvpn/common.h
> +++ b/src/openvpn/common.h
> @@ -68,6 +68,19 @@ typedef unsigned long ptr_type;
> /
> #define TLS_CHANNEL_BUF_SIZE 2048
> 
> +/ TLS control buffer minimum size. This size is not actually inherent to
> + * the OpenVPN protocol. But with our current sending window being 6 and the
> + * receive window being 8 or 12 depending on the OpenVPN version, the biggest
> + * payload we can send is 6 * min_size. And we need to support to send 
> payloads
> + * of TLS_CHANNEL_BUF_SIZE. Splitting this into more than
> + * 6 packets (with overhead) would complicate our sending logic a lot more.
> + * Diving TLS_CHANNEL_BUF_SIZE (2048) by 6 gets us ~342 byte. Allowing for

Diving -> Dividing

> + * ~100 bytes of overhead (in OpenVPN headers + IP headers) and rounding
> + * up to the next "nice" number gives use 512.
> + *
> + * /

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJjUS1fACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2mxAf/afXklJAMoPqLoelxi8mF7hq97b3Eky6iB+zqiGXhOxBjVOKC
F6BpNk2uxCUkNSU9FPaLDTMurKuGe6p5+YSdHQh13EzZkx/vehBce4/+OWZ5
nInvafaUbtAI0LqHZvcNhjB2LQcci2MUyw6duok1V43LRdYFZ0ohk4/o+HZ7
6vrij4xNLO1BHhc91CKS0Gm9ZierXPHS8vmAc6ssrhhhq8eFetVq58S7dhyQ
ISx8xg20MnqjynmDjpOVgbxKW00+OBTK5NWGLEXd5effQjgdz4qEv5MBoS4V
sNdvCBw4tU/GrZdYlBihcQf2h6tgGJ0DxEu4qiF0Tg1h81rrEHSahw==
=8tPU
-END PGP SIGNATURE-




Re: [Openvpn-devel] OpenVPN 2.6.0 released

2023-01-27 Thread André via Openvpn-devel
Hi,

So the download link in the Forum Announcement should be corrected?
https://forums.openvpn.net/viewtopic.php?t=35260






Sent with Proton Mail secure email.

--- Original Message ---
On Friday, January 27th, 2023 at 01:53, David Sommerseth 
 wrote:


> On 25/01/2023 20:50, Frank Lichtenheld wrote:
> [...snip...]
> 
> > On Red Hat derivatives we recommend using the Fedora Copr repository.
> > 
> > https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
> 
> 
> 
> A slight update here. The repo above will be preserved for OpenVPN 2.5
> releases. A new repository for OpenVPN 2.6 has been published:
> 
> https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/
> 
> 
> 
> --
> kind regards,
> 
> David Sommerseth
> OpenVPN Inc
> 
> 
> 
> 




Re: [Openvpn-devel] IRC community meeting summary (Feb 14th)

2024-02-14 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

On Wednesday, 14 February 2024 at 15:22, Frank Lichtenheld 
 wrote:

> Meeting summary for 14 February 2024:



> * New: Easy-rsa in Windows installers
> easy-rsa has included pre-built Windows binaries for a long time. But with
> Windows 11 they do not seem to work correctly anymore in some cases.

Just to clarify:
Easy-RSA works perfectly as-is on W10 & W11 but requires Windows Admin access.
Without Windows Admin access, Easy-RSA on W11 does not work with the now 10-year-old
MKSH:sh.exe.

This is annoying but it isn't a complete deal-breaker.

Regards
tct
-- 

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAnBYJlzPXJCZBPl5z2a5C4nRYhBAm8PURno41yecVVVU+XnPZr
kLidAAC+Cwf+P7EBDJirKoBXV/SsOrzfNfFSR2hVOCqSN9jwFs+TIv/kD+UN
eOT87L5EW3x/EpF0hRyNy0g83ePdR1ESN4C4mP1Jm9QJZzKgXX44uO4XH5C3
4FXWj/06vQRoaTO5Lk8Y+caLFn9kmpq57JCkorPOI3RjDIwcJcgZ66FweAY2
prSSCj33fzuGoJMWfdXfF4pEu55cV1Iawar2acYJOLlpn0NTFNtyqzVoC8lv
k5FDHjzFuTooBvJ4g2hR8KDctaS/3tTjk4c3ZsVr+0F9n2SwsMmHz93YfONX
iuvLv/vxGMrWViXv9gbYJMqqfagamWn7SZivlkFp/YxSBg+3vSPo1w==
=+izN
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-02 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, 2 April 2021 19:35, Simon Matter  wrote:

> > Commit 8fa8a17528c001a introduces "compress migrate" to move old clients
> > that have "compress" or "comp-lzo" in their config towards a connection
> > without compression. This is done by looking at incoming OCC strings
> > to see if the client has compression enabled, and at incoming IV_
> > strings to see whether it can do "compress stub-v2" or needs to be sent
> > "comp-lzo no".
>
> Hi,
>
> What I'm still wondering is why is compression so dangerous with OpenVPN
> but not so with things like SSH or SCP?
>

Simon, I believe the detail which you have over-looked is this:

A lot of people use openvpn as a client to VPN service providers believing
things which are not true.  They then surf the web with over-confidence.

In such a scenario, while pulling off such an attack on a compressed VPN
stream may seem a remote possibility, with such a vast number of potential
victims to abuse, both the temptation to do so and the potential success rate
increase dramatically.

But I believe you need access to both the compressed VPN data
and the uncompressed HTTPS packets to exploit such an attack.

Still, it was shown to be a genuine attack vector nonetheless.

--
Regards
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgZ7oZACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2Qzwf9GFUFmJrJv4ny2uvbLUWKHAGsFKsD12I5YeJLQArsAsP39w7k
H4chac7T/XLA2nBYLxIizioc3fiFqPTrlyx2AdwIuTpWhqf4FuU+pXt9JhqJ
spI6j907aSN/G1jDjWhzltrWrjhJg/a6VQvtuTzAcBx3h1AA3WwKvRCUVhm6
r0/jqRpb5OhA05Ux6JG0uqlCfG5zTURSaFdjwhEotvHpuzg9IpzEIBx42dnU
EgS+aoJPdxYSCldYbdwj9EWus1+MzNHd+JjZsxadqiGarC+I+r5q2fHC9bBA
EPdlbWGIdPcASeB0edWSI9uOO18UBpuaOnU4aBN/SXQJE4wApq1wUQ==
=LhbH
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-02 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, 3 April 2021 01:43, tincantech via Openvpn-devel 
 wrote:


>
> But i believe you need to have access to both the compressed VPN data
> and the uncompressed https packets to exploit such an attack.
>

Edit:
The attacker also needs to control the https website that the victim visits.

It's a tall order, but do you really want to argue with the sort of people
who figured out how to do it?

> Still, it was shown to be a genuine attack vector none-the-less.
>

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgZ7usACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3yaAgAvefAvhIBj2izSl5JoOH2oPeCYunedXsrFOXjrvteC1GX/Hem
gRpLgcjNjdhcWdfW8NCFhihozr1Hrb9cLIxmvNLw5zmAIf6DRtcPPaExsyYJ
mDLXMFlKZmSoGc3Jh9hsXxFy5oEH2K2RtQxJevGciAHn6GSkPx0MrHLJlmCH
EPhUThW+QpEq+NdqNUo9dPJe9ByUUrZ9c/eySjXG8Eo7hYSLu0AhoYUr/zY1
OqpRNg3lsH6CRFkH7LV5cJEBGLF6qZLeAZ5x7UYGjWWR1pwI02AKknF5E9bW
s+4P64TLyIVerUsewJ9EbzU4kI5abf+pammwmqBHFrPaI1foNUS/dA==
=s7Ma
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, 3 April 2021 19:46, Arne Schwabe  wrote:

> Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> building a binary without it is not something we realistically want
> to support anyway. Building P2MP support now only depends on
> HAVE_GETTIMEOFDAY or win32, which has a compat function for it.
>
> This also removes the ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION
> defines, which also depend only on the HAVE_GETTIMEOFDAY or WIN32.

Is this the end of --shaper option ?



-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgaMHkACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1nmwf/efDZ8L/Py44AKHZJ90OE3WA8T16qmzbMZpScnCc3iL65QLJF
vU/VU/xg636f53OKBav09SXAEhnLvcA3gGdiPb/1e9M/Y/tU6Q9nZknCRcKe
8DwNreop4+YsDY4FI9KeLS6Mnm97DhXS0ErEwgw1Wut0meGHdcKDK6wghOgW
DbKsBrXZzEBN7MkmpTbzK9rYBAuGJYjWQL6sG+7ClC9wCN2Jms/SBWq92QpF
ZuXecVbUp7tWa3EqxGkAnvg7CMQHwA9XmemzBAX+6EzTMTT90KTJvu88rH9H
SeKcJVE1RH2Jf0XaGuqn2ZcrHWGm9R+O6SCsrsRch6Y2stgT9AaTpQ==
=zXFm
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 11/14] Remove P2MP mode and check for gettimeofday

2021-04-03 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Before this goes any further, I doubt very much that Openvpn intends to "Remove 
P2MP mode".



Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, 1 April 2021 18:27, Arne Schwabe  wrote:

> Am 01.04.21 um 15:13 schrieb Arne Schwabe:
>
> > Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> > building a binary without it is not something we realistically want
> > to support anyway.
>
> >  }
> >
> >
> > -   /* Check if we have forbidding options in the current mode */
> > -   if (dco_enabled( &mi->context.options)
>
> Ignore this patch for now. Rebasing worked without conflicts but somehow
> still pull dco bits into it (rebase is sometimes magic )
>
> Arne
>


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgaNsSACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2xqwf9EbssBV+0gW+/y0bIR+3I7DFZouZTRcO+9SCftHO6AcfTBgaD
Uro0ZmOa233PaGSB3B5MbJcZQ0gnIWegVeGjN0khVOU75fv332svNc2CLZtn
JHwG3XYnHWxMMVaRWkcyPp72UUfxiaooZp1FjPAnhl6D/PUAxw2tU3Cl6dp1
rgHmWhNKza2B8PzhnSZ8K0RiTjdOy3bYLSdj6hKwyQkvG1+wEGpG0qJSEnKF
1Qb2qpPNftG1BfOkTQ3QVuBcpDDusR1ip+qs9LmLo87LKD2UF8DWgZlj5Ev8
pdu8+cp7Fk7G2UrLWbKy7fTPcfncaViiNEHNbm9EMtURCioaLsQwoA==
=Cr8U
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-09 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 9 April 2021 10:53, Arne Schwabe  wrote:



>
> I am not sure how you came to that conclusion. I have written a fairly
> comprehensible documentation how NCP in 2.5 works for our manpage:
> https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
>
> That should also answer your question.
>


sorry for the noise but I created a quick ref. guide for cipher negotiation:

https://community.openvpn.net/openvpn/wiki/CipherNegotiation

It may be of some value to others reading this thread.

Regards
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgcES+ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2TPAgAuSyk329uuzmDecw9kvFBa/UDQ2C8U4ZVwXZZKXk4AL5NtM9Q
Nbsi6qHMPT/WYfgVMOPbJLvWgUx2yi51rPawis5itd4Ghe7nZtBQOdjz1LZY
/5VfqgOIMtfvovL+Wlg1SpwPM5Mo/ApILcec4jfrP5XJxe/6Xo8Mx4ZcYLq7
EmjVZ3gFWSX3kmBTdtQmPRKZ6qTe3gezwduZ667eRy58kK39SRFX2tsjvFT+
2D8mtkLIQvJNDbO1KHNmW4oXxcu7YesQScAshOBpIutyU0vUyg37fp+SoTcs
Q4oS2Wp2T2HZlPMkvBopbiddk6Wu1+kaP0+jDiBllSkZRrcrwCRtsQ==
=8Qly
-END PGP SIGNATURE-




Re: [Openvpn-devel] make --persist-key always-on and remove "off" code path

2021-04-09 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 9 April 2021 17:28, Gert Doering  wrote:



> I do not use --persist-key, but I still restart my services after fiddling
> with configs...
>

Same.

To add weight here, I would estimate that 95%+ of all posts on the forum which
include a config file have --persist-key enabled, regardless.

Regards
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgcIRiACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2w0wgAv4Yv3T+4nsxYxocmBdlAGzZAuOOYsg6d9wWyHavY3YXCNWSh
CN+8Fi4ruR3iaeEnVa98RlV/SvLkns5cyRRr2XEG/OMOthc4237o33W8BrRX
8zYkxezaYSGWB7Q8KJmyHFnAc3njrVdXRN2INMbZyn9dHUOSIYD8ZUmntxPR
+ftK2/idc9ftk1wVqBL5oIngCaFCm1Y/lfG76Ae6GTAha3pEqwh0qj573IC3
Mgyu5JYCCjbYWcojM2nilOWCDPaWPQaasVmLe9Pu31yUCWbTLy4Y/nZuwLpA
cSWUV9E+rqQ+C4ZObxx4MJhVPJfVmKWJtZsbN5vF6OELD/w/iQ0Sgw==
=qukX
-END PGP SIGNATURE-




[Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid

2021-04-22 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

hi,

I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify 
environment.

FTR: $daemon_pid is currently undocumented in all three manuals.

Thanks.
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJggeRlACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3+LQgAxSKGYd1ubfyiSdl4VMNrp+y97t03OLVhBntuUiYHTZUaQlKi
33oQRxNY+ELuZUpK4ueMgeUPvG20kAB5zfpyT6imsYrze3hlbd9G6omflByh
f0sAovrDSiegF8adNgdKCsGi8co7z2B3Ec0WWRnGLPPcZHQzIo8MlspYJ50l
uf6EdEDZL96VQYHNDJ/RH6egj1+WZww+qk/VJsuiBTyxf/KlRNVbrC24/iM1
gHS/3HqDvwgX675vIIDlB2ZzF0QiHCPZWYlWbPAU2GqEqpzN/qn7EDuPfrFB
IY/g8y9+qH+AZmD7byeRSeLSiira84oBWX6OwGJOrmLPsam9ZVTmRg==
=+Hpt
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid

2021-04-25 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 07:13, Gert Doering  wrote:

> Hi,
>
> On Thu, Apr 22, 2021 at 09:02:30PM +, tincantech via Openvpn-devel wrote:
>
> > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify 
> > environment.
>
> What for?

Easy-TLS - I'll explain in more detail sometime ..


>
> > FTR: $daemon_pid is currently undocumented in all three manuals.
>
> It seems to be an obscure and not very useful feature.
>
> "Programs that are called from OpenVPN" can find the OpenVPN pid trivially
> by calling getppid() (or $PPID in shell).

Unfortunately, on Windows $PPID carries the PID of the sh.exe being executed.

This use case is making Linux sh scripts usable in Windows.

Thanks for the PPID tip,
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJggwdgACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0dVQf+MUWXJy3VToFwmmAsS2ILKvoec8eZH2fjDftQGZoOBDSa68Jp
o2vryOtdfxxCVyXDt3O7Wjb4CkkWJM3dlf7hZEYCw47D4++BY0UzhfFRwt2o
cTS7RmdqOK9OUPstTzPl6+Nydsn3uNLq/0mNgsshaTq8PoKrBhoya73VNU9d
M4vdLF8d89EKaphRFArcTXgWKU363ZvmsrS90onXTNpu1wUY162yFlip5P8j
swB4Ziq4+7mRzg+n6QomlForwYP30BnHo+Iaob/snCF+8UJJzWTQCvfsrAjF
PCZYEumWvIRQ31a4AuQ2eTAyWzD1xHSBJez5uvmdZI2JKT1G/hcyUw==
=dqrf
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid

2021-04-25 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 13:22, Antonio Quartulli  wrote:

> Hi,
>
> On 23/04/2021 14:16, tincantech wrote:
>
> > Hi,
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, 23 April 2021 08:12, Antonio Quartulli a...@unstable.cc wrote:
> >
> > > Hi,
> >
> > > On 22/04/2021 23:02, tincantech via Openvpn-devel wrote:
> >
> > > > hi,
> > > > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify 
> > > > environment.
> >
> > > The environment for --tls-crypt-v2-verify was designed to be extremely
> > > minimal.
> > > Anything concerning tls-crypt verification was designed to be as minimal
> > > as possible.
> >
> > > Indeed, differently from other scripts, the env for tls-crypt-v2 is
> > > created empty and then only a very few variables are added.
> >
> > > Anything that was deemed not necessary for the metadata verification was
> > > not passed.
> >
> > I understand your reasoning, however, in the case of daemon_pid would you 
> > not
> > consider the process to be "more secure" if openvpn does provide the PID in
> > the environment, rather than have the script read the PID from a file?
> > Having to configure openvpn to write the PID and then read the PID is two 
> > steps
> > which can introduce user-bound misconfiguration errors.
>
> we can't control what the user does with the script - he could do
> anything wrong and ugly, but we can't just implement shortcuts for them, no?

No.

This is not a shortcut; this is OpenVPN providing a guaranteed working
environment.

I am not expecting openvpn to "control" what the user does with the script, I am
asking that ALL scripts have access to daemon_pid as an obvious and beneficial
security precaution.

All scripts ought to have access to daemon_pid for the simple reason of ensuring
that the scripts run for the same server instance.  Providing daemon_pid to all
scripts is the *most secure* way to do this.

There are other reasons to use --writepid, such as for completely external 
processes.


>
> > > I can imagine you have a usecase for daemon_pid, but I am sure more
> > > people will have other arguments for other variables as well. Hence the
> > > idea to design something extremely minimal and leave more complex logics
> > > to following (post-auth) steps.
> >
> > I reviewed all the other variables for inclusion viability and, with the
> > exception of "untrusted_ip / untrusted_ip6", I came to the conclusion that
> > the only variable which does come with a genuine security bonus is 
> > daemon_pid.
> > (As outlined in my previous comment)
> > As for untrusted_ip*, it definitely could be useful to --tls-crypt-v2-verify
> > but I'm not asking for that here. Perhaps on reading this other members will
> > see how it can be of benefit to the scripts versatility..
> > (The same goes for untrusted_port but that seems less useful over all)

I notice how you conveniently skipped this entire section ..

> > I would also quote that old, old expression "Security through Obscurity"
> > https://en.wikipedia.org/wiki/Security_through_obscurity
>
> It's not security through obscurity here, but it's about keeping the
> code that leads to the tls-crypt-v2-verify call as minimal as possible.

.. and went straight to this comment.

In my opinion this is security through obscurity.

Withholding daemon_pid from any script executed by openvpn is a bad decision,
and in the case of --tls-crypt-v2-verify, withholding ALL other data from the
script is clearly S.T.O.  I can understand the reason to make the env minimal,
but this is clearly a case of going too far.  Thus .. as above.


>
> This said, what is deamon-pid useful for in the tls-crypt-v2-verify
> script? Maybe a clear usecase with pro and cons could help understanding
> where this need is coming from.

You are forcing my hand: https://github.com/TinCanTech/easy-tls

I can see absolutely no security benefit in withholding daemon_pid from
--tls-crypt-v2-verify, given the extra hoops a user is forced
to jump through and the security risks they are forced to take in doing so.


As a final comment here, on the one hand openvpn chooses to enforce
cipher-negotiation "because it is more secure and helps unwary users to
configure their vpn correctly".  On the other hand openvpn cannot see
the simple LOGIC of providing daemon_pid to ALL scripts launched by openvpn.


Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJggtEaACEJEE+XnPZrkLidFiEE

Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid

2021-04-25 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 08:12, Antonio Quartulli  wrote:

> Hi,
>
> On 22/04/2021 23:02, tincantech via Openvpn-devel wrote:
>
> > hi,
> > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify 
> > environment.
>
> The environment for --tls-crypt-v2-verify was designed to be extremely
> minimal.
> Anything concerning tls-crypt verification was designed to be as minimal
> as possible.
>
> Indeed, differently from other scripts, the env for tls-crypt-v2 is
> created empty and then only a very few variables are added.
>
> Anything that was deemed not necessary for the metadata verification was
> not passed.

I understand your reasoning, however, in the case of daemon_pid would you not
consider the process to be "more secure" if openvpn *does* provide the PID in
the environment, rather than have the script read the PID from a file?

Having to configure openvpn to write the PID and then read the PID is two steps
which can introduce user bound misconfiguration errors.


>
> I can imagine you have a usecase for daemon_pid, but I am sure more
> people will have other arguments for other variables as well. Hence the
> idea to design something extremely minimal and leave more complex logics
> to following (post-auth) steps.

I reviewed all the other variables for inclusion viability and, with the
exception of "untrusted_ip / untrusted_ip6", I came to the conclusion that
the *only* variable which does come with a genuine security bonus is daemon_pid.
(As outlined in my previous comment)

As for untrusted_ip*, it definitely could be useful to --tls-crypt-v2-verify
but I'm not asking for that here.  Perhaps on reading this other members will
see how it can be of benefit to the scripts versatility..
(The same goes for untrusted_port but that seems less useful over all)

I would also quote that old, old expression "Security through Obscurity"
https://en.wikipedia.org/wiki/Security_through_obscurity

>
> > FTR: $daemon_pid is currently undocumented in all three manuals.
>
> It'd be nice to have such documentation added :-)

I hope that you're not suggesting that I provide documentation for something
which you then refuse to allow me to use ? ;-)

Not only but also, "you give a little, you get a little" :D

In conclusion, I request that OpenVPN review their earlier decision to be so
*cruelly frugal* to --tls-crypt-v2-verify, on this one occasion.

Thanks for your informed and collective consideration,
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJggrqWACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1ZWwgAkgKYkbfa04CCrqu2pVYxYnt4bcRCvMV7qI8RM37PliG8b2Bx
6qDPMUAZ1DwIL59WKYahtKOIVcp5gLXLoAlrfJy+FMRfJodnGT3iPz3no+Ew
HWTsiwTXjUozGnD3fIviVfzbcXIb082WRzKP1/IpAtTztnBv6Aq6i5vLb/mJ
Ghh/YJIDsaV012dz8qLX9oVbmd8SycfyhKa8E1IwlpkbHsJlqUYo/rxOeXTY
1q4J07aNk1bwPAQU0bWbxf04ItLqeAnoWESnaTc6gWz4fXaRM3XiMuUDFzFl
6FFRQeGkrJAdY2N/ZdAwcNSY3PDkFmu5MPBoaw6lmeBMMoFxG4S/kg==
=ZBp4
-END PGP SIGNATURE-




[Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2

2021-04-25 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.
Version 2

Justification:

With the notable exception of --tls-crypt-v2-verify ..
daemon_pid provides a verified process ID to All scripts. This ensures
that scripts which are intended to pass data along to the following scripts
have an index to which they can link that data.

Example:

An example is presented in Easy-TLS:
https://github.com/TinCanTech/easy-tls

This script passes hardware address from --tls-crypt-v2 key metadata along
to --client-connect, where the pushed client variable IV_HWADDR can be
matched against the fixed hardware address encrypted in the TLS Crypt V2
key metadata.

Security:

There are no known security concerns with regard to including the openvpn
process ID (daemon_pid) in the --tls-crypt-v2-verify environment.

Complexity:

Ongoing support of the required code would be minimal to zero.

Code:

This patch is included for review purposes only.


diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
 setenv_str(es, "metadata_file", tmp_file);
+    setenv_int(es, "daemon_pid", platform_getpid());

 struct argv argv = argv_new();
 argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
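Review bot: The new `setenv_int(es, "daemon_pid", platform_getpid());` line carries no comment saying why this one value is admitted to an environment that, as the thread itself states, is deliberately created empty and kept minimal, so the next addition will cite it as precedent. A short comment above the call such as `/* daemon_pid lets this hook hand a file to the later tls-verify / client-connect hooks of the same instance; it identifies the process, nothing more. Keep this env minimal otherwise. */` records both the purpose and the limit. The identical one-line hunk recurs in the later [PATCH] resends and in the final git-format-patch copy at the end of the thread, including the quoted copies whose `+` marker was mangled to `-` in transit; this note applies to all of them. tls_crypt_v2_verify_metadata continues outside the hunk on both sides.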



Conclusion:

Due to the OS in use and other environmental factors, the *nix built-in
variable PPID may not always be available. Without including $daemon_pid in
the --tls-crypt-v2-verify environment, openvpn is forcing the user to
unnecessarily configure --writepid.

The purpose of --writepid is to advertise the openvpn process ID to external
processes which do not have access to the internals of openvpn. By including
daemon_pid in the --tls-crypt-v2-verify environment all processes launched by
openvpn have access to this very useful identifier.

Provided there are no genuine reasons to NAK this request, I will send a
correctly formatted patch.

Addendum:

I know this is something which helps me in the short term and I already have a
working alternative but I would like you to reconsider your previous decision.
In my opinion All scripts launched by openvpn should have immediate access to
daemon_pid.

Thank you for your time and consideration,
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJggzkmACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0nVggAkf9tcCo7onTYoZ4WetX/6uePD2QzEYd8rHYbn1q6R8JvOqMi
JrDIRIYZw06v/r4pyzq8tYUvS+1VBY9cPIm+v3uudOhZ/WUlyGw180u2tA+w
eX+bx/AwA5FC4QGqgJlTEx9G5s0H5Ge2vSd1ChA52VjC5QZeorI/42nZpG2I
Gg7vC0JH9rr9LqAzVNH9YfWff7vNKvXAPdmL9/itf3Eq6uFytGsD77KjZaq7
RESDSO2cOnCyoVyktPhw64d77q6bCgFtl08CVQYJOTwg07cY+ZEWa3wRCEAb
bcDj6eDNDHy8e9iMzie3yrIgZsRDCbGiXCyaLk2abZtpFsqX7rP6jA==
=z4PC
-END PGP SIGNATURE-




Re: [Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2

2021-04-27 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

no complaints yet ?

Sent with ProtonMail Secure Email.
ProtonMail, as crap as googlemail.

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 22:16, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.
> Version 2
>
> Justification:
>
> With the notable exception of --tls-crypt-v2-verify ..
> daemon_pid provides a verified process ID to All scripts. This ensures
> that scripts which are intended to pass data along to the following scripts
> have an index to which they can link that data.
>
> Example:
>
> An example is presented in Easy-TLS:
> https://github.com/TinCanTech/easy-tls
>
> This script passes hardware address from --tls-crypt-v2 key metadata along
> to --client-connect, where the pushed client variable IV_HWADDR can be
> matched against the fixed hardware address encrypted in the TLS Crypt V2
> key metadata.
>
> Security:
>
> There are no known security concerns with regard to including the openvpn
> process ID (daemon_pid) in the --tls-crypt-v2-verify environment.
>
> Complexity:
>
> Ongoing support of the required code would be minimal to zero.
>
> Code:
>
> This patch is included for review purposes only.
>
> 
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx 
> *ctx,
>  setenv_str(es, "script_type", "tls-crypt-v2-verify");
>  setenv_str(es, "metadata_type", metadata_type_str);
>  setenv_str(es, "metadata_file", tmp_file);
> +    setenv_int(es, "daemon_pid", platform_getpid());
>
>  struct argv argv = argv_new();
>  argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
> 
>
> Conclusion:
>
> Due to the OS in use and other environmental factors, the *nix built-in 
> variable PPID
> may not always be available. Without including $daemon_pid in the 
> --tls-crypt-v2-verify
> environment, openvpn is forcing the user to unnecessarily configure 
> --writepid. 
>
> The purpose of --writepid is to advertise the openvpn process ID to external 
> processes
> which do not have access to the internals of openvpn. By including daemon_pid
> in the --tls-crypt-v2-verify environment all processes launched by openvpn 
> have access
> to this very useful identifier.
>
> Provided there are no genuine reasons to NAK this request, I will send a 
> correctly
> formatted patch.
>
> Addendum:
>
> I know this is something which helps me in the short term and I already have 
> a working
> alternative but I would like you to reconsider your previous decision. In my 
> opinion All
> scripts launched by openvpn should have immediate access to daemon_pid.
>
> Thank you for your time and consideration,
> R


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgiMIMACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2yHAf/VwSjdR6F5GQy7rfJLKkP+sbGgL1kgKPsB7bgiiSV47+GTg0J
lftyAS6lxyKhJ+7Xt+xm45janjMxnsxXrzIYjJdlfQSPMEfFOn9Uw17ohW0x
bO52oTqCqoR5Y/UhqlLQ+lpgUMJJalfWZtJ3uiQ1GfloJk9oKjJ1thmdnmQ+
048pGsBf2iRnvPJEDqJ/JxoKttvEAHQhVp3wI2aO70JzYujsuq5E6gnQsAT+
roDB8W2HRt5Ycbl+Y9lnzPM4HUk+W67j0+Af6Jf0mrfuK2IC2EFRBTkaVM5C
F9QICvlZ/wB9oaH4/OXfp1DXAHBHh2wf0Bw6Rxcsyg3ni8Ro0ARdsw==
=TmRk
-END PGP SIGNATURE-




[Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment

2021-04-28 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Openvpn process ID (daemon_pid) provides the most secure way for
scripts to verify which process they were called by.

This patch adds daemon_pid to the --tls-crypt-v2-verify environment.

Tested on Linux and Windows.


diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
 setenv_str(es, "metadata_file", tmp_file);
+setenv_int(es, "daemon_pid", platform_getpid());

 struct argv argv = argv_new();
 argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);


--
git version 2.25.1


I hope my MTA has not mangled this patch but I don't currently have access
to an SMTP server port. If it is borken then please ignore this and I'll find
another way.  Feel free to send other feedback.  eg: NAK + Reason.

Thanks
R

#


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgiZ8TACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3KTAf+OfRyvNNBqDTulTPHsULxhehPve6mgqsoovqlYomkFnIu20CJ
497Yiqno7Nz49Wy2Ka5nu88sTptp0CdFg6QE2yytol1H8D0vFYwNwyIIS9eq
d8pPa/sI0ga8DHSF5QjbvsTJusPolIjR4H7yXPFjrqMXlXYdRgof6IT+P3+G
b/ev08nhPSjS0ZlciAPymW1wL5zsttDxSWU8vy/T6NYoq+QTaNfYgqNjlW8M
BR48OSAc1aTPBzHeYW8MxOkm3Si9u2qS+hSSMgT0yS8EnvpCZn0vw+tOQ2Ey
WR7RmdyoQRsJYANnlY4Pqe+c3h4tuWBK9UCJRnpgz/ytIog8V1VBjg==
=iX52
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment

2021-04-28 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Yeah, I forgot to apply and commit -- sorry.

I guess I'll send again if this is an acceptable patch and my MTA didn't
screw it up ?
Please let me know .. thanks



‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 18:44, tincantech  wrote:

> Openvpn process ID (daemon_pid) provides the most secure way for
> scripts to verify which process they were called by.
>
> This patch adds daemon_poid to --tls-crypt-v2-verify environment.
>
> Tested on Linux and Windows.
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx 
> *ctx,
> setenv_str(es, "script_type", "tls-crypt-v2-verify");
> setenv_str(es, "metadata_type", metadata_type_str);
> setenv_str(es, "metadata_file", tmp_file);
>
> -   setenv_int(es, "daemon_pid", platform_getpid());
>
> struct argv argv = argv_new();
> argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> --
>
> git version 2.25.1
>
> I hope my MTA has not mangled this patch but I don't currently have access
> to an SMTP server port. If it is borken then please ignore this and I'll find
> another way. Feel free to send other feedback. eg: NAK + Reason.
>
> Thanks
> R
>
> ==


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgiZ/PACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3hPwgAk3GKzcr76rPTac1/6NMQyP3wnWpXgsmbGCvr5zVcQRbAaSbL
FwN+qB01aXx8ic7u1t9xoBA83WA5BOy/Nmecg/MmTK2hWapL954b2dEHubFt
j9b1wqXX46Mcg55VSvSC2gc35bZB2wXLiKIAOGFgvmH84m18CCDSePaKywrf
izC5B+Ew+M6zacf1IZU64DKJdLX8yzyQt9U3zI1egFj9mK7qzm3lY79zier0
jkDQlijZrp6krAeBqlGmm1sMLERyQrCrJrCdbuEbrMbVPxbJOhYFpT8EWolE
ta/OTF94IK2T8ErmNZsA3oSdXSuYriZM6gSxKqiMpSXuNjo3wKzrkg==
=57ff
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment

2021-04-28 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Looking closer, I can see that it was damaged in transit ..

Please let me know if you would be willing to accept my proposed patch and
then I will persist to find a way.

If you will not accept the addition then please let me know.

Thanks
R


‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel 
 wrote:

> Yeah, I forgot to apply and commit -- sorry.
>
> I guess I'll send again if this is an acceptable patch and my MTA didn't 
> screw it up ?
> Please let me know .. thanks
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 28 April 2021 18:44, tincantech tincant...@protonmail.com wrote:
>
> > Openvpn process ID (daemon_pid) provides the most secure way for
> > scripts to verify which process they were called by.
> > This patch adds daemon_poid to --tls-crypt-v2-verify environment.
> > Tested on Linux and Windows.
> > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> > index 7b5016d3..23d93a6c 100644
> > --- a/src/openvpn/tls_crypt.c
> > +++ b/src/openvpn/tls_crypt.c
> > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx 
> > *ctx,
> > setenv_str(es, "script_type", "tls-crypt-v2-verify");
> > setenv_str(es, "metadata_type", metadata_type_str);
> > setenv_str(es, "metadata_file", tmp_file);
> >
> > -   setenv_int(es, "daemon_pid", platform_getpid());
> > struct argv argv = argv_new();
> > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> >
> >
> > --
> > git version 2.25.1
> > I hope my MTA has not mangled this patch but I don't currently have access
> > to an SMTP server port. If it is borken then please ignore this and I'll 
> > find
> > another way. Feel free to send other feedback. eg: NAK + Reason.
> > Thanks
> > R
> > ==


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgiaNiACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2FZwf/VduCykdRxUIXhDX1+owQ1wKB02tuhj/0ABu0GpK9VvyZCOx4
0BKCaZB6VPWhV4sop4AAfm24LeyT80aST/W+PQ2N5bnfHvC5/Lm6anB+ck38
K/6JkehHkyvuVdR1K2LiKdgtW9gAggdPYSn4WbKSlv+Q2HthmVZlg7/ADrZk
RsRE6HYO/mNkTaLsuzkWczyH1z6ncAqg8ivZxcnOBfrjSRNJJMHsAzWzT7J7
eitX50FT387SSbiBgP2PiVUnm5XIO/rT/yJhHTM9p8wISzzOfW/5hUovMnvx
wP4er/eYwp1/JbErVDbzlpT0r33MQADbVQAxKJpg4l9m0GIzmlHGIw==
=0azE
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment

2021-04-29 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Not a single comment ?


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 19:03, tincantech  wrote:

> Looking closer, I can see that it was damaged in transit ..
>
> Please let me know if you would be willing to accept my proposed patch and 
> then I will persist to find a way.
>
> If you will not accept the addition then please let me know.
>
> Thanks
> R
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel 
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Yeah, I forgot to apply and commit -- sorry.
> > I guess I'll send again if this is an acceptable patch and my MTA didn't 
> > screw it up ?
> > Please let me know .. thanks
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 28 April 2021 18:44, tincantech tincant...@protonmail.com 
> > wrote:
> >
> > > Openvpn process ID (daemon_pid) provides the most secure way for
> > > scripts to verify which process they were called by.
> > > This patch adds daemon_poid to --tls-crypt-v2-verify environment.
> > > Tested on Linux and Windows.
> > > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> > > index 7b5016d3..23d93a6c 100644
> > > --- a/src/openvpn/tls_crypt.c
> > > +++ b/src/openvpn/tls_crypt.c
> > > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct 
> > > tls_wrap_ctx *ctx,
> > > setenv_str(es, "script_type", "tls-crypt-v2-verify");
> > > setenv_str(es, "metadata_type", metadata_type_str);
> > > setenv_str(es, "metadata_file", tmp_file);
> > >
> > > -   setenv_int(es, "daemon_pid", platform_getpid());
> > > struct argv argv = argv_new();
> > > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> > >
> > >
> > > --
> > > git version 2.25.1
> > > I hope my MTA has not mangled this patch but I don't currently have access
> > > to an SMTP server port. If it is borken then please ignore this and I'll 
> > > find
> > > another way. Feel free to send other feedback. eg: NAK + Reason.
> > > Thanks
> > > R
> > >
> > > =


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgipHgACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ064ggAifsuMtavQAW7fBTiMjr/587lEwrO7CMFJOEhIexbeJN2tl1G
tbDG5NSIRxM9Vle2rvpybaStga3Fst9Q6Gi7EDIwVFBfSNWjSeogwA30N35f
T0KRWCbveSjiKRsyTS7p9zEv1Dvms0iRX0G+NClsbIJr7Fn7gUtSS2ztvj60
KfXeH1dkv1Q7EJPLC0H7zKcoEagFrYb0bNtG3g7uca5Yb7sEyetA3rKX02Z/
JpqeZN3nZe4Fvx19YOnrc+dZPtKpshws7swg7KQOz07GEEXMXe5BBjgWqQlz
RTcHefU8fLaMklprpLsuOvMnOgVwQ0fwbV22IBAT4g7d5++CxCvBSQ==
=ReR6
-END PGP SIGNATURE-




[Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-04-29 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Under Windows, programmatically retrieving the parent process ID of
the openvpn instance which called a script is practically impossible.
The only sensible way, currently available, is to write a PID file.

This patch adds a single integer variable, named daemon_pid, to the
script environment. The value of which is set to the openvpn process
ID that called the script.

Providing this variable via the running openvpn process is more secure,
faster and far less prone to user-error than using a PID file.

Signed-off-by: Richard T Bonhomme tincant...@protonmail.com

src/openvpn/tls_crypt.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
setenv_str(es, "script_type", "tls-crypt-v2-verify");
setenv_str(es, "metadata_type", metadata_type_str);
setenv_str(es, "metadata_file", tmp_file);

-   setenv_int(es, "daemon_pid", platform_getpid());

struct argv argv = argv_new();
argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);


--
2.25.1
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgitDzACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3tigf9GP21RvAuybG60NgMaC5t9LIyjlBjaNOcWjLgbCUh7KhFSPMu
6r48YAsdy2PB7vd753GhjoQbQuM8+JhS0+fXBIgtToOxMOSGJoSJLu0RoYL3
ScRLXgx2M0p5wbQdHD9tx3ZsVXKyLPTwRWg3w3V7viIJ2A9tmiAUuX4YflJ+
hyfhp1sT648Hb2PW3eIBvEMZNOGG9Et/jS833/Yk5WRn8Wee/nPASOYYbHGf
amX51gbevtmJy67Dti0ibUNomf9uYFd95ojG9qdqJDDQaff76nbda/bRX38g
SUu50B2mNpS/sHeirUAKCpuzmMxqpLl9NOxS4m3SFLk+sfeDgSJRSA==
=6a1K
-END PGP SIGNATURE-
From 91baf93e62db2ed063a8c4cfdf5b6ff750ac6103 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme 
Date: Thu, 29 Apr 2021 16:17:06 +0100
Subject: [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

Under Windows, programmatically retrieving the parent process ID of
the openvpn instance which called a script is practically impossible.
The only sensible way, currently available, is to write a PID file.

This patch adds a single integer variable, named daemon_pid, to the
script environment. The value of which is set to the openvpn process
ID that called the script.

Providing this variable via the running openvpn process is more secure,
faster and far less prone to user-error than using a PID file.

Signed-off-by: Richard T Bonhomme 
---
 src/openvpn/tls_crypt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
 setenv_str(es, "script_type", "tls-crypt-v2-verify");
 setenv_str(es, "metadata_type", metadata_type_str);
 setenv_str(es, "metadata_file", tmp_file);
+setenv_int(es, "daemon_pid", platform_getpid());
 
 struct argv argv = argv_new();
 argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
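Review bot: The diffstat lists only src/openvpn/tls_crypt.c, so daemon_pid becomes part of the --tls-crypt-v2-verify script environment with no documentation change, and earlier in this thread the same variable is already noted as undocumented in all three manuals for the hooks that export it today. The script-environment section of the manual should gain an entry along the lines of `daemon_pid -- process ID of the OpenVPN instance that launched the script; also set for --tls-crypt-v2-verify`, so script authors learn that the value is there and what it denotes. That is a documentation-only follow-up; the code hunk itself is covered by the note on the first copy of this hunk earlier in the thread.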
-- 
2.25.1





Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-03 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

‐‐‐ Original Message ‐‐‐
On Thursday, 29 April 2021 18:15, Richard T Bonhomme  
wrote:

> From: string vest stringves...@gmail.com
>
> Under Windows, programmatically retrieving the parent process ID of
> the openvpn instance which called a script is practically impossible.
> The only sensible way, currently available, is to write a PID file.
>
> This patch adds a single integer variable, named daemon_pid, to the
> script environment. The value of which is set to the openvpn process
> ID that called the script.
>
> Providing this variable via the running openvpn process is more secure,
> faster and far less prone to user-error than using a PID file.
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/tls_crypt.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx 
> *ctx,
> setenv_str(es, "script_type", "tls-crypt-v2-verify");
> setenv_str(es, "metadata_type", metadata_type_str);
> setenv_str(es, "metadata_file", tmp_file);
>
> -   setenv_int(es, "daemon_pid", platform_getpid());
>
> struct argv argv = argv_new();
> argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> --
> 2.25.1

Bump.
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkDFOACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1Wywf/bDBG1X2K9a5NfjvSb5X2npD8VOq4d66Dy8uwDnhCkJoT5exm
MFRhaLYhQXXK22GVSqX/n7aNDly6HveyMRkuUzoDnKNMhxJ9NUfgwCpgc+Ap
5nJtYfss13mcaHQzwP1CPuQWpjupKQ4nAi+OWT3tPBhc0zkKq8O/VXOjff8g
KSE3WMlwCHrrXqZ5XV4Y8FqyeN0mqkVnhKfJy0UxKR1zh+E+a70cCT1mUR0x
mlBAXMDoS/p+EoIW6PqJNt+4qgzSQbH8b77XmAkR1eR9LS4GoZG1OHYkwQiW
e8SRm6tKLpjTIw9Ob9HTIoIt9kSjFfRVgBVyM37s2KSyeYG0YjPTAg==
=DN5K
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-04 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 11:50, Arne Schwabe  wrote:

> Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
>
> > From: string vest stringves...@gmail.com
> > Under Windows, programmatically retrieving the parent process ID of
> > the openvpn instance which called a script is practically impossible.
> > The only sensible way, currently available, is to write a PID file.
> > This patch adds a single integer variable, named daemon_pid, to the
> > script environment. The value of which is set to the openvpn process
> > ID that called the script.
> > Providing this variable via the running openvpn process is more secure,
> > faster and far less prone to user-error than using a PID file.
>
> Could you explain why you need the process ID of the daemon? I am trying
> to figure out why that is needed. I also don't understand the secure in
> this context. What are you protecting yourself against? You are not
> protecting your script being called from a malicious program as that
> could lookup the PID of openvpn and just set the daemon_id variable.
>

The reason I am using the process ID is as follows:

When --tls-crypt-v2-verify is executed, it saves a file named:
${certificate_serial_number}.${daemon_pid}
with data from the TLS-Crypt-V2 key metadata field, which can then
be read by the following scripts: --tls-verify and --client-connect.

The --tls-verify and --client-connect script have:
${certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
in their environment and can guarantee to pick-up the correct data file.

This is OK for one running server but when there are more than one server
instance running, using a PID file becomes messy and cumbersome.

The "secure" in this sense is that, having openvpn provide the PID is much
more reliable than relying on multiple PID files.

Also, while it is "trivial" for *nix to retrieve the Parent PID, under
Windows, programmatically doing this is not "trivial" at all:

PID:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
PPID:
https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

Therefore, barring any known security reasons for not providing the openvpn PID
to all scripts which it executes, it makes more sense to have openvpn provide
daemon_pid.  The only script currently missing this data is
--tls-crypt-v2-verify (and probably --learn-address but I have not tested that).

Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkUFuACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0Zcgf+MpbxgsNS/eKpPsbafA5Qmdotc1HoQuxp+4mlw+Fr7uGxJT1y
cIAf5akt6ox+y/c0tOdFAPvczNirZh0j598TISFXbQtdEFG+budjBXK6peTc
ZKTlxvUSzZNterBcnjmCYYsQBxUdWrsH65cb23nvJ6G9m3dgkAPnt8w8NLe/
Z4/xHAElwU1kOoyGcpG4DMVQM55ikvXSmdDQx6BU8ksUueBHR4m3mMtkjFgq
krvjr+ycEZNcOX5601dOgNZS0AIT8TFvdFPEvMIXrSKJsmXtFLIXhLckM+3v
cUoV65+V3nQpdkJGumWHvCA1HB9nCSh75R8MdlD4mc0efaM2IiElog==
=KHtU
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-04 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 4 May 2021 11:50, Arne Schwabe a...@rfc2549.org wrote:
>
> > Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
> >
> > > From: string vest stringves...@gmail.com
> > > Under Windows, programmatically retrieving the parent process ID of
> > > the openvpn instance which called a script is practically impossible.
> > > The only sensible way, currently available, is to write a PID file.
> > > This patch adds a single integer variable, named daemon_pid, to the
> > > script environment. The value of which is set to the openvpn process
> > > ID that called the script.
> > > Providing this variable via the running openvpn process is more secure,
> > > faster and far less prone to user-error than using a PID file.
> >
> > Could you explain why you need the process ID of the daemon? I am trying
> > to figure out why that is needed. I also don't understand the secure in
> > this context. What are you protecting yourself against? You are not
> > protecting your script being called from a malicious program as that
> > could lookup the PID of openvpn and just set the daemon_id variable.
>
> The reason I am using the process ID is as follows:
>
> When --tls-crypt-v2-verify is executed, it saves a file named:
> $(certificate_serial_number}.${daemon_pid}
> with data from the TLS-Crypt-V2 key metadata field, which can then
> be read by the following scripts: --tls-verify and --client-connect.
>
> The --tls-verify and --client-connect script have:
> $(certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
> in their environment and can guarantee to pick-up the correct data file.
>
> This is OK for one running server but when there are more than one server
> instance running, using a PID file becomes messy and cumbersome.
>
> The "secure" in this sense is that, having openvpn provide the PID is much
> more reliable than relying on multiple PID files.
>
> Also, while it is "trivial" for *nix to retrieve the Parent PID, under
> Windows, programmatically doing this is not "trivial" at all:
>
> PID:
> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
> PPID:
> https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows
>
> Therefore, barring any known security reasons for not providing the openvpn 
> PID
> to all scripts which it executes, it makes more sense to have openvpn provide
> daemon_pid. The only script currently missing this data is 
> --tls-crypt-v2-verify
> (And probably --learn-address but I have not tested that).
>

Due to the inordinate resistance this patch has received, consider this my
official withdrawal.  I hereby NACK.

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkZoxACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1HTQf7BSnvVR9LHZTcPyn+1oHv71TOxIMuFqckmxmQk/PZDSU+yq0h
OdjDWjSLLW/ZbQwS3Zcs09h50GEWBtUM5xoghAsBtUpGLCDMtvbU37JI/mMu
IfSI04+afMqi3xSsu1N4NMlAhVJTg2u0wfB6i46/Ltf/gLr9a0w3IAR7z1l4
Ykaxl5pBkNTZjuT6AtSVuVv8VUmr5+xQGWaUAxfPLIHeNeZGfCR7iJWd2L6L
zcnM8j3lLfzz1Tx2Ry3asVU40G6kp826F2LvuBH2mSZQeFENR/74HtAG0yY9
GcZg17oMkgBUmOZJzYupgrRwU1LFRGUIgk9ygS3Ew96M13C4lV90Sw==
=9B+C
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-04 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 20:41, Selva Nair  wrote:

> On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>



> > Due to the inordinate resistance this patch has received, consider this my 
> > official
> > withdrawal. I hereby NACK.
>
> Resistance is a good thing -- it means people are considering your
> patch seriously and are asking questions in earnest.
>
> I've had patches that languished for years and finally merged,
> without batting an eye.. Except for an occasional gentle nudge (say
> once a year), and some patience.

Selva, thanks for your guidance.

On this occasion I have been pushed to find a better way.
Thanks to Gert for reminding me about PPID and pushing my code a little further,
I now realise that I don't need daemon_pid from openvpn directly.

Withdrawing this patch seems the most appropriate way to minimize the time
wasted.

Sometimes it's difficult to see your own mistakes but realisation is satisfying
if and when you do "break on through" ;-)

R


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkbBPACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0MYwgAuFchojIT/cnf0yppB9o/WxJRZHdFaEn9jyRO+PgMYNrAJeet
QUqaCbUPZ0N5UdXnwuf5DTMYcStQpDyKnQyeB/dw0r23fmlSV69U1Vdx64+x
kjfbxl3h3miJ5yRu62YnmSCtqtiC/ErrJ1bz68RglI/aeGD4g6nPkpoHhZ/O
ix1zPxOpV+fnjEZtZfRCzNah+wa1vWyxF/UFpbIUe/pME6Y1pCGf4ZWGPFG8
qVdxSU/GwMMIaQn+Kz+iwoZDzhbkkprHGwS/yvJkEBIXOf8SspnlOOH0gJ6J
yFvxCBmaLeFUDoHhOy9JdL5toUN6hCtwu1wKPnUC3xN0IypeGdHtrQ==
=a9Jn
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-04 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 21:36, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 4 May 2021 20:41, Selva Nair selva.n...@gmail.com wrote:
>
> > On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> > openvpn-devel@lists.sourceforge.net wrote:
>
> 
>
> > > Due to the inordinate resistance this patch has received, consider this 
> > > my official
> > > withdrawal. I hereby NACK.
> >
> > Resistance is a good thing -- it means people are considering your
> > patch seriously and are asking questions in earnest.



And this resistance was indeed not futile.

I have discovered a flaw in my logic, which is so insidious, that it may
bring my entire house of cards down .. I just F000M'^~,.ed myself .. arse!

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkcFnACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3msAgAsoR4DghKD6z/et3JYXabmsGny+5/hu48E1FMXGUH5cB/cWpM
5P+KL3Kr3D7MkemqbHvvapQQKn0DCA+Kt056fqQI8h9fc8vhJKLYAxFD4M8E
b60H8+/K5bSwUxVkH4X6jW8m/HJ16q8fBrTSRDbZeJ4x1u1u0uxTk84WVhW2
gjued3xLGhPlkBlufYayr6LytUXN5wDEJSKLgjeROl04NlvTlDc1VCu+QREw
KnqXh1JBg9Lqo5ctmNtV6QZ8R5nx9G3cNqJ0joRQfN329H1Bp30S6iyvkBMV
/7pgCyKQ1X38D5rXNcRL/4qP0YfcSkQ43zb2dur9LtQ/wFqepKwr4Q==
=IcL9
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-05 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 5 May 2021 08:51, Arne Schwabe  wrote:

> > > Could you explain why you need the process ID of the daemon? I am trying
> > > to figure out why that is needed. I also don't understand the secure in
> > > this context. What are you protecting yourself against? You are not
> > > protecting your script being called from a malicious program as that
> > > could lookup the PID of openvpn and just set the daemon_id variable.
> >
> > The reason I am using the process ID is as follows:
> > When --tls-crypt-v2-verify is executed, it saves a file named:
> > $(certificate_serial_number}.${daemon_pid}
> > with data from the TLS-Crypt-V2 key metadata field, which can then
> > be read by the following scripts: --tls-verify and --client-connect.
>
> I can get behind the need of needing something daemon specific when
> running multiple daemon that scripts/plugins need something simple to
> identify a specific daemon. With management and a persistent connection
> that is easier to implicitly assign an ID but for scripts daemon_pid
> seems to be a good fit.
>
> So if we make that a bit clear in the commit message this gets an ACK
> from me.
>

Arne,

thanks for the feedback, I can resubmit with an improved commit message
and corrected email if required.

Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgkxVyACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0PGggAtMnaL8kv8Z2xGvqMkSr+TO7kHLWl2OoYP+o+S18NpUpQrLn1
1Yr0t2ZHjdho30l24iMsKGYAgtPwXfmNgNI+tjhb2p7URRNgkfaDDDUiTePL
hfnZnjLdmjlCIurKNnCqFsVKj92C2jQbicLcCH+504a0TeTLGmWaCYQ3/QiE
2I5CUJErNmjXrBRTeS5hB7FLSbYzbAs1AC5dU7uGSxjnhPrT1tx7An/GNAc6
HJMMBhF1if98jvPRntG6zXLTC4nIFPEM73m9oyWyrwXPql0lD8hZJ08OnpxI
YyfsH3KEFc3f6st2pmAen8o31zuDxARpYdhusqiLzqWW0WbCj1lt7A==
=ClM7
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-10 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 10 May 2021 18:29, Gert Doering  wrote:

> Hi,
>
> On Wed, May 05, 2021 at 10:00:37PM +, tincantech via Openvpn-devel wrote:
>
> > thanks for the feedback, I can resubmit with an improved commit message
> > and corrected email if required.
>
> This is how I understand Arne - he's happy with the code change, just
> wants the commit message to explain a bit better why this is relevant.
>
> So, there is an ACK-and-merge pending :-)
>

well, personally.. it's complicated..

1. Antonio's initial reluctance.

I do not believe it would be prudent to continue without his opinion.

2. Replacement method.

This is no longer required. (Thanks given to Gert for PPID)

3. Work

Rewriting the commit message to suit, plus resubmitting as a V2 .. and ..
then jumping through Google's and Git's hoops is not at the top of my list.

4. Having my user account _recently_ locked out of Trac.

I expect that I can even ''predict'' what that is with regard to.

...

For the time being, I suggest that TLS-Crypt-V2 code be left as-is,
because TLS-Crypt-V2 *has* more important issues to consider..
I would list the trac issue but #4

The impasse has been met,
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgmZY5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1sMggAnsGf77yUfrERZRY67k3zTPqRuXuVegRKSzyAlumJXaMSyY81
JMD1m3s5vQSE2EyH/b+3U0jlZIlnKTRVvLE/YJYKiEEFNm0LuWy1dc7jpdwo
vWeGI3O442zngXzk4SRnHRNP1e11jwPtlh3zZevlMHMwgzpKE+xkpT+9ySIP
bGNyHO25odJy4lqwpvF54C2IL9Pokh5u3/Ij7vdESE/X+WLkS/I2nPJFMkLj
ls4Hdyxfhyh/ekiVPDEkyioAEG00FqVsVYvZrMpsbu2wmwP6eX8Jk1jJVZ1i
FRyEaUVJaxzmCr1pqt8Nzu46uL4Pt3xdenxOo6O09SZzCNaPqYcsIQ==
=dlZP
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-10 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,


> 4.  Having my user account recently locked out of Trac.
>
> I expect that I can even ''predict'' what that is with regard to.
>
> ...
>

Seems I typed my ludicrously long password incorrectly..

The rest still stands.

Sorry for the noise,
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgma0dACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3aSggAs9IxRPp2KmNfmP8o16gHzMA1X7MpncTWmWHRsVsrAv7daAbg
LUX310MIqsz1tOb+dG7TqHiXjfhO7VH5L7DJfjm/zRdVIWyHBtYM3CBeleq+
zsHwOYF1k8pyRPMmOIc+mYPpXuk3hb9xvNBvLpdEBsJI7HYE9JTfaLAJNaOi
zoIWHUtcG6sc6pP0as0EDoT1kKhN0j0j/BWkxIvNMOENGCTPyHn4MX0aFmdp
Hpzva/0zHIbd5MFnDMH3v20thBOp3EhOaBxD0uXn3S4J0NxzNXeOtHaoQSFF
W9zefCIUEFxiP7yxae644Cw9FLqjSD+uRyAeJb9YkPwXVxNWJdVzrw==
=NgsE
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-10 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 10 May 2021 23:10, Selva Nair  wrote:

> On Mon, May 10, 2021 at 4:24 PM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > Hi,
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, 10 May 2021 18:29, Gert Doering g...@greenie.muc.de wrote:
> >
> > > Hi,
> > > On Wed, May 05, 2021 at 10:00:37PM +, tincantech via Openvpn-devel 
> > > wrote:
> > >
> > > > thanks for the feedback, I can resubmit with an improved commit message
> > > > and corrected email if required.
> > >
> > > This is how I understand Arne - he's happy with the code change, just
> > > wants the commit message to explain a bit better why this is relevant.
> > > So, there is an ACK-and-merge pending :-)
> >
> > well, personally.. it's complicated..
>
> I think it's a good thing to pass daemon_pid to all scripts uniformly.
> Can't think of any downside. And, on Windows it's a pain to get the
> parent pid from a batch file. Personally, I do not have a use case
> though.
>
> Selva

Trac in question: https://community.openvpn.net/openvpn/ticket/1310
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgmbIfACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2QrQgAoH7L8LCDvs8Tp9mj/VVR/aolKox2hHQJqfEcZXsEfKySmFUC
8oDFY9bnlOiGg1LhEaLIITXkYlW2aTB11Sm1DE/hYy1MK/IxByzwRa1AJyCk
6TJtmoiMl7Inwxz6z/IOCpSDCdOR+/i+BXaXx8pJujn7omr9Vprgkku78I6s
2unDfIycBWwMD78pCULJvqnOPzCM5TkA82x6WdcpJykLaeOOX+do7CrkNmxC
s9Hfl7duiqGgSCLAZOZv71CwvyoJYorHpO6yhB+UxikhszFANXRCEU4AXoqR
jRL8yH7ouz92mR9vospC39lwAMJGthBQ85l8Sj5ngaiVrvBj3qfh6g==
=WQSw
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

2021-05-11 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Tuesday, 11 May 2021 07:02, Gert Doering  wrote:

> Hi,
>
> On Mon, May 10, 2021 at 06:10:33PM -0400, Selva Nair wrote:
>
> > > > So, there is an ACK-and-merge pending :-)
>
> [..]
>
> > I think it's a good thing to pass daemon_pid to all scripts uniformly.
> > Can't think of any downside. And, on Windows it's a pain to get the
> > parent pid from a batch file. Personally, I do not have a use case
> > though.
>
> This was about the thoughts Arne and I had - if we have daemon_pid in
> some places, we should have it in all places. And, on Windows it's not
> as trivial as on Unix...
>
> (Out of interest: is there a way at all to get the ppid from a batch file?)
>

This is what I found for PID/PPID in batch:


PID:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
PPID:
https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgmmV+ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0BCgf9Ffzik7MJhQtRjPBc2L/ZCpcQxLJJTHSB9c//g0YetY2/hEyG
ReuEW9G7AnSoZTPep8Xt502rPJZtyxut3kmY79J9Pt/NTD7siV4+f4ZUg24V
lPDqWpsVhqD0EeeiPqWa/6OhZWmgT4qXMnYyPznCHdzYlcjYAZARJB4EWeE6
baf6RQFfJ1cjhNY07jaeMJi3SW72J5RjdlLFPfKITfrPgIuzFhFc6rvmyplU
Sz41k1Bd1QprZwIGE7JiZDLajOmYkmGUaqXQ6AoLWmTZJACNFDKyQZYXs7lY
wwoROF6u14vxLh2TeQ1btfuxnGUs2HhpqZX80TrxAm80EQyBrnJ5bA==
=17mP
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-13 Thread tincantech via Openvpn-devel
e:``
>
> -
> -   After adding two clients the part of configuration would look like this:
>
> -
> -   ::
>
> -
> -
>
>
> -
> ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
>
>
> -
> 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
>
>
> -    
>
>
> -
>
> +6. (optional) if the client is an older client that does not support the
>
> -   :code:`peer-fingerprint` (OpenVPN 2.5 and older, OpenVPN Connect 3.3
>
> -   and older), the config can be modified to still work with those.
>
> -
> -   Remove the line starting with :code:`peer-fingerprint` line. Then
>
> -   add a new :code:`` section at the end of the configuration file
>
> -   with the contents of the :code:`server.pem` created in step 2 of the
>
> -   server setup. The end of `alice.ovpn` file should like:
>
> -
> -   ::
>
> -
> -[...]  # Beginning of the file skipped
>
>
> -
>
>
> -
> -# The tun-mtu of the client should match the server MTU
>
>
> -tun-mtu 1400
>
>
> -    dev tun
>
>
> -
> -
>
>
> -[contents of the server.pem]
>
>
> -
>
>
> -
> -   Note that we put the :code:`` section after the :code:`` section
>
> -   to make the fingerprint generation from step 4 still work since it will
>
> -   only use the first certificate its find.
>
> -
>
> +7. Import the file into the OpenVPN client or just use the
>
> -   :code:`openvpn alice.ovpn` to start the VPN.
> --
> 2.31.1
>
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgnZQBACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ28dwgAuy7fuhyoasafHKdlfo1PENgbpA8jS+oX0+FAW0CmbZV/4cvn
7hA46fBg2ys7y1xjTLgWGDJXQx6lqSH3RJSuaCMQ4Lfu5uFQK/8FjB9nz1zu
Pe4M0mTRbenC1RdHTipH2u6wi4S3L7vV35mcCmhLmXiXNcAstJ/Ta5PfLP5u
55voFJNxicyVgCPHzTgMdY3hZWC5/s3/j5TNiuJOsS1Tge+31+7X6YfyFrJR
r2TtTD9TKZ5xuSpDZQl9iQAtzcGiaUYpYgDo/iVlkLEW8F4Uosqe698BmcI4
JuS++8adaxKJvDkbiwnqJDsK06SCHER9TIZLP51VKhRq0noiEg/laA==
=G2yu
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-13 Thread tincantech via Openvpn-devel
) if the client is an older client that does not support the
> +   :code:`peer-fingerprint` (OpenVPN 2.5 and older, OpenVPN Connect 3.3
> +   and older), the config can be modified to still work with those.
> +
> +   Remove the line starting with :code:`peer-fingerprint` line. Then

Second 'line' is superfluous.


> +   add a new :code:`` section at the end of the configuration file
> +   with the contents of the :code:`server.pem` created in step 2 of the
> +   server setup. The end of `alice.ovpn` file should like:
> +
> +   ::
> +
> +  [...]  # Beginning of the file skipped
> +  
> +
> +  # The tun-mtu of the client should match the server MTU
> +  tun-mtu 1400
> +  dev tun
> +
> +  
> +  [contents of the server.pem]
> +  
> +
> +   Note that we put the :code:`` section after the :code:`` section
> +   to make the fingerprint generation from step 4 still work since it will
> +   only use the first certificate its find.

its find -> it finds (move the s)


> +
> +7. Import the file into the OpenVPN client or just use the
> +   :code:`openvpn alice.ovpn` to start the VPN.
> --
> 2.31.1
>
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgnZ7BACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ06Qwf+KUQVSE5cElO0CD+IfIWRzSCXEeb6pjUXPi29iHn2ZEhwU60N
SrDKGxB7SFEGG6RZsEN39Hky9yArMQneSbktQ8lr5P2+QuBdki3wySWvqabo
6hakuOAXUCeCgj5I2X3BHv9Bz33toXD5JVyVwrrZ+bO5dBNE/Jtzycaa3HCg
Hx2wY02RVIG6SHUAOJJv3LuRIt6pXvRO1BHXcrSy93tlBE1CHeZ+XGVjdj5W
0R2VXrRToQQdJ3AjI4YkKgIaze9KSXNgfwE9IBB5gmYf4Nk3Gkej1OKSgVKs
vwOZ0jwXIou0JiN8UHmVJEz4s/WfOwH2Zl2Hb6zmZmujOL5W8kI0Kg==
=RSkh
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-13 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

missed one..

‐‐‐ Original Message ‐‐‐
On Thursday, 13 May 2021 22:48, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> I used sed to create my own reply ..
>
> comments inline.
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
>
> > This is meant to give new users a quickstart for a useable OpenVPN
> > setup. Our own documentation is lacking in this regard and many often
> > tutorials that can be found online are often questionable in some
> > aspects.

many often tutorials -> many tutorials (extra 'often')


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgnaAYACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0jjwgAygbBIeAgigR5msWnDad8NZboh62d7CDlMMEJGQBm5AU54R28
IYQInLl4LoRx4oFiMQ6aDUzSbkc3dHwnPIDxhEJkh+Js36GOEOBEaOlnPCSq
lZQEX0l3scOuBdgSXpqYQkysOySnyqxbiTPR+dVZ1h5PsFTMsSFSD/w93n5y
v+pNi4zXy5fae07dJeQCRCermE+FeRwK8jdGVpUS6awE2q87pcZ7rAF6E13s
T7WCEkvZt0baK/gInoa5Yv7EcodtJX02uL+A+zfLltg7rgZgrB+Fv7ld3LHo
X1dHTBDBhCrGANJP/rRwL/D+zzrqCAdR+onSqaH6esaa/nfAAi2Asw==
=LDsm
-END PGP SIGNATURE-




[Openvpn-devel] Feature request - Allow comments inside markers

2021-05-17 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I think it would be useful to allow comments inside the markers.

EG:


# alice
67:1F:A5:CA:26:98:BA:40:D9:EB:6A:5B:C1:64:8C:8E:66:6E:7A:22:26:73:96:6A:5E:9B:B3:17:8F:F8:C6:9C
# bob
55:B6:3F:AD:BC:A0:8C:EF:00:B3:2F:A5:46:46:83:82:6F:34:86:8D:23:2B:AC:79:39:E2:26:0B:FC:1A:86:38


Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgooRFACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2Gxwf+MZsFJKL83UScncpqzPDid2nJnp685JBqS42dmE+XPADUrinU
ymZA000r8Q4aqgU/1Ml5TAkFT9yAVUEJK4HJVLenpyL2lP3y2Fel7Wy66caZ
K+zUyX82JpBVSyh6O5DwoaEnKG5Er86So4bVrfFvEgYv6xO5eWHaEWfQPwTD
6zw6k5OimLaj+KTPaoL0rDuEt0uTyhAcWFkHmkzskNtNaowNo/u3P5zfT49o
ct/9/GpDUx0nY0D6MfM88SIYjcegoaCdVdY0OHIer2sxoRCnDk4r6jgdOj1I
67B/HdKHXSng6sJfRp2teyxFp6+mCsqDdtOjTotZv7rT5+xDA6EGlw==
=5Phv
-END PGP SIGNATURE-




Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-17 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 16:31, Gert Doering  wrote:

> Hi,
>
> On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote:
>
> > I think it would useful to allow comment inside the  
> > markers.
>
> I've run across this as well, and share that sentiment. It would be nice.
>
> That said, I'm not sure how easy it is to implement (the inline-config
> parser is used for all inline stuff, not only for peer-fingerprint).
>



>
> As a workaround, you can put "per user" peer-fingerprint lines into the
> config:



>
> the config option - and the inline block - can appear multiple times.
>

Ah nice, I should have thought of that myself !

I can't think of any other reason to allow comments in other inline sections,
and your workaround is perfectly suitable for small setups, so consider this
resolved.

Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgoo8lACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ36hQf+Iv76yenMrNbvyi32egQsvjGnIEEHekVr1YLjkm935asSF9NW
7Pe0XsGhcbcVgupPPhYo+KsfX0wnAEmVClDSn6r2jZQ9r5/DFoBHP2fst7UA
qPZs5EgLXcaNiBLI3gY6yxaxxrqCiAb4LEoHxdaO4sWGoYUnZxly3H/dkLgE
NEdxTarhBYPd0Rr5hg0pXIsz+RTGo/Eb/fzqRN7HzZdgk3isVPhtzm0a3tJM
YhPpa8KOuRh23u5/gVtLsGtKP3uyIA51RD22tv+NC6QOoV32+bvIbaXS+NfN
tX2sfax7F/Tmhv6EhSWoUSe9GktQyczWGjAQF5Ajv9JkT4j1bTrgig==
=Ur8w
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-17 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 12 May 2021 14:15, Arne Schwabe  wrote:

> This is meant to give new users a quickstart for a useable OpenVPN
> setup. Our own documentation is lacking in this regard and many often
> tutorials that can be found online are often questionable in some
> aspects.
>

I believe Openvpn in standard mode (Full PKI) would reject an expired
client certificate.

Note: There is absolutely nothing in the manual to confirm this !
https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
On that page there are eight uses of the word 'expire' and they all
relate to an expired auth-token, this could also probably be improved.

However, Openvpn in peer-fingerprint mode allows an expired client
certificate to connect.

The client log *does* have a 'WARNING: Your certificate has expired!'
The server log has nothing about an expired client certificate.
And, as we all know, _who reads their log files_ anyway ?

The issue here is that, in peer-fingerprint mode, the server accepts an
expired client certificate, and the guide does not mention this change in
behaviour.


Thanks
R


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgoqTPACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ18DQgAiFbKtIV3YXi4YG3qiN429AsLyGd8FR+ysy09aNB/FM9p/70E
FgobM0x2waAWILLaNOgG/u3B8ocHa6ld0s2h0fJ7ef7FAdo4SRYbosyQFq+Q
gcv5Z8AzivkOVbK2d9kP9T9HWd4BVOtduHKg/u/pwwQD7GUB4mM9HrztTzy8
X+oG6197ZZnA9jLUE+wxShttgXf1PP9q39r7gJ798kt1P0zDrtN4gjSTLp5v
JwdyxMLHnD5YdwqsW31Zu3AnYP+s12xXfq8dZtAP0JaY/qYt/FqU6t+3hNOB
PLtXCdmr53wPdrkyUOHnzLcOoF2S3M9pDLZW1/JSowginVfUpRpUWQ==
=kmta
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-17 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 18:16, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
>
> > This is meant to give new users a quickstart for a useable OpenVPN
> > setup. Our own documentation is lacking in this regard and many often
> > tutorials that can be found online are often questionable in some
> > aspects.

I think it is also worth noting that, in its current form, the
documentation given does not provide for a --remote-cert-tls solution.

I may be able to help with that but prefer to log it here first.

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgor7wACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3g5wf9EXijgq5+j38umqKpdwIeQQ1F78OeEPMi8/LAxyrGZlSJNvr+
9OIDwj9ZBE1SOY80f2AGR5tXE7Czl1VT0S+CPcrVnaKadR5dfNB3HpVShOWY
sFPvmjzY++U0Jmw6/vsV09SCigBv85DU2s+VYmwoBwgq08vc28WvKXPY6DJl
PxmePhpVbsV/5uZAw+3MismpvPvw7hzDmEEKtZLeqduLFGx9l0D7Apeq+d1Q
4348BdmeZFaIjk6sKBW45akIjxeLN3wejfp0hUFBYrITVs8ssQUbQUc9uDDu
CdUxMwoeu5ZhVT7TN5Rh2iSjkFQjjsewTimGLuNr4dT+dUH3ypJvsQ==
=ql9l
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-18 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 18 May 2021 13:21, Arne Schwabe  wrote:

> Am 17.05.21 um 19:16 schrieb tincantech:
>
> > Hi,
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > This is meant to give new users a quickstart for a useable OpenVPN
> > > setup. Our own documentation is lacking in this regard and many often
> > > tutorials that can be found online are often questionable in some
> > > aspects.
> >
> > I believe Openvpn in standard mode (Full PKI) would reject an expired
> > client certificate.
> > Note: There is absolutely nothing in the manual to confirm this !
> > https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> > On that page there are eight uses of the word 'expire' and they all
> > relate to an expired auth-token, this could also probably be improved.
> > However, Openvpn in peer-fingerprint mode allows an expired client
> > certificate to connect.
> > The client log does have a 'WARNING: Your certificate has expired!'
> > The server log has nothing about an expired client certificate.
> > And, as we all know, who reads their log files anyway ?
> > The issue here is that the server allows an expired client certificate
> > to connect and there is no mention of this change in behaviour.
>
> Yes. We just trust the fingerprint of the certificate. The behaviour to
> ignore expiry is a side effect of that. It is kinda designed to be this way.
>
> Arne

The change itself is ok, I just thought it worth mentioning in this guide.

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgo76EACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1pAAf+M7BWGoMLjSdhrcfokV0mu9M8eND0XF7AvEI3d+DQEGqJ2S9I
l6aVCCXsIKi1m/fJbYSYROhD7zvKj3i1KQebXxUTTonmlhEIMLhXnzHmdAPH
Owh3Ixpf284NMTcjZgcQAhGcLdlMeVpykJrIIx4lpR75u0+FV6STUmtIgG2Q
gWOi4OduA5gNJanu4BlF/7JCHNXSQvHQ5yrSGBrRdT2kIIGnrHSYfmUz1Jq4
v0AHQP8aTFD6sUaYw2j0nRGKj43rAmV+yyx2oLU1/6jbiBl5wq25fgNi3cCa
22HuxRP1SsbSf5PoWbUyZmXagpnHKRmgj42DkMn3pMTLjGnDD6NmVA==
=Fotu
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-18 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 20:07, tincantech  wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 17 May 2021 18:16, tincantech via Openvpn-devel 
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Hi,
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > This is meant to give new users a quickstart for a useable OpenVPN
> > > setup. Our own documentation is lacking in this regard and many often
> > > tutorials that can be found online are often questionable in some
> > > aspects.
>
> I think it is also worth noting that, in it's current form, the
> documentation given does not provide for a --remote-cert-tls solution.
>
> I may be able to help with that but prefer to log it here first.
>

If/how you choose to document this here, I leave that to you.

I have expanded easypfp to create either Server or Client certificates
by adding X509v3 Extended Key Usage: TLS Web Client Authentication and
TLS Web Server Authentication as optional extras.  All tests passed.

https://github.com/TinCanTech/easy-pfp

Thanks
R



-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpAgIACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2goggAsxXM0nhW/aKCPi5ZiAgn4ZwSXwDuCQRU/G5Ff57RKfdiPjim
ZWyWtttrUBlyBNRKUzKVoMbiAdXuf8WIUIgx11SqG0ZrJEbzvyhN6rcsCX33
6c6C2EPFriFwtMDjyiBiS4OtxKVs/L/GpbjfbxU6oPvQfQLVs/licvPOOHGs
xAFXMOF8COPvcANstUUFzr9BTq7kc6KUzaI01zrBkDAh7zRapHupo6wiPrjB
xRuhWnwV8dGxaeDNoxB7VXAqbWaPQFCsxc+gt9wPlFcG28Y0Ct1ME1MIIKKc
+w6+wzEgGq01OTKFIzKJ6CVjIVUTziHZ65nsmHd/JqXOWZ146ZXJ5w==
=+xAi
-END PGP SIGNATURE-




Re: [Openvpn-devel] Summary of the community meeting (19th May 2021)

2021-05-19 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 19 May 2021 14:31, Samuli Seppänen  wrote:

> Hi,
>
> Here's the summary of the IRC meeting.
>
> 
>
> COMMUNITY MEETING
>
> Place: #openvpn-meeting on irc.freenode.net
> Date: Wed 19th May 2021
> Time: 14:00 CET (12:00 UTC)
>
> Planned meeting topics for this meeting were here:
>
> https://community.openvpn.net/openvpn/wiki/Topics-2021-05-19
>
> Your local meeting time is easy to check from services such as
>
> http://www.timeanddate.com/worldclock
>
> SUMMARY
>
> cron2, dazo, d12fk, lev, mattock, ordex, plaisthos and syzzer
> participated in this meeting.
>

>
> 
>
> Talked about removing --no-replay option. Noted that it was to be
> removed in 2.5, but we backpedaled on that decision and forgot to change
> our documentation. It was also noted that that option changes the wire
> format.
>
> Noted that --cipher none --auth none and --no-replay are quite
> intertwined. Getting rid of these options would be good from security
> perspective, but it was also noted that plain-text OpenVPN tunnels do
> have some advantages over the alternatives like GRE tunnels.
>
> Summarizing the discussion:
>
> 1.  OpenVPN 2.6: reject configs where --no-replay is used without --auth
> none.
>
> 2.  OpenVPN 2.7: remove --no-replay
> 3.  Add clear warnings to 2.5 and 2.6 about 1) and 2)
>
> Noted that mattock buildbot setup is shaping up nicely. There are a ton
> of workers and code and data are quite well separated. Mattock is now
> working on limiting concurrent builds on the docker host, then moving on
> to t_client tests.
>

WRT --no-replay

There is also --mute-replay-warnings, which you all seem to have overlooked.

Perhaps this message could be changed (crypto.c:338):
msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- "
"see the man page entry for --no-replay and --replay-window for 
"
"more info or silence this warning with --mute-replay-warnings",
error_prefix, packet_id_net_print(pin, true, gc));

Remove the reference to --no-replay soon.

Just a thought.
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpTRkACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ30bAgAk6bSZLaE73TDgkhlkhX5dTkLe6Lx4zAal1ADnS3tluqXJIlg
IP16FNKbh+ZGahCBh4ICzEJvPwbI12F+hba0QwQpQOUiN0k00yvNxGuPpc8H
q1YmasQvst4cFKJGqESR4gVe2hZx/JQT7ZLisWVPO3Je1roACOx/PNtRWG3F
36/zWFTwY7qqpbHrbfOgYV3/6hdvAArn//ki/Mu1DTPVOLu9v6n947nkcA7n
/WBGY+IUp4heUQoNmNxkbT/SokVmx6bwgvMwpAF04PKWiLwGFcKxKsRHO6yw
/AdxLouR77cRW3Jfu/WjiipXyU+H8LZAfa4UyRA2kQHf+99acRw4/Q==
=+xci
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-19 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 00:36, Arne Schwabe  wrote:

> > I just want this to be verified because the manual reads that:
> > udp6 will force only udp on IPv6, at least that is how I read it.
>
> Not on the server side. It is one of the quirks that we need to fix at
> some point. See the ipv6only option of --bind for more details

I actually checked this and believe it is a reasonable decision.
It works for me, although I was not expecting it to do so.


>
> > > -
> > > -   The ip address the server will distribute
> > >
> > > ==
> > >
> > > -   server 192.168.234.0 255.255.255.0
> > > -   server-ipv6 fd00:6f76:706e::/64
> > > -
> > > -   A tun-mtu of 1400 avoids problems of too big packets after VPN 
> > > encapsulation
> > >
> > > 
> > > =
> > >
> > > -   tun-mtu 1400
> > > -
> > > -   The fingerprints of your clients. After adding/remvoing one here 
> > > restart the
> > >
> > > 
> > > =
> > >
> >
> > remvoing -> removing
> >
> > > -   server
> > >
> > > ===
> > >
> > > -   
> > > -   
> > > -
> > > -   Notify clients when you restart the server to reconnect quickly
> > >
> > > 
> > >
> > > -   explicit-exit-notify 1
> > > -
> > > -   Ping every 60s, restart if no data received for 5 minutes
> > >
> > > ==
> > >
> > > -   keepalive 60 300
> >
> > I presume you are all sure that this is suitable for consumer grade routers.
>
> I think 60 300 is a good starting point but we might later modify it if
> this becomes a problem.

OK.
It is a big difference from the standard setting, so I just wanted to call it
out here.

>
> Thanks for spell/grammar checking it!
>
> Arne

No problem. Thanks for everything you've done too.

Richard


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpaUbACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1iEQf9HSb9ReZSAve3LfzgDNo4hb0c1mGNWSNcIQudw8fdaYc8TfjU
UD1MLdTM9CM5uuHEz3O29nyBPEjCUJS16bQ45lVtHzAbGcdzUEF9cn/gUsST
7v/3aMeFM76YSDXnI3DrA6PtlqXoWJ7K+NC3tzXb7suF3Zy0Gi8AWgJhKD8q
tXvHtXdGD9ohsZTF4yio8PWCW4n0UFPUTImndr/R8D6TRO5umhBDkmQ9fWx0
3gPN6ln9FF2bE/gqG7Sj1s6uu5OLNqJ+aswet2B22DI/7CHlgQzFC38nuy5f
CKFJ0eZnrQ8baDDOpOHlmLTarisRLcOP7rxT1qz5S6PWdGTP4+s/rg==
=VNul
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-19 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

just FYI

I was also going to question the --tun-mtu 1400 setting but decided
that was above my pay-grade.  I think it is probably a good long-term
decision that will probably invade some of those less respectable blogs
and be a good thing over-all.  I know, it is complicated !

Cheers
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpamaACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3PVQgAju8gPugglio2RQ1Qr/fcXFyq7tAQEy/njizNTIDBEAE3E1tr
J0gOsMMe1fQTDjen5DCtJEyq7pwIgMVKWw/kVP7DzOlTzC+oUb4avysoi3Ld
pUFDmJdD2eP1Ls+Ylc9O2HDlK1q8n46mUjX5Fuv1+0UN/HFUb1d7z9IgRHTf
0h+6f7dkn4z0QgFjY97esSKDu9x3ZZhhIfUPwPOUF4mLEQv+6PczpzAvm7eS
oZRr/GNjSBq1dBzzWNi80v9cv31Uxz7VTuy3ntKp5k0n80W0b93tbG0xVcu7
qi1ZCQh5VgFdh/35+7uwsJkpA9Eoc+ijFqV1+gz1+FekdRAmO1iCpA==
=rh5B
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-19 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

missed another one ..

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 01:13, tincantech  wrote:

> Hi,
>
> just FYI
>
> I was also going to question the --tun-mtu 1400 setting but decided
> that was above my pay-grade. I think it is probably a good long-term
> decision that will probably invade some of those less respectable blogs
> and be a good thing over-all. I know, it is complicated !
>

How would that affect the default --mssfix ?

Swings and roundabouts
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpa+8ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1f9Af/ZxK/IusDe82uZsnlZXlRAJElzyamWPA+Splu+nOoUVQhSjah
eyc6YqM4+FNNP6dyZxVELT0RKC5p8c7KUEqFzay+2nflnwALDu9m5ak4WVyb
EFmXPFctfu1myCdqZ70705DhfORainxI7tLrbzTwLMeZMH1xPJ9IszBE5wqb
nUcBO1B3g+E01b/cF9GL6wHF32kW9BH5uc+0A1mb4/3+iO83VP3nUnKBm+sj
pZUR4G3VpgLzyc1ymIkxQIxsas1f6M3r8qvBI+ol1F1YkZJXy76Piuh7I5rF
0fYcm0jtxKmf/ETHPIQFL6J3N2zrar8+kazS0GRW9hPLPfqODXqqDQ==
=I3MI
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
older client that does not support the
> +   :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3
> +   and older), the client config `alice.ovpn` can be modified to still work 
> with
> +   these clients.

This doesn't seem right.  Do you mean ?
"the client config `alice.ovpn` can be modified to still work with *new servers*"


> +
> +   Remove the line starting with :code:`peer-fingerprint`. Then
> +   add a new :code:`` section at the end of the configuration file
> +   with the contents of the :code:`server.pem` created in step 2 of the
> +   server setup. The end of `alice.ovpn` file should like:
> +
> +   ::
> +
> +  [...]  # Beginning of the file skipped
> +  
> +
> +  # The tun-mtu of the client should match the server MTU
> +  tun-mtu 1400
> +  dev tun
> +
> +  
> +  [contents of the server.pem]
> +  
> +
> +   Note that we put the :code:`` section after the :code:`` section
> +   to make the fingerprint generation from step 4 still work since it will
> +   only use the first certificate it find.

Forgot the 's' in finds ;-)


Hope I'm helping
R



> +
> +7. Import the file into the OpenVPN client or just use the
> +   :code:`openvpn alice.ovpn` to start the VPN.
> diff --git a/doc/openvpn-examples.5.rst b/doc/openvpn-examples.5.rst
> index 988b6027b..0e1b6c4f6 100644
> --- a/doc/openvpn-examples.5.rst
> +++ b/doc/openvpn-examples.5.rst
> @@ -14,4 +14,5 @@ INTRODUCTION
>
>  This man page gives a few simple examples to create OpenVPN setups and 
> configuration files.
>
> +.. include:: man-sections/example-fingerprint.rst
>  .. include:: man-sections/examples.rst
> --
> 2.31.1
>
>
>
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgppStACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2WGwgAhMxENN0Y9MYIQcTpm51WuOtHmS5yyPTH9tQjw1yPlGkXXakE
whB6vVRGZ9BDGxZFsGHxzJ8XllM1HnYROW4rpRhX2IoafW6QIaMZ33mvYVgq
rwu/JHbWktXOAzkh3z1Z7v5HCEI5LW1at8ei7+H06pUR9Eo1W6YBDa0nP7Ni
AAoik9/cEv1l/7V4pHhBklyydqoUVAPNXP5lOy6NoqKJYkRQOH98BeA+Tctm
BaxzC+XFNYMO+khkvSeLNRG0l1coc825VPbwMdmInqlW9f+u5jgh3e9ka6sW
UmIEmODei6zSXAChWn6OlBBJhyAMdDEYf53kKAMFf8E+2s4m1ReYaw==
=ZRj2
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 19:30, Arne Schwabe  wrote:

> Am 20.05.2021 um 18:56 schrieb tincantech:
>
> > Hi,
> > again, I do not understand why openvpn choose to switch to .pem
> > for this tutorial.  PEM -> Private Email, which this is not.
> > You have a certificate and a key and every other openvpn tutorial
> > on openvpn and probably the entire planet uses .crt and .key.
> > This seems to be a poor decision in my opinion.
>
> pem as extension for keys is pretty common and specifies more the
> encoding than the type. E.g. there is also the der encoding.
>
> Arne

I accept the principle, but openvpn *only* uses PEM encoding, as far as I know.

So, why switch to .pem when it has never been used before by openvpn?

If you are all happy to let it go that way then so-be-it,

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpr0yACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3AXgf9H+mL+H1aPZ/Gk0lTukZEP7FVXHkO2LBf49KA/YmoyhbHYAFf
sICvASsTlkA0q3wuKYzXs8bspMGiebOeqcoJi7QvJSaAq4sDLvWopz/VmN96
SmB33OnN/jYHQmKpk2qOMeZv6PyhFyjFb/3j1ymQ2zuYXh8osrSiiRHftwSx
hXg8CMyXOA0THrK6H9mnxisLuss7uhVsclwTOSKMOnRj0NiEx5tFg1itn7+u
YmRL/h2taDC6skHbF5PPfU1x/M6HtG05ZajAtNfh3bc0Zw4S7bRiEUc4+4qb
f8GEEufo2WAg4CUwaCVJ9O5pSewk48OAScHGx9RMybvfZ1X6V5xnqA==
=EBa6
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256





‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:05, Jan Just Keijser  wrote:

> Hi,
>
> On 20/05/21 21:49, tincantech via Openvpn-devel wrote:
>
> > > > Hi,
> > > > again, I do not understand why openvpn choose to switch to .pem
> > > > for this tutorial.  PEM -> Private Email, which this is not.
> > > > You have a certificate and a key and every other openvpn tutorial
> > > > on openvpn and probably the entire planet uses .crt and .key.
> > > > This seems to be a poor decision in my opinion.
> > > > pem as extension for keys is pretty common and specifies more the
> > > > encoding than the type. E.g. there is also the der encoding.
> > >
> > > Arne
> > > I accept the principle but openvpn only uses PEM-enc, that I know of.
> >
> > So, why switch to .pem when it has never been used before by openvpn?
> > If you are all happy to let it go that way then so-be-it,
>
> Hopefully this clarifies things:
>
> -   the default output format of OpenSSL is PEM-encoded ; openssl uses the
> default extension .pem
>
> -   the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> they've just been named differently by the easy-rsa tools to ensure that
> the files can be easily loaded on Windows
>
> -   FTR: nearly all webservers I have ever seen are configured to use a
> hostcert.pem and hostkey.pem and my guess is that there are (still)
> more  Linux-based webservers out there than OpenVPN clients and servers.
>
> Having said that, I do agree that after using .crt/.key files left and
> right (to accomodate Windows users) for over 15 years, it does seem
> confusing to start using files named .pem for peer-fingerprinting all
> of  sudden. On the other hand, with peer-fingerprinting you don't 
> HAVE a .crt file (at least, you don't need one, technically) but only
> a .key file. So choosing a different extension for peer-fingerprinting
> does have its merits.

FTR: Openvpn still exchanges the full certificates in peer-fingerprint mode.


>
> HTH,
>
> JJK
>


-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgptC5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2t0ggAxDZnJr8UhxV79fyAjnScANMeWbN3XZ/QqQuTsgaJp85Fibbz
weT1TfvihZ5l1rS6vh1nIDyTtoNRpqLHMxlaNWnmgN9tR4IRlQZuVR8svZl1
UYmrAm1H5g83yHef60nnIiOxGe8tnLdy/fmjqoRFsHaBwSM87zTQ8uG+UJnq
GIGhHbdLYWaH4C9SrJ+p64pZYdm3jaQpwZHdeg3rPdvHAgUixX13KWBU
J2UYseRDBLcvNfz6gAgQDtTJtdT9edH3h6m4Tyu0AsIw016hfREeNe20uzrX
uyQ6jGGovT2ki9alVN9P5v1k9uYVC0/1mYnFBLR8PI8effQd/zfLiA==
=KICZ
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:22, Jan Just Keijser  wrote:

> On 20/05/21 23:12, tincantech wrote:
>
> > [...]
> >
> > > > So, why switch to .pem when it has never been used before by openvpn?
> > > > If you are all happy to let it go that way then so-be-it,
> > > > Hopefully this clarifies things:
> > >
> > > -   the default output format of OpenSSL is PEM-encoded ; openssl uses the
> > > default extension .pem
> > >
> > > -   the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> > > they've just been named differently by the easy-rsa tools to ensure 
> > > that
> > > the files can be easily loaded on Windows
> > >
> > > -   FTR: nearly all webservers I have ever seen are configured to use a
> > > hostcert.pem and hostkey.pem and my guess is that there are (still)
> > > more  Linux-based webservers out there than OpenVPN clients and 
> > > servers.
> > > Having said that, I do agree that after using .crt/.key files left and
> > > right (to accomodate Windows users) for over 15 years, it does seem
> > > confusing to start using files named .pem for peer-fingerprinting all
> > > of  sudden. On the other hand, with peer-fingerprinting you don't
> > > HAVE a .crt file (at least, you don't need one, technically) but only
> > > a .key file. So choosing a different extension for peer-fingerprinting
> > > does have its merits.

> > FTR: Openvpn still exchanges the full certificates in peer-fingerprint 
> > mode.

> meh ... I guess it was easier to implement it that way at the TLS level...

I cannot comment on the code, but there is the case of older clients which
require a self-signed server ".crt" (Easy-RSA) in place of the CA cert.

>
> IMO that does add a "+1" to using .crt/.key  extensions - otherwise it
> might confuse the heck out of end users (like overwriting the private
> key with the public cert etc ... )

That is another good point.


> How do the examples distinguish between the cert and the private key in
> this case then?

Generally, the distinction between what is private and what is public
has not been very well covered. Other than the notable exception of
"Protect your Private CA key at all costs!"

I have included this Private v Public information in the easy-pfp output.
Seems like the only way to get things done sometimes is do-it-yourself ;-)

Anyway, all other points aside, the point is that: Changing to .pem (not PEM)
feels like an unnecessary complication.

Thanks for all your input
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgptYeACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0haQf/VyfMNC8x8r+8okE+aKW+kp+OMA58J6R7xOdv7D518BsBSJNX
BAqDiM1lalAwDvU7edKKMXhc0U2BOgMiaVOXp54jkZvXo7O5tt57A1O+tTKv
GNPzqDrhfGQRuaplHTMeiSkcWZOSmyNwIAW0vroCmiPBnGY2/F5GIL8T83Dp
qiNsST7Fug+u4nVUv/BUE2K81/B3pNz4Jy6hX2QMmq5LdRJgtNU37AAsZAQ5
Zwr4bewl/l8q36VjsX4QYNQgQekXdK8oT7LXZuqEy+tf4RnVHA8YDQZ2Ed5t
tfUUg/b02w3Ml6k9Wt3SHDgoXMAW0utUxxOWCMGVnEhuDRWg0kQ3rw==
=B+MM
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

-‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:35, tincantech via Openvpn-devel 
 wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, 20 May 2021 22:22, Jan Just Keijser janj...@nikhef.nl wrote:
>
> > On 20/05/21 23:12, tincantech wrote:
> >
> > > [...]
> > >
> > > > > So, why switch to .pem when it has never been used before by openvpn?
> > > > > If you are all happy to let it go that way then so-be-it,
> > > > > Hopefully this clarifies things:
> > > >
> > > > -   the default output format of OpenSSL is PEM-encoded ; openssl uses 
> > > > the
> > > > default extension .pem
> > > >
> > > > -   the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> > > > they've just been named differently by the easy-rsa tools to ensure 
> > > > that
> > > > the files can be easily loaded on Windows
> > > >
> > > > -   FTR: nearly all webservers I have ever seen are configured to use a
> > > > hostcert.pem and hostkey.pem and my guess is that there are (still)
> > > > more  Linux-based webservers out there than OpenVPN clients and 
> > > > servers.
> > > > Having said that, I do agree that after using .crt/.key files left 
> > > > and
> > > > right (to accomodate Windows users) for over 15 years, it does seem
> > > > confusing to start using files named .pem for peer-fingerprinting 
> > > > all
> > > > of  sudden. On the other hand, with peer-fingerprinting you don't
> > > > HAVE a .crt file (at least, you don't need one, technically) but 
> > > > only
> > > > a .key file. So choosing a different extension for 
> > > > peer-fingerprinting
> > > > does have its merits.
> > > >
>
> > > FTR: Openvpn still exchanges the full certificates in 
> > > peer-fingerprint mode.
> > >
>
> > meh ... I guess it was easier to implement it that way at the TLS level...
>
> I cannot comment on the code but there is the case of older clients which 
> require
> self-signed server".crt" (Easy-RSA) in place of the CA cert.
>
> > IMO that does add a "+1" to using .crt/.key  extensions - otherwise it
> > might confuse the heck out of end users (like overwriting the private
> > key with the public cert etc ... )
>
> That is another good point.
>
> > How do the examples distinguish between the cert and the private key in
> > this case then?
>
> Generally, the distinction between what is private and what is public
> has not been very well covered. Other than the notable exception of
> "Protect your Private CA key at all costs!"
>
> I have included this Private v Public information in the easy-pfp output.
> Seems like the only way to get things done sometimes is do-it-yourself ;-)
>
> Anyway, all other points aside, the point is that: Changing to .pem (not PEM)
> feels like an unnecessary complication.
>

I would like to hammer one final nail into this discussion.

Openvpn option names and inline tags ALL use cert/certificate for .crt and key for .key.

They do not use .pem or PEM and none of the Official online documentation,
to date, references use of a {name}.pem file, other than far-flung cases.

The files generated in this tutorial will all be PEM encoded regardless.

This is why I asked the question of why Openvpn suddenly chooses to change
to a .pem extension and add this unnecessary complication.

Real users may see this as another hurdle which they just don't want to jump.
Do you want to drive them away .. ?

As I am also banned from #openvpn-meeting, I leave this for you to discuss.

--
Richard
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpvNyACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1U5wgAza4n5mxniWpvVrkSxRCN3TEc0MEafFb+Eza0uL/l9i5tVDDQ
A4ZwjBuRGgteJzNhbe3Q+YJzZZ1hjf9k9FjPwGtnUK49IZZt8OOe60bfiQt7
aSmhKMRyZzzjRgSv6QNdPWsZEB3JceZ572+EIi5zfQmz6V1q8USsPQPaUZoa
k65YA9Z+pU6xsm1+lKMLGbi8rzIvIhNYCEIZ4pGl5OzckQP7o7JKUanhOoHH
7KrD5Nu5ad4CtgMv72RYWCbmW5vsqIcOrYJIG7mASodCTGkL2JH5F2i8fVUJ
rg5OrvVViLewxTYyGCVc+PZ7ukB6l/bEYd8efA1G4carr6+hRDTfSA==
=T6wH
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 21 May 2021 00:40, tincantech  wrote:


> I would like to hammer one final nail into this discussion.
>
> Openvpn option names and inline tags ALL use ificate .crt and  
> .key.
>
> They do not use .pem or PEM and none of the Official online documentation,
> to date, references use of a {name}.pem file, other than far-flung cases.
>
> The files generated in this tutorial will all be PEM encoded regardless.

One final blow to the nail:

There is still the outstanding problem of --remote-cert-tls
which this tutorial does not discuss or solve.

The user log will show a WARNING message which they *cannot* solve
by means of your documentation.

--
Thanks
R

Unfairly banned.
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgpvv5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2gkQf9FDId8dPnTrdC4+UHLhFOJOAYelk9SDQ1a3PSVhbag2ZO2FvM
3pCKfqdqSB0zYuu3rXBSdBoToovKw2Zc+8tnF8MaH6Oqm5+cmnRDfc03ZfDs
auqD04xIACnt3cPYAXXU+qXxGC8GpwLiUlEIEzlTcTsBrZyLMJhMPx146Dpe
MNRQtmYW+FqJfYHO7OscIb1uwUQ4WeWLY+76GkqhRMSPY6hrZ6CRU9htSdoU
w+B7KOGCKVE/FsyABNOz4IRNdnM3FMzvAvRD0UcOxJnmz/2BjImP6qNa7D0f
VGyg1kvnYQViVOOjE17ejvqbnLcRJRD53gRJcHpb/45UbVWNjSq04A==
=C3te
-END PGP SIGNATURE-




[Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode

2021-05-24 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

Is this expected ?

Server log:

2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT OK
2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate 
extended key usage
2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU (str) 
TLS Web Client Authentication, expects TLS Web Client Authentication
2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
 * EasyTLS-verify => CN: cli-arch-v21x connection allowed
2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, 
CN=cli-arch-v21x
2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, 
CN=cli-arch-v21x
2021-05-24 14:58:03 us=573911 10.10.201.226:60276 VERIFY KU OK
2021-05-24 14:58:03 us=573928 10.10.201.226:60276 Validating certificate 
extended key usage
2021-05-24 14:58:03 us=573939 10.10.201.226:60276 ++ Certificate has EKU (str) 
TLS Web Client Authentication, expects TLS Web Client Authentication
2021-05-24 14:58:03 us=573948 10.10.201.226:60276 VERIFY EKU OK
 * EasyTLS-verify => CN: cli-arch-v21x connection allowed
2021-05-24 14:58:03 us=588472 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, 
CN=cli-arch-v21x
2021-05-24 14:58:03 us=588508 10.10.201.226:60276 VERIFY OK: depth=0, 
CN=cli-arch-v21x
2021-05-24 14:58:03 us=590929 10.10.201.226:60276 peer info: IV_VER=2.6_git

Client log:

2021-05-24 15:06:44 us=111054 TLS: Initial packet from 
[AF_INET]10.10.101.101:17332, sid=ae12d90b 6b413bf6
2021-05-24 15:06:44 us=120475 VERIFY KU OK
2021-05-24 15:06:44 us=121197 Validating certificate extended key usage
2021-05-24 15:06:44 us=122354 ++ Certificate has EKU (str) TLS Web Server 
Authentication, expects TLS Web Server Authentication
2021-05-24 15:06:44 us=122737 VERIFY EKU OK
* TLS Verify Script OK
2021-05-24 15:06:44 us=130217 VERIFY SCRIPT OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=130598 VERIFY OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=131581 VERIFY KU OK
2021-05-24 15:06:44 us=132268 Validating certificate extended key usage
2021-05-24 15:06:44 us=132828 ++ Certificate has EKU (str) TLS Web Server 
Authentication, expects TLS Web Server Authentication
2021-05-24 15:06:44 us=133364 VERIFY EKU OK
* TLS Verify Script OK
2021-05-24 15:06:44 us=137990 VERIFY SCRIPT OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=138614 VERIFY OK: depth=0, CN=srv-wiscii-v21x


Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgq7M5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1+vAgApEpHTOh5m9D706+WEOMvXq6PiKxfLnnjowOMLS1ut+ts0Kj6
8JHutbqJarT+0rhiezfDlKqqdXrDLaW/5bfF0M0f9J8+BgZNGIKXSM2Tp39f
lSqJIF0kMdD/RQKYxGu5TaO3eLaaWTBbEdkyAHa+t74E7fIiTtxEdvgqVkWm
423h3PSsdnHcOaCQkM7KOGilmpq+Wz/5KEtjVlzhKyfscqtw3RUvtFgKOXYj
p+axmfzY1aqkQNQTz98nC4w06Vao7XUSQtjWYfznVdDd8rP/hHmWDwLtYNyR
yQnN+iPHg5JsAdmrQ+6m99bX+C8btSHUPfN/0jAifkZjmEwP/I9ckA==
=cwb8
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode

2021-05-24 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 18:39, Selva Nair  wrote:

> Hi,
>
> On Mon, May 24, 2021 at 10:09 AM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> > Hi,
> > Is this expected ?
> > Server log:
> > 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY 
> > SCRIPT OK
> > 2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate 
> > extended key usage
> > 2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU 
> > (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
> >  * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: 
> > depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, 
> > CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573911 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=573928 10.10.201.226:60276 Validating certificate 
> > extended key usage
> > 2021-05-24 14:58:03 us=573939 10.10.201.226:60276 ++ Certificate has EKU 
> > (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=573948 10.10.201.226:60276 VERIFY EKU OK
> >  * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=588472 10.10.201.226:60276 VERIFY SCRIPT OK: 
> > depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=588508 10.10.201.226:60276 VERIFY OK: depth=0, 
> > CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=590929 10.10.201.226:60276 peer info: IV_VER=2.6_git
>
> This looks like an unintended consequence of how and when OpenSSL
> executes the verify callback. If there are no verification errors, the
> callback is called only once for each depth with preverify_ok = 1.
> When there are errors (as is the case when CA is missing), for each
> depth and each error we get a callback. (Ref: OpenSSL docs on
> SSL_CTX_set_verify).
>
> Even for self-signed certs one would get a call with an error saying
> certificate is self-signed and then possibly another call with
> signature verification success. For a cert issued by a CA, one would
> first get an "issuer missing" error followed by a "signature
> verification" error and no success calls unless there are intermediate
> certs.
>
> This was not an issue before fingerprint support. In that case we do
> not proceed further when OpenSSL reports a verify error.
>
> The easiest option for scripts may be to be prepared to be called
> multiple times with the same cert and same depth -- i.e. the script
> must be idempotent and must not treat each invocation as a distinct
> peer or connection attempt. I think we should export the verification
> error-status to the env so that the script could make a more informed
> decision.


Note: In the logs above, the --tls-verify script is executed *before* the
OpenVPN/OpenSSL verification, so exporting the verification error-status to
the script's environment seems unlikely to be possible.



> Our internal callback is not meant to be executed multiple times with
> same depth, but the side effects appear to be benign -- like repeated
> VERIFY OK in the logs.
>
> Selva

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgq+wRACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3oqQf9ELeVXn5uhviySVqMzIRyCKQAY9zMrdvFSLgNcEOJbiBYcv6Y
WIzDoVfODy0jGIx44dsjODw2jM9hWP27FSj/uG8RuTCv7gmO/zDvJIKL6qEn
EcpnLxLBvyJcfu7zfW80kBNhYcHyys3DSSL2khtzbT+75OM3Kvo7pUNJUAhl
czUF07j7o8KmUGq2wB8E70Y7i+U07j2Dcs0+oDRhY3hBsnHHmWPSm32fBPLZ
uSbRPm4btNe4a/R83uMRkWTgL1U/2dTKKPb3PyVE7bGWfeB5BmkuUQsPx5q6
bofIkWaDYG+1pW6nyTxMZ2drihC2c9vA/OHmLG6HUYxBIaYPW/JZLQ==
=s/jt
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode

2021-05-24 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I may be wrong but this is the order as it appears to me:

‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 18:39, Selva Nair  wrote:


> > Server log:
> > 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY 
> > SCRIPT OK

--tls-crypt-v2-verify script

> > 2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate 
> > extended key usage
> > 2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU 
> > (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK

--remote-cert-tls client

> >  * EasyTLS-verify => CN: cli-arch-v21x connection allowed

--tls-verify

> > 2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: 
> > depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, 
> > CN=cli-arch-v21x

Openvpn/Openssl verify


Then it repeats.


I just wanted to clarify that and I may also be wrong in my understanding.

R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgq+5zACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ23wAf9GluCVmrwY47qboOJX79NMSJ9Q0aVy7Q7F+rkwDwTwxkGA6zd
2wi4Q9NNgNd+c4Y4nEd6gtCFgYWDN5ScFi4xfwla1rmCWn2jom/HpNGC8i6D
IZHpOEuW1qQFV7iNOB3VoVggOiuUteChJ55RE380R3RvMypJDxo7wQIU5hak
xAiTqbvYYmNfTKFUN4GSxn+6ioGIc+KtQsr0P/VWslh6Cg8cGmfJoK1RhSfs
i1J/MtiGiuRY/2bpZBwo1G2P1gQgbIKtoZyBzjwxCivOAM34RLz3vszNm3hj
9g44xzJze5n7i9FK9uRZIm8hyJM34frpk2qimuIQTKrqDUin1Z/L2A==
=rUbS
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode

2021-05-24 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,
‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 21:43, Arne Schwabe  wrote:

> Am 24.05.2021 um 16:07 schrieb tincantech via Openvpn-devel:
>
> > Hi,
> > Is this expected ?
>
> I might check whether it is even a good idea to allow tls-verify and other
> verify options together with peer-fingerprint. (You could implement
> peer-fingerprint with tls-verify as well.) Since we haven't published 2.6
> yet we might just make the combination very limited to avoid allowing
> all kinds of crazy combinations and having to support those.
>
> Arne

Posted in -devel not -users for that very reason.

I am not questioning the code, only bringing you test data.

Thanks
R

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgrDE5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3xZwf/cgA0qvrIM2XUNnXWE9VcR98jeGkFh10rmucI5QlApd+78v1w
uCv/2udPYrJVD2gcsy59nT+tyNcTaewv4WM7x6P9dh5fSvQaX58yZSn1kbV/
wva46qCRYIUDTA9833gNCjkvdDSdCSJPiTYYBDqE/LABAmVqUdGlP4mlqcv3
Ls+9/bEpGkeiqUC53vazWIBWQfeogGin6d0TUel2rV7wm/hB6Luo13K5BTsK
vDuTorFUUft7pPVjTsjo19Q5zVDj3No30xhOKJGGINg16Q5xeH5hfQzJw5QK
KZvplCjUgKAeJJX+Zx6DnDv/i07ISWBpSw5/9LK6LRd9fRHUTAgA9Q==
=BDnA
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 1/2] Improve documentation of AUTH_PENDING related directives

2021-06-02 Thread tincantech via Openvpn-devel
>
> -
>
> -The format of EXTRA is similar to the already used two step authentication
> +The format of {EXTRA} is similar to the already used two step authentication
> described in Challenge/Response Protocol section of this document. Since
> -most of the fields are not necessary or can be infered only the 
> -and  fields are used:
> +most of the fields are not necessary or can be inferred, only the 
> +and  fields are used:
>
> CR_TEXT::
>
> @@ -707,7 +726,8 @@ and  fields are used:
>
> : the challenge text to be shown to the user.
>
> --
>
> +The client should return the response to the crtext challenge
> +using the cr-response command.
>
> COMMAND -- client-deny (OpenVPN 2.1 or higher)
>
> ---
>
> @@ -925,17 +945,18 @@ To accept connecting to the host and port directly, use 
> this command:
>
> COMMAND -- cr-response (OpenVPN 2.5 or higher)
>
> 
>
> -Provides support for sending responses a challenge/response
> -query via INFOMSG,CR_TEXT. The response should be base64 encoded:
> +Provides support for sending responses to a challenge/response
> +query via INFOMSG,CR_TEXT (client-only). The response should
> +be base64 encoded:
>
> cr-response SGFsbG8gV2VsdCE=
>
> -The document is intended to be used after the client received a
> -CR_TEXT challenge (see send-pending-auth section). The answer is
> -the answer to the challenge and depends on the challenge itself
> -for a TOTP challenge this would the number encoded as base64 or
> -just a string for a challenge like "what day is it today?".
>
> ---
>
> +This command is intended to be used after the client receives a
> +CR_TEXT challenge (see client-pending-auth section). The argument
> +to cr-response is the base64 encoded answer to the challenge and
> +depends on the challenge itself. For a TOTP challenge this would


Insert "be" after "this would" (Otherwise it is a bit Yoda)


> +a number encoded as base64; for a challenge like "what day is it today?"
> +it would be a string encoded as base64.
>

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgt1K5ACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3QkwgApXDMefVrhrU2V5ncU6JZQTxmjMRP7/jOaJD0SvphieaxXYu/
KKoBXFlCqdeTjJm8cHaKcZcmQiV020PKRSDvn787ZCr4oJFDH+aUB+MjgouN
IlRF2nlAN/rYR6Jjda781wKYcuKSfk/E7hhDNvrgO6+svyVZq6fgnzMoi8Ov
mUvhRjBkN8YbHI4fsDlG1IvtYX29lWI8iGRSMv8eriYTk/ljhCiIFW+/XmPl
57bKjkh4t7BwFf+98TM3C3YX5EvOOq3wGUAdZwrfZ1LrxpB+HQPGixV4TD+t
h9QPsCVzidyTmYfUkZw3AI/OST1L35F0ny1+10jUl00uifHgrNDZIA==
=fKES
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all

2021-06-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi

text corrections.

Sorry about protonmail making '+' to '-'


‐‐‐ Original Message ‐‐‐

On Wednesday, May 12th, 2021 at 14:15, Arne Schwabe  wrote:

> Signed-off-by: Arne Schwabe a...@rfc2549.org
>
> doc/man-sections/protocol-options.rst | 5 +
>
> 1 file changed, 5 insertions(+)
>
> diff --git a/doc/man-sections/protocol-options.rst 
> b/doc/man-sections/protocol-options.rst
>
> index 4b6928c68..34d4255ee 100644
>
> --- a/doc/man-sections/protocol-options.rst
>
> +++ b/doc/man-sections/protocol-options.rst
>
> @@ -96,6 +96,11 @@ configured in a compatible way between both the local and 
> remote side.
>
> other variants always add one extra framing byte compared to no
>
> compression framing.
>
> -   Especially :code:`stub-v2` is essentially identical to no compression and
> -   no compression framing as its header indicates IP version 5 in a tun setup
> -   and can (ab)used to complete disable compression to clients. (See the
> -   :code:`migrate option below)
> -   If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty,

Re-write:

The :code:`stub-v2` is essentially identical to no compression and
no compression framing as its header indicates IP version 5 in a tun setup
and can be (ab)used to completely disable compression to clients. (See the
:code:`migrate` option below)
If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty,


>
> compression will be turned off, but the packet framing for compression
>
>     will still be enabled, allowing a different setting to be pushed later.
>
> --
>
> 2.31.1
>
>
> Openvpn-devel mailing list
>
> Openvpn-devel@lists.sourceforge.net
>
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgz4RlACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ17fgf/SKzw7gpopswKR35nFGEW9F2hR7FMgKX7xBkhWLLUlENrD/Eq
LvQ39Y7+CK0+19MIJHed4hgSaBx4MK3Eb28XHMsm6y9Vz8lfM9/IeXsS3uXy
Ip9nCy4EpzPc62FWb93ysXyXRNS8GkYvZX50Oh3xV7glZMEwA5q7UGhRLsJY
3orWsnpT0PUTjrwB4Nm8ZDprXUEU1tsefTJn/HnbOzwlrCAa+b/W3xP8F7wn
YO4+bU3XP137bEV7t0FaB0qpTKXB2X+5j+A46T3jVjLOjHKSQipqgqSY0j5j
TJvwi5mjw0zaWCkFKBlrhp2f4Ybztd6OSB/JguxLE+jPkkWvEoRV2Q==
=ms4h
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all

2021-06-20 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Ignore me .. this has been applied

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Sunday, June 20th, 2021 at 19:09, tincantech via Openvpn-devel 
 wrote:

> Hi
>
> text corrections.
>
> Sorry about protonmail making '+' to '-'
>
> ‐‐‐ Original Message ‐‐‐
>
> On Wednesday, May 12th, 2021 at 14:15, Arne Schwabe a...@rfc2549.org wrote:
>
> > Signed-off-by: Arne Schwabe a...@rfc2549.org
> >
> > doc/man-sections/protocol-options.rst | 5 +
> >
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/doc/man-sections/protocol-options.rst 
> > b/doc/man-sections/protocol-options.rst
> >
> > index 4b6928c68..34d4255ee 100644
> >
> > --- a/doc/man-sections/protocol-options.rst
> >
> > +++ b/doc/man-sections/protocol-options.rst
> >
> > @@ -96,6 +96,11 @@ configured in a compatible way between both the local 
> > and remote side.
> >
> > other variants always add one extra framing byte compared to no
> >
> > compression framing.
> >
> > -   Especially :code:`stub-v2` is essentially identical to no compression 
> > and
> > -   no compression framing as its header indicates IP version 5 in a tun 
> > setup
> > -   and can (ab)used to complete disable compression to clients. (See the
> > -   :code:`migrate option below)
> > -   If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty,
>
> Re-write:
>
> The :code:`stub-v2` is essentially identical to no compression and
>
> no compression framing as its header indicates IP version 5 in a tun setup
>
> and can be (ab)used to completely disable compression to clients. (See the
>
> :code:`migrate` option below)
>
> If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty,
>
> > compression will be turned off, but the packet framing for compression
> >
> > will still be enabled, allowing a different setting to be pushed later.
> >
> > --
> >
> > 2.31.1
> >
> >
> > Openvpn-devel mailing list
> >
> > Openvpn-devel@lists.sourceforge.net
> >
> > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJgz4cFACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3SOwgAmIYtimEns1a2LT4CwKUU3lfhXEr2IHvNCZGbTl56p7FYgsVe
L3my1KclB/z6NVPydgBs/FAowSPOnWWoaWuh/+eMo1O8+nfA7+5YhNTL6Hyn
pRKJDJ6trAWXlGQm8N1kzRKUCjrDkPzFKoKsQvXgmjypQeyfwVLL4gJ+XQFk
gsP3gve88tb/q8F5FJfPcuM2NrNsLN0c+f4CKlfb6sr/U7ALp7Rf00hQ71CV
28RSZir15r+aahRmJs6SWng0K5gpN50Ed9PICBYQNmsQSqVAg6f2n1OA3ACQ
C68i58Vv85ElzG2VRymSzWAHdzA/KFM3qaKCnEZyviTkB00rbgWm0g==
=1Bdk
-END PGP SIGNATURE-----




[Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility

2021-06-30 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

the openvpn-server systemd unit file currently makes use of PrivateTmp=true;
this gives the openvpn process a private /tmp (and /var/tmp) of its own, so it
cannot see the host's shared /tmp (and /var/tmp).

This setting also does not provide the systemd assigned location for temporary
files to the openvpn process.

Thus the problem is two fold:
1.
It is not possible to pre-determine a temporary directory within the systemd
PrivateTmp assigned folder within an openvpn config which needs to use --tmp-dir
2.
Openvpn is forced to assign a non-standard temporary folder to --tmp-dir which
lies outside of the systemd assigned private temporary folder.

Not being familiar with lib-systemd, I do not know how to approach this problem,
the only "answer" I can see is something like an "alias" for systemd PrivateTmp.

EG:
To use --tmp-dir within an openvpn config that uses the systemd assign temporary
folder, the alias would be something like: 'tmp-dir systemd'

Otherwise, what is the recommended way to use --tmp-dir under systemd ?

Thanks
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJg3PFrACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2uQwgAzLi4zvrOVV+N88FegTN6rzAT9/pvW/BDRSH5/SGISOlxs8sF
nxWtQyAq1qgokSK1LrIudge/43b4xB2q++hjeZ+U+e7nW2GvyLONwc/FL2IX
6lA6g1JLpQzhy+i4F4A6vFr2kdatPPy9LOFS5AZryvQXYFcF8+5vWmaWav4j
mJ1IBgxwBEQSRglhlKaKwWNqOfVNfKBCpRq54a9EikQSoZbs5SADxp4d5VVE
UbNnf3jkIXRgCsWPVzbP3llwiCwhnyQtN6MhwkRIUk3Q8iZifWzmu2ETMX4q
wVB17Kc0WrDrd4lAmMl8wiKxRoZRYZf+8eG1yAWDIkbVdGjfCWLoew==
=I4w+
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility

2021-06-30 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi

the problem is three fold:
3.
How would I then point scripts to the systemd assigned folder ?
(Yet another env var: systemd_private_tmp)

The most logical answer is "To take matters into my own hands"
and specify my own temporary location but that does not sound
like a "secure" approach generally .. which is the point of using
systemd to "secure" things, in the first place.

stuck in a rabbit hole ..
R
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJg3PaaACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2gSQgAj8sL20yh3H+lruv30ZyMG3l3sMd81FZdhMQpn1yGbFNqDeit
geuooC8RIQ1636Sa4UD/TxEZy5e0gU0SfRcaX1+383cV33iFUXHCahMlVAO5
/CDY7yCi+sXuacvR7TpoR6f3hB0zaF0P+XUNH/K0CUE76P1F1csFlGpvycCx
6yjIIJo/fWx2VFS7FiPSwK3l2AreLKo8aQAjo/RWnY/AB6uKVbl/l9qKdhn0
appzLGAzDRbjhpSunp20BtruVu0X5t2fxh6GYpkSy1V8cBI4EZkSu6IfKZpD
olhzDOPswOFKNdwu5CUYIbRJ03lVInxJo/kb0z9rgcy29SKii8Eisw==
=1l7e
-END PGP SIGNATURE-




Re: [Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility

2021-07-01 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi David,

with your help, I was able to use systemd.PrivateTmp correctly.

thanks for this detailed explanation.
R

‐‐‐ Original Message ‐‐‐

On Thursday, July 1st, 2021 at 13:41, David Sommerseth 
 wrote:

> On 01/07/2021 00:56, tincantech via Openvpn-devel wrote:
>
> > Hi
>
> [... copied from first mail ...]
>
> > > Thus the problem is two fold:
> >
> > It is not possible to pre-determine a temporary directory within the systemd
> >
> > PrivateTmp assigned folder within an openvpn config which needs to use 
> > --tmp-dir
> >
> > 2.
> >
> > Openvpn is forced to assign a non-standard temporary folder to --tmp-dir 
> > which
> >
> > lies outside of the systemd assigned private temporary folder.[... second 
> > mail ...]
> >
> > the problem is three fold:
> >
> > 3.
> >
> > How would I then point scripts to the systemd assigned folder ?
> >
> > (Yet another env var: systemd_private_tmp)
> >
> > > The most logical answer is "To take matters into my own hands"
> > >
> > > and specify my own temporary location but that does not sound
> > >
> > > like a "secure" approach generally .. which is the point of using
> > >
> > > systemd to "secure" things, in the first place.
>
> First of all - what you are describing is what you are observing. But I'm 
> missing the context of when you need a publicly available tmp-dir.
>
> The PrivateTmp is a security hardening. Using /tmp and /var/tmp to dump 
> various data has been a well-known security issue for years. And not just 
> within OpenVPN, but all kind of running daemons have faced security 
> challenges with the use of a global tmp-dir.
>
> First some background.
>
> In 2010 we added some hardening to avoid some of the potential issues with
> tmp-dir and temp-files needed for the script hooks (see commit 4e1cc5f6d for
> details). Already back then we knew this was not covering all issues, but it
> was still a good step forward. Those not satisfied with this change can use
> --tmp-dir to relocate this directory to one with stricter permissions (a
> directory owned by the user OpenVPN runs as and writable by nobody else).
> That's probably as strict as you can go.
>
> The challenge at hand was that another process could create a tempfile with
> the same name OpenVPN would later look for, and OpenVPN would then pick it up
> and read it even though it had not created it (creating the file was the
> task of the plug-in/script back then). In a shared, world-writable /tmp this
> was a perfect trap for injecting data from outside, even by a local user not
> privileged to configure OpenVPN. So we changed the model: OpenVPN now always
> creates the temp-file itself before it runs the plug-in/script, and ensures
> the permissions on that file are correct.
>
> And then came systemd with PrivateTmp which added further hardening.
>
> That's the background ... now to PrivateTmp
>
> When running scripts via OpenVPN's script hooks or plug-ins, they should run 
> under the same confinement as the OpenVPN process, so it should share the 
> same tmp-dir. So PrivateTmp should not cause any issues in regards to script 
> hooks or plug-ins. They should all share the same tmp-dir. I don't recall now 
> if some $TMP or $TMPDIR variables would be set as well.
>
> Now if you want your scripts to leave data behind after they have run, a
> tmp-dir is still the wrong location for such data - as then it isn't strictly
> a temporary file. In that case, these scripts should ideally use a different
> path which is not confined inside a private tmp-dir.
>
> Some reasonable locations:
>
> -   Most Linux packaging provides /var/lib/openvpn, which should be owned
>
> by openvpn:openvpn by default. Creating a subdirectory here with the
>
> proper ACL would be considered appropriate.
> -   If the data you want to leave is for another script/process to pick up
>
> (like a queue), the typical location for that would be /var/spool/openvpn
>
> (which needs to be created).
> -   If it is cached data, then /var/cache/openvpn would be appropriate.
>
> -   If it is runtime related data, which may be wiped when the OpenVPN
>
> process is stopped, using /run/openvpn/ would be fine - but these
>
> days, /run is mostly mounted as a tmpfs filesystem so be careful with
>
> the amount of data you put there.
>
> My point is, don't use tmp-dir to save data which isn't really temporary, 
> where temporary means it should not live there for very long. And don't abuse 
> the --tmp-dir option to relocate it to one of these more persistent 
> locations. Just d

Re: [Openvpn-devel] [PATCH v3 7/9] Cleanup handling of initial auth token

2021-07-06 Thread tincantech via Openvpn-devel
n_initial)
> +bool is_renegotiation =3D session->key[KS_PRIMARY].key_id !=3D 0;
> +
> +if (multi->auth_token_initial && !is_renegotiation)
>  {
>  /*
>   * We do not explicitly schedule the sending of the
> @@ -1648,7 +1650,7 @@ verify_user_pass(struct user_pass *up, struct tls_mu=
> lti *multi,
>   * established and furthermore since this is called in
>   * the middle of authentication, there are other messages
>   * (new data channel keys) that are sent anyway and will
> - * trigger schedueling
> + * trigger scheduling
>   */
>  send_push_reply_auth_token(multi);
>  }
> diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests=
> /openvpn/test_auth_token.c
> index 4030052e0..a504eed91 100644
> --- a/tests/unit_tests/openvpn/test_auth_token.c
> +++ b/tests/unit_tests/openvpn/test_auth_token.c
> @@ -174,7 +174,10 @@ auth_token_test_timeout(void **state)
>
>  now =3D 10;
>  generate_auth_token(&ctx->up, &ctx->multi);
> +
>  strcpy(ctx->up.password, ctx->multi.auth_token);
> +free(ctx->multi.auth_token_initial);
> +ctx->multi.auth_token_initial =3D NULL;
>
>  /* No time has passed */
>  assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->sessio=
> n),
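Review bot: The added `free(ctx->multi.auth_token_initial); ctx->multi.auth_token_initial = NULL;` carries no comment saying why the initial token is discarded right before `verify_auth_token()`; presumably it forces the token copied into `up.password` to be checked on the non-initial path instead of being matched against `auth_token_initial`, but a reader cannot confirm that from the test alone. I would add `/* drop the initial token so the renewed token in up.password is verified on its own */` above the free. The pre-existing `strcpy()` into `ctx->up.password` also copies a generated token of unchecked length; if that buffer is fixed-size, an `assert_true(strlen(ctx->multi.auth_token) < sizeof(ctx->up.password));` before it would make the fixture fail loudly rather than overflow. auth_token_test_timeout continues outside the hunk.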
> @@ -244,10 +247,10 @@ auth_token_test_known_keys(void **state)
>
>  now =3D 0;
>  /* Preload the session id so the same session id is used here */
> -ctx->multi.auth_token =3D strdup(now0key0);
> +ctx->multi.auth_token_initial =3D strdup(now0key0);
>
>  /* Zero the hmac part to ensure we have a newly generated token */
> -zerohmac(ctx->multi.auth_token);
> +zerohmac(ctx->multi.auth_token_initial);
>
>  generate_auth_token(&ctx->up, &ctx->multi);
>
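Review bot: `ctx->multi.auth_token_initial = strdup(now0key0);` is not checked for NULL before `zerohmac()` dereferences it, so an allocation failure would surface as a crash rather than an attributable test failure. Since the file already uses cmocka-style assertions (`assert_int_equal` above), `assert_non_null(ctx->multi.auth_token_initial);` after the strdup is the idiomatic guard. Because the preloaded value now lives in `auth_token_initial` rather than `auth_token`, the `/* Preload the session id ... */` comment could also name the field `generate_auth_token()` is expected to read it from; I cannot tell from the hunk whether `auth_token` is expected to be NULL at this point. auth_token_test_known_keys continues outside the hunk.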
> --
> 2.32.0
>
>
>
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJg5LfeACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2UwQf9HRGKdMwuFN5gofphNKjx5u5PnF3woa+LOmg12VHHc99K+JHB
5S7UmRMbt7V+i67paCYMZ54YPE6jeB30UHqw/GY9Rwx+fnh6Qq0Hv8mwvKKz
lM4jweoYCmZKIFcHj8C3UxbOIMugK1F7HSj2s7M7NsF6OqF2ursQQtQHhi80
1HBcYjADWNGufli8JC7CPUNp7MDzKAXu/HK9sxsrIp0B4YAft3WF3+U1OhVt
sOAz0KghaX3tllfqbblNoQGfwzowP78Rxc9jh2dSzsEtl2C6HNSGvDcXjGdS
DT9whFFw8mYkIJ/OPwUDsn8k3sxagYeE0h8X3eppojRgC2JDmRO0Ng==
=Dq71
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v3] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-07-28 Thread tincantech via Openvpn-devel
  and older), the client config `alice.ovpn` can be modified to still wo=
> rk with
> +   these clients.
> +
> +   Remove the line starting with :code:`peer-fingerprint`. Then
> +   add a new :code:`` section at the end of the configuration file
> +   with the contents of the :code:`server.crt` created in step 2 of the
> +   server setup. The end of `alice.ovpn` file should like:
> +
> +   ::
> +
> +  [...]  # Beginning of the file skipped
> +  
> +
> +  # The tun-mtu of the client should match the server MTU
> +  tun-mtu 1400
> +  dev tun
> +
> +  
> +  [contents of the server.crt]
> +  
> +
> +   Note that we put the :code:`` section after the :code:`` sec=
> tion
> +   to make the fingerprint generation from step 4 still work since it wil=
> l
> +   only use the first certificate it find.

'it find' -> 'it finds'

> +
> +7. Import the file into the OpenVPN client or just use the
> +   :code:`openvpn alice.ovpn` to start the VPN.
> diff --git a/doc/openvpn-examples.5.rst b/doc/openvpn-examples.5.rst
> index 988b6027b..0e1b6c4f6 100644
> --- a/doc/openvpn-examples.5.rst
> +++ b/doc/openvpn-examples.5.rst
> @@ -14,4 +14,5 @@ INTRODUCTION
>
>  This man page gives a few simple examples to create OpenVPN setups and co=
> nfiguration files.
>
> +.. include:: man-sections/example-fingerprint.rst
>  .. include:: man-sections/examples.rst
> --
> 2.32.0
>

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJhAbdiACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3NdQgAscHRyr3wCUuRtnIdbMBWjAfbvfP5iwPiGHyGh1S00PAUDHeJ
RRSjJAIPlDcVhJircaeRzOVe+rPIf6icwdrzOzkE8wnifE570ivq/z8BtT6d
zgC9s2CXKBVRTY5L/UGWlWkk15yaSzFjHS3ZtXGVlTyfQ2SItHbHh6ceeazo
l44PxOt+qJtDqA6FKzj7SfnAVyVBLq1XSpkebnuL/CXJzVdVXsXGCDl1CSwf
srnLPfAoW8dcKrJyUE4meYovCq8Ym+zHZZY70iLfB6kxfz+1Uyase/BkmrAY
b+j9BUOQ+OPFtGABBJB+FBR9dIN44Q6KTbgmXUC0mq1bYK7QfLZMdw==
=0swD
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH v3] Add example script demonstrating TOTP via auth-pending

2021-08-02 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Monday, August 2nd, 2021 at 10:52, Arne Schwabe  wrote:

> Signed-off-by: Arne Schwabe a...@rfc2549.org
>
> Patch v3: Some minor cleanups in the script (rename CNs, add more comments)
>
> Signed-off-by: Arne Schwabe a...@rfc2549.org
>
> doc/man-sections/script-options.rst | 3 +
>
> sample/sample-scripts/totpauth.py | 111 
>
> 2 files changed, 114 insertions(+)
>
> create mode 100755 sample/sample-scripts/totpauth.py
>
> diff --git a/doc/man-sections/script-options.rst 
> b/doc/man-sections/script-options.rst
>
> index f48e5818d..6517f8474 100644
>
> --- a/doc/man-sections/script-options.rst
>
> +++ b/doc/man-sections/script-options.rst
>
> @@ -147,6 +147,9 @@ SCRIPT HOOKS
>
> :code:`auth_control_file or further defer it. See `--auth-user-pass-verify`
>
> for details.
>
> -   For a sample script that implement TOTP (RFC 6238) based two-factor
> -   authentication, see :code:`sample-scripts/totp.py`.

sample-scripts/totp.py -> sample-scripts/totpauth.py

Checked everything else and it all LGTM.
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJhCABYACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1MTgf+KJa9xstxZXVoGhTer7jFDn+EQdKeBQT3S2JOiu/lLVrGFhCG
+4nEXmsVSN/G/UIqwIzTfe0c6bTALGeEI4YUjL2Rsqixt96xxVUWeer+YVdv
DF4Jxza/vCagzH3uszCpvBgiqB4YIhk7ZaTpLGfXqbY0VgVrwUD1AYPPWPFH
tssgUx5UxSqqoT+AnIpsHTkT/svKCmd1d5IYLjAPy0I9+2vhBQEauWr4f/xa
eoRJb6CQET3z3Lag9DEuqct/k4kT+twS4WYh4Ljr5SzNhuRZV+fbqHQYgk3n
50QttAoUmgzVKkwPSzwTd6u5DZUiT4KyH5REeqAOdwzNYwmxjwKCkQ==
=YOUk
-END PGP SIGNATURE-




Re: [Openvpn-devel] [PATCH] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-02 Thread tincantech via Openvpn-devel
lags;
>  };
>
> +/**
> + * Returns if we want 'backwards-compatible' to a certain version
> + * @param version   the first version does that *NOT* need the compatibility
> + *  e.g. 204000 for all versions <= 2.4.0
> + * @return  compatibility should be enabled.
> + */
> +static inline bool
> +need_compatibility(const struct options *o, int version)
> +{
> +return o->backwards_compatible != 0 && o->backwards_compatible < version;
> +}
> +
> +
>  #define streq(x, y) (!strcmp((x), (y)))
>
>  /*
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 0258e6a72..5ea76640f 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -172,6 +172,19 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena 
> *gc)
>  return ret;
>  }
>
> +
> +void
> +append_cipher_to_ncp_list(struct options *o, const char *ciphername)
> +{
> +/* Append the --cipher to ncp_ciphers to allow it in NCP */
> +size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1;
> +char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
> +
> +ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
> +ciphername));
> +o->ncp_ciphers = ncp_ciphers;
> +}
> +
>  bool
>  tls_item_in_cipher_list(const char *item, const char *list)
>  {
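Review bot: `append_cipher_to_ncp_list()` appends `ciphername` unconditionally, so a cipher that is already present in `o->ncp_ciphers` (e.g. when `--cipher` names one of the defaults) ends up in the list twice. `tls_item_in_cipher_list()`, declared directly below, is the natural guard: `if (tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) { return; }` at the top of the function. The `strlen(o->ncp_ciphers)` call also assumes the list is never NULL here; if that holds because a default is always set before this runs, a one-line comment saying so would spare the next reader from checking. A short header comment such as `/* Append ciphername to o->ncp_ciphers; the new string is gc-allocated and the old one is left to the gc */` would document what the function relies on.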
> diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
> index 3fa68e262..2fc68fb53 100644
> --- a/src/openvpn/ssl_ncp.h
> +++ b/src/openvpn/ssl_ncp.h
> @@ -101,6 +101,14 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena 
> *gc);
>  char *
>  mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
>
> +/**
> + * Appends the cipher specified by the ciphernamer parameter to to


ciphernamer -> ciphername - No 'r' on the end


> + * the o->ncp_ciphers list.
> + * @param o options struct to modify. Its gc is also used
> + * @param ciphernamethe ciphername to add
> + */
> +void append_cipher_to_ncp_list(struct options *o, const char *ciphername);
> +
>  /**
>   * Return true iff item is present in the colon-separated zero-terminated


iff -> if


>   * cipher list.
> --
> 2.32.0
>
>
>




Re: [Openvpn-devel] [PATCH v2] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-02 Thread tincantech via Openvpn-devel
/
> +static inline bool
> +need_compatibility(const struct options *o, int version)
> +{
> +return o->backwards_compatible != 0 && o->backwards_compatible < version;
> +}
> +
> +
>  #define streq(x, y) (!strcmp((x), (y)))
>
>  /*
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 6967e2bba..022a9dc3b 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -172,6 +172,19 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena 
> *gc)
>  return ret;
>  }
>
> +
> +void
> +append_cipher_to_ncp_list(struct options *o, const char *ciphername)
> +{
> +/* Append the --cipher to ncp_ciphers to allow it in NCP */
> +size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1;
> +char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
> +
> +ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
> +ciphername));
> +o->ncp_ciphers = ncp_ciphers;
> +}
> +
>  bool
>  tls_item_in_cipher_list(const char *item, const char *list)
>  {
> diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
> index 4a2601a2e..09ddeb28e 100644
> --- a/src/openvpn/ssl_ncp.h
> +++ b/src/openvpn/ssl_ncp.h
> @@ -102,6 +102,14 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena 
> *gc);
>  char *
>  mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
>
> +/**
> + * Appends the cipher specified by the ciphernamer parameter to to


ciphernamer -> ciphername, drop the 'r'


> + * the o->ncp_ciphers list.
> + * @param o options struct to modify. Its gc is also used
> + * @param ciphernamethe ciphername to add
> + */
> +void append_cipher_to_ncp_list(struct options *o, const char *ciphername);
> +
>  /**
>   * Return true iff item is present in the colon-separated zero-terminated


iff -> if


>   * cipher list.
> --
> 2.32.0
>
>
>





Re: [Openvpn-devel] [PATCH v3] Modernise OpenVPN defaults and introduce '--compat-mode'

2021-08-11 Thread tincantech via Openvpn-devel
uot;, &major, &minor, &patch) == 3))
> > +{
> > +msg(msglevel, "cannot parse version number for -compat-mode: 
> > %s", p[1]);
> > +goto err;
> > +}
> > +
> > +options->backwards_compatible = major * 1 + minor * 100 + 
> > patch;
> > +}
> >  else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
> >  {
> >  VERIFY_PERMISSION(OPT_P_SETENV);
> > @@ -7701,6 +7767,7 @@ add_option(struct options *options,
> >  else if (streq(p[1], "asym"))
> >  {
> >  options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
> > +options->comp.flags |= COMP_F_ALLOW_ASYM;
> >  }
> >  else if (streq(p[1], "yes"))
> >  {
> > diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> > index b0e40cb7f..eb4e39f11 100644
> > --- a/src/openvpn/options.h
> > +++ b/src/openvpn/options.h
> > @@ -225,6 +225,10 @@ struct options
> >
> >  /* enable forward compatibility for post-2.1 features */
> >  bool forward_compatible;
> > +/** What version we should try to be compatible with as major * 1 +
> > +  * minor * 100 + patch, e.g. 2.4.7 => 20407 */
> > +unsigned int backwards_compatible;
> > +
> >  /* list of options that should be ignored even if unknown */
> >  const char **ignore_unknown_option;
> >
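Review bot: The doc comment on backwards_compatible should also say that 0 means no --compat-mode was given, since need_compatibility() in the next hunk relies on `backwards_compatible != 0` to tell "unset" apart from a real version; something like `/** Version to stay compatible with, encoded as major * 10000 + minor * 100 + patch (2.4.7 => 20407); 0 means --compat-mode was not given. */`. As quoted here the formula reads `major * 1`, which cannot yield 20407 from 2.4.7; if that is not a rendering artifact of this archive, the multiplier in the comment (and in the parser hunk above, whose start is cut off) is wrong.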
> > @@ -660,6 +664,19 @@ struct options
> >  unsigned int data_channel_crypto_flags;
> >  };
> >
> > +/**
> > + * Returns if we want 'backwards-compatible' to a certain version
>
> Maybe better rephrased:
>
> Returns if
>
> > + * @param version   the first version does that *NOT* need the 
> > compatibility
> > + *  e.g. 204000 for all versions <= 2.4.0


does that *NOT* need ???

that does not need ??? guessing ..


>
> is there a 0 too many in the example (should be 20400?)? How about
> making the format more explicit?
> At the moment the example is the only thing trying to document the
> version format.
>
>
> On top of that, isn't the example wrong? The definition says "first
> version that *NOT* need.." but the example says <= 2.4.0 ?
> It probably should say "<2.4.0"
>
> This said I think this is a bit confusing. See below:
>
> > + * @return  compatibility should be enabled.
> > + */
> > +static inline bool
> > +need_compatibility(const struct options *o, int version)
> > +{
> > +return o->backwards_compatible != 0 && o->backwards_compatible < 
> > version;
>
> How about changing this check to "backwards_compatible <= version" ?
>
> This way the function meaning becomes "do we want to be compatible with
> the version specified and older?"
>
>
> > +}
> > +
> > +
> >  #define streq(x, y) (!strcmp((x), (y)))
> >
> >  /*
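Review bot: need_compatibility() compares `o->backwards_compatible`, declared `unsigned int` in the options.h hunk above, against an `int version`, so the comparison is done in unsigned arithmetic: a negative version argument would compare as a very large value, and the line would be flagged by -Wsign-compare. Declaring the parameter to match the field, `static inline bool need_compatibility(const struct options *o, unsigned int version)`, removes the mismatch without changing any current caller that passes a positive literal.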
> > diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> > index 6967e2bba..022a9dc3b 100644
> > --- a/src/openvpn/ssl_ncp.c
> > +++ b/src/openvpn/ssl_ncp.c
> > @@ -172,6 +172,19 @@ mutate_ncp_cipher_list(const char *list, struct 
> > gc_arena *gc)
> >  return ret;
> >  }
> >
> > +
> > +void
> > +append_cipher_to_ncp_list(struct options *o, const char *ciphername)
> > +{
> > +/* Append the --cipher to ncp_ciphers to allow it in NCP */
> > +size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1;
> > +char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
> > +
> > +ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
> > +ciphername));
> > +o->ncp_ciphers = ncp_ciphers;
> > +}
> > +
> >  bool
> >  tls_item_in_cipher_list(const char *item, const char *list)
> >  {
> > diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
> > index 4a2601a2e..09ddeb28e 100644
> > --- a/src/openvpn/ssl_ncp.h
> > +++ b/src/openvpn/ssl_ncp.h
> > @@ -102,6 +102,14 @@ tls_peer_ncp_list(const char *peer_info, struct 
> > gc_arena *gc);
> >  char *
> >  mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
> >
> > +/**
> > + * Appends the cipher specified by the ciphernamer parameter to to


ciphernamer -> ciphername


> > + * the o->ncp_ciphers list.
> > + * @param o options struct to modify. Its gc is also used
> > + * @param ciphernamethe ciphername to add
> > + */
> > +void append_cipher_to_ncp_list(struct options *o, const char *ciphername);
> > +
> >  /**
> >   * Return true iff item is present in the colon-separated zero-terminated
> >   * cipher list.
> >
>
> I think this patch, although not too big, may be better if split in pieces.
>
> IMHO the change to the default should be atomic and clearly motivated.
> In a few months from now we will see this patch changing defaults and we
> will have to remember why we wanted to do that.
>
> The commit message explains what is happening, but not why.
>
> Wouldn't it be better to have one patch of reach default behaviour being
> charged with a concise but focused explanation as to why that default is
> being changed?
>
> After those patches, then another patch could come in implementing
> compat-mode.
>
> IMHO this would give the change history a very good cut. Anybody willing
> to understand what happened can go back and check.
>
> Thoughts?
>
>
> Regards,
>
> p.s. the code per se looks good at first glance.
>
> --
> Antonio Quartulli
>
>
>
>





Re: [Openvpn-devel] [PATCH 1/7] simplify condition detecting pure P2P mode

2021-09-06 Thread tincantech via Openvpn-devel




‐‐‐ Original Message ‐‐‐

On Monday, September 6th, 2021 at 14:19, Arne Schwabe  wrote:

> Am 04.09.21 um 11:56 schrieb Antonio Quartulli:
>
> > The new condition is equivalent to the old one, but easier to grasp.
> >
> > Also add message to inform uset that cipher negotiation, in this case,
> >

uset -> user


> > it indeed disabled.
> >

it -> is

> > Signed-off-by: Arne Schwabe a...@rfc2549.org
> >
> > Signed-off-by: Antonio Quartulli a...@unstable.cc
> > 
> >
> > src/openvpn/options.c | 6 +-
> >
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> >
> > index 00ba6044..0d6b85cf 100644
> >
> > --- a/src/openvpn/options.c
> >
> > +++ b/src/openvpn/options.c
> >
> > @@ -3076,8 +3076,12 @@ options_postprocess_verify(const struct options *o)
> >
> > static void
> >
> > options_postprocess_cipher(struct options *o)
> >
> > {
> >
> > -   if (!o->pull && !(o->mode == MODE_SERVER))
> >
> > -   if (!o->tls_server && !o->tls_client)
> >
> > {
> > -  /* we are in the classic P2P mode */
> >
> >
> > -  msg(M_WARN, "Cipher negotiation is disabled since TLS "
> >
> >
> > -  "mode is not enabled");
> >
> >
> > -  /* If the cipher is not set, use the old default of BF-CBC. We 
> > will
> > * warn that this is deprecated on cipher initialisation, no need
> > * to warn here as well */
> >
> >
>
> Yes. Makes sense. The change makes it is a lot more clear. I think it is
>
> actually not equivalent but the new one is definitively the correct one.
>
> Acked-By: Arne Schwabe a...@rfc2549.org
>
> Arne
>




Re: [Openvpn-devel] [PATCH] Correct --client-disconnect environment variable common_name

2021-09-16 Thread tincantech via Openvpn-devel

The commit message is incorrect.

Not *always* but "after a renegotiation" then *always*

I'll resubmit again after some final testing.

R


‐‐‐ Original Message ‐‐‐

On Thursday, September 16th, 2021 at 17:46,  wrote:

> From: Richard T Bonhomme tincant...@protonmail.com
>
> --client-disconnect is always passed the X509 certificate common_name,
>
> which is incorrect when --username-as-common-name is used.
>
> Set the environment variable common_name to the correct value, prior to
>
> calling --client-disconnect.
>
> Resolves https://community.openvpn.net/openvpn/ticket/160
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/multi.c | 3 +++
>
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
>
> index 22357cfb..18ee5e52 100644
>
> --- a/src/openvpn/multi.c
>
> +++ b/src/openvpn/multi.c
>
> @@ -557,6 +557,9 @@ setenv_stats(struct context *c)
>
> static void
>
> multi_client_disconnect_setenv(struct multi_instance *mi)
>
> {
>
> -   /* setenv client current common-name */
>
> -   setenv_str(mi->context.c2.es, "common_name", 
> tls_common_name(mi->context.c2.tls_multi, true));
>
> -   /* setenv client real IP address */
>
> setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
>
> 2.25.1




Re: [Openvpn-devel] [PATCH] Correct value for --client-disconnect env variable common_name

2021-10-10 Thread tincantech via Openvpn-devel

Hi,

I NAK this for the following reasons.

The original problem:
  "Openvpn does not set common_name for --client-disconnect",
  for reasons which have not been identified, no longer occurs.

The code has changed enough since 2011 that a new problem occurs.

The new problem:
  Openvpn sets common_name to X509-CN for --client-disconnect,
  after a client has attempted to float, successfully or not.

If this patch is applied to current Openvpn then behaviour similar to
the original problem occurs.  That being, after a client attempts
to float, common_name is not set at all.

I have also written Easy-TLS to work around this bug, as it stands,
and Easy-TLS manages connection tracking 100% successfully.

Regards
R



‐‐‐ Original Message ‐‐‐

On Friday, September 17th, 2021 at 16:35,  wrote:

> From: Richard T Bonhomme tincant...@protonmail.com
>
> A server configured with --client-disconnect and --username-as-common-name
>
> will pass the X509-CN not username, after the client has completed a
>
> renegotiation, to --client-disconnect.
>
> Explicitly set the environment variable common_name to the current value,
>
> which will be username in this case, prior to calling --client-disconnect.
>
> Trac: #160
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/multi.c | 4 
>
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
>
> index 22357cfb..c72e8e95 100644
>
> --- a/src/openvpn/multi.c
>
> +++ b/src/openvpn/multi.c
>
> @@ -557,6 +557,10 @@ setenv_stats(struct context *c)
>
> static void
>
> multi_client_disconnect_setenv(struct multi_instance *mi)
>
> {
>
> -   /* setenv client current common-name */
>
> -   setenv_str(mi->context.c2.es, "common_name",
>
> - tls_common_name(mi->context.c2.tls_multi, true));
>
>
> -   /* setenv client real IP address */
>
> setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
>
> 2.25.1




Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script

2021-11-08 Thread tincantech via Openvpn-devel

Hi


‐‐‐ Original Message ‐‐‐

On Monday, November 8th, 2021 at 12:23, Frank Lichtenheld 
 wrote:

> > Arne Schwabe a...@rfc2549.org hat am 08.11.2021 12:36 geschrieben:
> >
> > Am 07.11.21 um 18:40 schrieb Frank Lichtenheld:
> >
> > > From: Adrian adrian.cre...@protonmail.com
> > >
> > > The man page says:
> > >
> > > [!] -s, --source address[/mask][,...]
> > >
> > > Signed-off-by: Frank Lichtenheld fr...@lichtenheld.com
> > > --
> > >
> > > sample/sample-config-files/firewall.sh | 2 +-
> > >
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > As part of an initiative to clean up the Github PR submissions, submitting
> > >
> > > this patch to the mailing list for inclusion. Looks obviously correct to
> > >
> > > me.
> > >
> > > diff --git a/sample/sample-config-files/firewall.sh 
> > > b/sample/sample-config-files/firewall.sh
> > >
> > > index 19d75ee9..456700ca 100755
> > >
> > > --- a/sample/sample-config-files/firewall.sh
> > >
> > > +++ b/sample/sample-config-files/firewall.sh
> > >
> > > @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j 
> > > DROP
> > >
> > > iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
> > >
> > > Check source address validity on packets going out to internet
> > > ==
> > >
> > > -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
> > >
> > > +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
> > >
> > > Allow local loopback
> > > 
> > >
> > > iptables -A INPUT -s $LOOP -j ACCEPT
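Review bot: `$PRIVATE` stays unquoted in the corrected rule, and nothing in the hunk checks that the iptables call succeeded; if PRIVATE is empty or unset, the rule would be rejected by iptables and the script would carry on without the anti-spoofing DROP on eth1, which is the same class of silent failure this one-token fix is about. Suggest `iptables -A FORWARD ! -s "$PRIVATE" -i eth1 -j DROP` and asserting the variable before its first use, e.g. `: "${PRIVATE:?PRIVATE must be set}"`, so a misconfigured sample fails loudly rather than with a hole in the forward chain. Whether the script aborts on a failed command is not visible from this hunk.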
> >
> > I have a vague idea that this is actually different. Like one is that
> >
> > condition is not fulfilled and the other is that it is not part of the
> >
> > subnet if is different when there is different protocol but I might
> >
> > misremember.
>
> Certainly does not work with my iptables:
>
> iptables -A OUTPUT -s ! 10.0.0.0/8 -j ACCEPT
> 
>
> Bad argument `10.0.0.0/8' Try` iptables -h' or 'iptables --help' for more 
> information.
>
> iptables -A OUTPUT ! -s 10.0.0.0/8 -j ACCEPT
> 
>

From: https://ipset.netfilter.org/iptables.man.html

[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname, a 
network IP address (with /mask), or a plain IP address. Hostnames will be 
resolved once only, before the rule is submitted to the kernel. Please note 
that specifying any name to be resolved with a remote query such as DNS is a 
really bad idea. The mask can be either an ipv4 network mask (for iptables) or 
a plain number, specifying the number of 1's at the left side of the network 
mask. Thus, an iptables mask of 24 is equivalent to 255.255.255.0. A "!" 
argument before the address specification inverts the sense of the address. The 
flag --src is an alias for this option. Multiple addresses can be specified, 
but this will expand to multiple rules (when adding with -A), or will cause 
multiple rules to be deleted (with -D).

R




Re: [Openvpn-devel] [PATCH v4] [OSSL 3.0] Allow loading of non default providers

2021-11-11 Thread tincantech via Openvpn-devel
r Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
>
> @@ -149,6 +152,33 @@ crypto_init_lib_engine(const char *engine_name)
>
> #endif
>
> }
>
> +provider_t *
>
> +crypto_load_provider(const char *provider)
>
> +{
>
> +#if OPENSSL_VERSION_NUMBER >= 0x3000L
>
> -   /* Load providers into the default (NULL) library context */
>
> -   OSSL_PROVIDER* prov = OSSL_PROVIDER_load(NULL, provider);
>
> -   if (!prov)
>
> -   {
>
> -  crypto_msg(M_FATAL, "failed to load provider '%s'", provider);
>
>
> -   }
>
> -   return prov;
>
> +#else /* OPENSSL_VERSION_NUMBER >= 0x3000L */
>
> -   msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not 
> available");
>
> -   return NULL;
>
> +#endif
>
> +}
>
>
> +void crypto_unload_provider(const char* provname, provider_t *provider)
>
> +{
>
> +#if OPENSSL_VERSION_NUMBER >= 0x3000L
>
> -   if (!OSSL_PROVIDER_unload(provider))
> -   {
> -  crypto_msg(M_FATAL, "failed to undload provider '%s'", provname);


undload -> unload



>
>
> -   }
>
> +#endif
>
> +}
>
> /*
>
> *
>
> -   Functions related to the core crypto library
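Review bot: The `#else` branch of crypto_load_provider() logs "OpenSSL hardware crypto engine functionality is not available" and returns NULL, so on a build against OpenSSL older than 3.0 a configured `--provider` is quietly not loaded, and the message talks about engines rather than providers. A user who asks for a specific provider (a FIPS provider, for instance) presumably relies on it being active, so the branch should at least name what was ignored, e.g. `msg(M_WARN, "Note: OpenSSL provider support is not available, ignoring --provider %s", provider);`, or fail with M_FATAL the way the load-failure path above it does. The version constants appear as `0x3000L` in this archive; that looks like a rendering artifact rather than the patch's text.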
>
> diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
>
> index e540a76b9..446f08508 100644
>
> --- a/src/openvpn/crypto_openssl.h
>
> +++ b/src/openvpn/crypto_openssl.h
>
> @@ -33,6 +33,10 @@
>
> #include 
>
> #include 
>
> #include 
>
> +#if OPENSSL_VERSION_NUMBER >= 0x3000L
>
> +#include 
>
> +#endif
>
> +
>
> /** Generic cipher key type %context. /
>
> typedef EVP_CIPHER cipher_kt_t;
>
> @@ -49,12 +53,17 @@ typedef EVP_MD_CTX md_ctx_t;
>
> /* Generic HMAC %context. /
>
> #if OPENSSL_VERSION_NUMBER < 0x3000L
>
> typedef HMAC_CTX hmac_ctx_t;
>
> +
>
> +/ Use a dummy type for the provider /
>
> +typedef void provider_t;
>
> #else
>
> typedef struct {
>
> OSSL_PARAM params[3];
>
> uint8_t key[EVP_MAX_KEY_LENGTH];
>
> EVP_MAC_CTX ctx;
>
> } hmac_ctx_t;
>
> +
>
> +typedef OSSL_PROVIDER provider_t;
>
> #endif
>
> / Maximum length of an IV */
>
> diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
>
> index da06f59c2..095d448b0 100644
>
> --- a/src/openvpn/openvpn.c
>
> +++ b/src/openvpn/openvpn.c
>
> @@ -112,10 +112,23 @@ void init_early(struct context c)
>
> / init verbosity and mute levels */
>
> init_verb_mute(c, IVM_LEVEL_1);
>
> -   /* Initialise OpenVPN provider, this needs to be initialised this
>
> -   -   early since option post-processing and also openssl info
> -   -   printing depends on it */
> -   for (int j=1; j < MAX_PARMS && c->options.providers.names[j]; j++)
>
> -   {
>
> -  c->options.providers.providers[j] =
>
>
> -  crypto_load_provider(c->options.providers.names[j]);
>
>
> -   }
>
> }
>
> static void uninit_early(struct context *c)
>
> {
>
> -   for (int j=1; j < MAX_PARMS && c->options.providers.providers[j]; j++)
>
> -   {
>
> -  crypto_unload_provider(c->options.providers.names[j],
>
>
> - c->options.providers.providers[j]);
>
>
> -   }
>
> net_ctx_free(&c->net_ctx);
>
>
> }
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>
> index b5d65d293..87062d58d 100644
>
> --- a/src/openvpn/options.c
>
> +++ b/src/openvpn/options.c
>
> @@ -8157,6 +8157,13 @@ add_option(struct options *options,
>
> options->engine = "auto";
>
>  }
>  }
>
>
> -   else if (streq(p[0], "provider") && p[1])
>
> -   {
>
> -  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
>
>
> -  {
>
>
> -  options->providers.names[j] = p[j];
>
>
> -  }
>
>
> -   }
>
> #endif /* ENABLE_CRYPTO_MBEDTLS */
>
> #ifdef ENABLE_PREDICTION_RESISTANCE
>
> else if (streq(p[0], "use-prediction-resistance") && !p[1])
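Review bot: The `--provider` parser copies p[1..] into options->providers.names[j] but never clears entries beyond the last argument given, so a second `--provider` line with fewer names leaves stale names from the earlier line in place, and init_early() in the openvpn.c hunk above will then load them. Either clear the names[] slots before the loop or reject a repeated `--provider` directive explicitly. Indexing from 1 mirrors p[] and leaves names[0] unused, which init_early() and uninit_early() also assume; a one-line comment on the loop, `/* names[] is indexed like p[]: slot 0 is unused */`, would save the next reader from wondering.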
>
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
>
> index 20b34ed4e..d4f41cd71 100644
>
> --- a/src/openvpn/options.h
>
> +++ b/src/openvpn/options.h
>
> @@ -179,6 +179,14 @@ struct remote_list
>
>     struct remote_entry *array[CONNECTION_LIST_SIZE];
>
> };
>
> +struct provide

Re: [Openvpn-devel] Start openvpn gui before windows login

2021-11-15 Thread tincantech via Openvpn-devel

Hi


‐‐‐ Original Message ‐‐‐
user/pass.
On Monday, November 15th, 2021 at 13:11, Ruben Herold  
wrote:

> On Mon, Nov 15, 2021 at 02:45:53PM +0200, Lev Stipakov wrote:
>
> > Are you sure your problem cannot be solved with openvpn service?
> >
> > See, for example,
> >
> > https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/
> >
> > Also this discussion might be relevant:
> >
> > https://github.com/OpenVPN/openvpn-gui/issues/77
>
> We are using user/pass auth against AD and MFA so this is not possible.
>

You can save user/pass to a text file and have openvpn read it.

Regards










Re: [Openvpn-devel] [PATCH] Log message: Replace NCP ciphers with --data-ciphers (NFC)

2021-11-16 Thread tincantech via Openvpn-devel

Superseded - Due to incorrect option name.


‐‐‐ Original Message ‐‐‐

On Tuesday, November 16th, 2021 at 14:49, Richard T Bonhomme 
 wrote:

> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/options.c | 2 +-
>
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>
> index 4a5db8a6..7822f21e 100644
>
> --- a/src/openvpn/options.c
>
> +++ b/src/openvpn/options.c
>
> @@ -3240,7 +3240,7 @@ options_postprocess_mutate(struct options *o)
>
> o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
>
>  if (o->ncp_ciphers == NULL)
>
>  {
>
>
> -  msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is 
> too long.");
>
>
>
> -  msg(M_USAGE, "--data-cipher list contains unsupported ciphers or 
> is too long.");
>
>
> }
>
> if (o->remote_list && !o->connection_list)
>
> --
>
> 2.25.1




Re: [Openvpn-devel] [PATCH] Doc openvpn.8: Add deprecation notice to --compress

2021-11-27 Thread tincantech via Openvpn-devel

Seems I jumped the gun a little..

NACK, --compress is not deprecated in 2.4

Sorry
R



‐‐‐ Original Message ‐‐‐

On Friday, November 26th, 2021 at 14:48, Antonio Quartulli  
wrote:

> Hi,
>
> On 26/11/2021 15:43, Richard T Bonhomme wrote:
>
> > Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
> > ---
> >
> > doc/openvpn.8 | 1 +
> >
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/doc/openvpn.8 b/doc/openvpn.8
> >
> > index 598d5fce..dfe0ad10 100644
> >
> > --- a/doc/openvpn.8
> >
> > +++ b/doc/openvpn.8
> >
> > @@ -2501,6 +2501,7 @@ limit repetitive logging of similar message types.
> >
> > .\"*
> >
> > .TP
> >
> > .B \-\-compress [algorithm]
> >
> > +.B DEPRECATED
> >
> > Enable a compression algorithm.
> >
> > The
>
> We already have this. Against what branch did you create this patch?
>
> Cheers,
>
> --------
>
> Antonio Quartulli
>




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released

2021-12-15 Thread tincantech via Openvpn-devel

It seems only fair to warn the OpenVPN community that Version 2.5.5 has had 
bugs identified.
A new release v2.5.6 is planned for the coming week, or so..

Regards
Richard


‐‐‐ Original Message ‐‐‐

On Wednesday, December 15th, 2021 at 09:30, Samuli Seppänen 
 wrote:

> The OpenVPN community project team is proud to release OpenVPN 2.5.5.
>
> The most notable changes are Windows-related: use of CFG
>
> Spectre-mitigations in MSVC builds, bringing back of OpenSSL config
>
> loading and several build fixes. More details are available in Changes.rst:
>
> https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
>
> Source code and Windows installers can be downloaded from our download page:
>
> https://openvpn.net/community-downloads/
>
> Debian and Ubuntu packages are available in the official apt repositories:
>
> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
>
> On Red Hat derivatives we recommend using the Fedora Copr repository.
>
> https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
>
> Openvpn-users mailing list
>
> openvpn-us...@lists.sourceforge.net
>
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJhuhgkACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2UVwgAljL4rh7sOEw05+pdAxPREqT9Hrn5owARWcJsWN6CLrf1sR0c
3BjzssUxNNjaubeQZIQe7fqaRlOdE/ikQzCT8H2f9OTQazbK+FYgFZmlwQbj
173E7Ucc1WE4gLgpAy1rArJRiB7ow8AUPqj9xU63JKb5Q8qUTz0tfI7J7NSl
vEZS+nB/zFgsC+OhuPcZvzPXfjmT/4pOHn057jParQBtVw+H8AS+aGjUcKAB
UfQGtuLKHTxZp7FBR4Eh5kr9l/dTbSiRMcoZJAPSN/chs/POolNa/Bbtv6A5
rREVQODLIDrubJhwIweUn3nfburrUd5E+ACVJTCcYJrEi/e/mOHISw==
=n6Vj
-END PGP SIGNATURE-


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released

2021-12-15 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Seems I was too hasty here.  OpenVPN 2.5.5 is the current release
and there are no bugs severe enough to warrant a version 2.5.6, at this time.

Sorry for the confusion.

Regards
Richard


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Wednesday, December 15th, 2021 at 16:30, tincantech via Openvpn-users 
 wrote:

> It seems only fair to warn the OpenVPN community that Version 2.5.5 has had 
> bugs identified.
>
> A new release v2.5.6 is planned for the coming week, or so..
>
> Regards
>
> Richard
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
>
> On Wednesday, December 15th, 2021 at 09:30, Samuli Seppänen 
> sam...@openvpn.net wrote:
>
> > The OpenVPN community project team is proud to release OpenVPN 2.5.5.
> >
> > The most notable changes are Windows-related: use of CFG
> >
> > Spectre-mitigations in MSVC builds, bringing back of OpenSSL config
> >
> > loading and several build fixes. More details are available in Changes.rst:
> >
> > https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
> >
> > Source code and Windows installers can be downloaded from our download page:
> >
> > https://openvpn.net/community-downloads/
> >
> > Debian and Ubuntu packages are available in the official apt repositories:
> >
> > https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
> >
> > On Red Hat derivatives we recommend using the Fedora Copr repository.
> >
> > https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
> >
> > Openvpn-users mailing list
> >
> > openvpn-us...@lists.sourceforge.net
> >
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJhuiAeACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1pDwgAzPtRlmOa5WhGv7Ui7SiKO3kO2GCxpAsQYP4H/GpHLWv3o4GY
2UymApbeXtYu6cjHm4n7fPGyd3302WFmX4/8JkwN4lMmGGNC2mUO8SEYuz1o
mFoBpLhAGI3l/VvGTiEtrIiQBYCwfHURVH8WR5j2lcMvXEqoxaOOIiZpjcN9
uCwPDI8s8ipU1MUGN7DUWHs+6Mp0R+406S9cNKu9J7kpGb+zuYt+y2f37L3Q
gXwETEqDOEm9gXR9eDeZruFXnQSraTvAZm32DUa1JvswCcaWyrynnUHieY12
gx7z0Tw11+Re2OCu5hMgIU97fN1ZNcto/L0eoWB8uNw20Ynoja2tnw==
=7edC
-END PGP SIGNATURE-


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Fix checks of SHA256 in tls-crypt and auth-token

2022-02-15 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

May as well attribute this correctly.

* tincant...@protonmail.com

Protonmail now mangles mail on reply so badly that I may have to go back to 
gmail.
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJiC7VvACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2jFAgAjHPRhyMsY1JJuJjt7ePXPcve39xSF46BDUZyMQYXoEVC/pMC
Zrlg5SUtASqxBTis3qI8A8t1aCi+8PdYgM+e2GdSuFLwYYGHDsBMBxlohr0V
tHEVz4eaLtA5h/vQ5a5aki5g/rkPFP7Zedx1jgO7VNxF1EAmfbGK3ch1F/67
o23TePBzlNOPJLrGNPouU58msG8lv5+kB0PRSOUlNGLIN4TA86ynr9ThqvNY
NLP+IXFkmFasizioI5sFZ8wqaLyMFfiSQbUiTXu5yD2DQjuarxwqUsLP2lZv
in8LULOk9Vx+L2RWrmv/LOdCgmRNWppAOs+VN4K1P9EcU+y0P4mRjA==
=d1PC
-END PGP SIGNATURE-


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Enablement of quantum-safe key establishment

2022-03-28 Thread tincantech via Openvpn-devel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

EasyRSA development is back on-track.

Happy to help.

BR

--- Original Message ---

On Monday, March 28th, 2022 at 14:56, Michael Baentsch  wrote:

> Am 28.03.22 um 13:52 schrieb Arne Schwabe:

> >
> > Easyrsa has also become a separate project. Development and maintenance
> >
> > of easyrsa have become quite slow in the last years.
>

-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAGBQJiQcETACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2sGgf+ItPKF6rxjuLxtLJ8IeV8powsxVVmRCJ07c5OgyT98r8zDYsv
NzaQ//cQou736YsA5lPhSfAFvqxLcAAsjyUsqJ24uSOyR49IND7pOe1p06Ea
Jp31EQSCqZU0RkvGkgxGL//j+dg2dq7PLKYpy9axwPBeWb+GWjWZlso6QSrZ
Br73r6qz+nDdQ6JHdt1ZiAti2gewvxkamR+4H51dMjqzrJ81xUbZIjRi6ALX
niJ4hQf0yKtgeZBf3GCLRNtoNB56x5liJIBwrpUA4NTbFaEEiK+kDy/0Rgh2
omuOKZnBgtZR/K/jTh/VTCh8Rn1owKULTTMxnvGdB7oPCMmGN5QgdA==
=N9Ct
-END PGP SIGNATURE-


___________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Subject: OpenVPN Client Vulnerability - TLS Key Negotiation Timeout Leading to DoS (Black Box Pentest)

2024-11-16 Thread tincantech via Openvpn-devel
eve the behavior described poses a significant 
> > > security risk. I have attached the partial log file demonstrating the 
> > > repeated errors.
> > > 
> > > I would greatly appreciate it if you could investigate this potential 
> > > vulnerability and provide any guidance or recommendations for 
> > > strengthening the server's resilience against this type of attack. If 
> > > further information is needed, please do not hesitate to ask.
> > > 
> > > Sincerely,
> > > 
> > > Netanel
> > > 
> > > 
> > > 
> > > 
> > > ‫בתאריך יום ו׳, 15 בנוב׳ 2024 ב-17:30 מאת ‪Arne Schwabe‬‏ 
> > > <‪a...@rfc2549.org‬‏>:‬
> > > 
> > > > Am 15.11.24 um 13:56 schrieb נתי שטרן:
> > > > > I pentested openvpn 2.4 on client and I need to write cve on TLS Key
> > > > > Negotiation Timeout Leading to DoS on 2.4 version
> > > > 
> > > > 
> > > > You are free to publish your finding but they do not qualify for a CVE
> > > > for two reasons
> > > > 
> > > > - currently only proven that an EOL version is affected
> > > > - the reported behaviour is expected behaviour and we do not see any
> > > > security problems/implication in that behaviour, so no security problem,
> > > > no CVE.
> > > 
> > > 
> > > 
> > > --
> 
> 
> 
> --
-BEGIN PGP SIGNATURE-
Version: ProtonMail

wsBzBAEBCAAnBYJnOW/aCZBPl5z2a5C4nRYhBAm8PURno41yecVVVU+XnPZr
kLidAADJqgf/fP+US1O0sV88Ui7MjEiaOUPyneyB5A1REmGnON+8Wr1rYngi
EZ+fN/t+ro1F5oVN3r+Y+DrrxQY6sy3C1p62CjcVcu3ogeHtPvpzprcpq6QV
GNl0hp5jg58T7yUyKFD4XPQJoiRBRr4TPnjP8Xa6O3D1KvcU0n22Xa3R/FxC
pCIjeFgcSkqnjrCCmVqQ7cyS4WZ42Sfq1a/ijsq/RWoUX04Afuatyr0qB3fE
EdVUZuzPic0HTA/zrxbnj2Bnv3J05euWROPzVmqpMGqVokKXboN8/N/AyPQb
NZGlV8tierETQvnt/5x6fCM87psCF0K73S8YTbQ/dLfS+7wL2PLlGg==
=c6Lz
-END PGP SIGNATURE-


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH 1/2] Fix IPv6 in port-share journal

2024-12-07 Thread corubba via Openvpn-devel
getpeername() and getsockname() will truncate the result if it is
larger than the passed-in length. Because the size of the `sa` IPv4 union
member was always passed in here, all larger (i.e. IPv6) results
were truncated. Instead use the size of the `addr` union, which is the
maximum size of all union members.

The bug was introduced in 0b6450c9.

Fixes https://community.openvpn.net/openvpn/ticket/1358

Signed-off-by: corubba 
---
 src/openvpn/ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 4ca3a129..06bf91a8 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -344,8 +344,8 @@ journal_add(const char *journal_dir, struct 
proxy_connection *pc, struct proxy_c
 char *jfn;
 int fd;

-slen = sizeof(from.addr.sa);
-dlen = sizeof(to.addr.sa);
+slen = sizeof(from.addr);
+dlen = sizeof(to.addr);
 if (!getpeername(pc->sd, (struct sockaddr *) &from.addr.sa, &slen)
 && !getsockname(cp->sd, (struct sockaddr *) &to.addr.sa, &dlen))
 {
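Review bot: The new `slen = sizeof(from.addr);` and `dlen = sizeof(to.addr);` pass the right length for the union, but nothing in the code records why the member size was wrong, so a later edit could easily reintroduce the truncation; a comment above the two assignments such as `/* pass the full union size: getpeername()/getsockname() silently truncate to the length given, which cut off IPv6 results when sizeof(from.addr.sa) was used */` would keep the fix self-explaining. The casts on the following two lines still spell `&from.addr.sa` / `&to.addr.sa`; `(struct sockaddr *) &from.addr` names the same address and reads consistently with the length now passed, though that is purely a style point. journal_add() starts and ends outside the hunk, so whether `from`/`to` are initialised before these calls is not visible here.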
--
2.47.1


___________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH 2/2] Fix port-share journal doc

2024-12-07 Thread corubba via Openvpn-devel
Filename and content descriptions were switched.

Signed-off-by: corubba 
---
 doc/man-sections/server-options.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man-sections/server-options.rst 
b/doc/man-sections/server-options.rst
index 0632e314..3fe9862c 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -429,7 +429,7 @@ fast hardware. SSL/TLS authentication must be used in this 
mode.

   ``dir`` specifies an optional directory where a temporary file with name
   N containing content C will be dynamically generated for each proxy
-  connection, where N is the source IP:port of the client connection and C
+  connection, where C is the source IP:port of the client connection and N
   is the source IP:port of the connection to the proxy receiver. This
   directory can be used as a dictionary by the proxy receiver to determine
   the origin of the connection. Each generated file will be automatically
--
2.47.1



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2 1/2] port-share: Normalize IPv4-mapped IPv6 addresses

2024-12-26 Thread corubba via Openvpn-devel
gt;addr.sa.sa_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(&sock->addr.in6.sin6_addr))
+{
+struct openvpn_sockaddr *sock4;
+ALLOC_OBJ_CLEAR_GC(sock4, struct openvpn_sockaddr, gc);
+copy_normalized_sockaddr(sock, sock4);
+return sock4;
+}
+
+/* horrible: returning the passed-in const pointer as non-const */
+return (struct openvpn_sockaddr *) sock;
+}
+
 /*
  * Convert an in_port_t in host byte order to a string
  */
@@ -2985,6 +3038,10 @@ setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvp
 {
 char name_buf[256];
 
+struct openvpn_sockaddr addr_struct = {0};
+copy_normalized_sockaddr(addr, &addr_struct);
+addr = &addr_struct;
+
 char buf[INET6_ADDRSTRLEN];
 switch (addr->addr.sa.sa_family)
 {
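Review bot: The three added lines at the top of setenv_sockaddr() silently change the contract of the `case AF_INET6` arm in the following hunk of this file: that arm now formats the address as IPv6 unconditionally and relies on copy_normalized_sockaddr() having already turned a v4-mapped input into AF_INET, a dependency neither hunk states. A comment above the copy, `/* normalize first: a v4-mapped IPv6 address must reach the AF_INET arm below so it is still exported as <prefix>_ip, not <prefix>_ip6 */`, would tie the two together — the removed branch shows the `_ip` name was the previous behaviour, and since these names land in the environment handed to scripts, anyone matching on them depends on it staying that way (the AF_INET arm itself is outside the hunk, so this is inferred from the old code). Reassigning the `const` parameter `addr` to point at the stack copy works, but a separately named local would make it obvious that the remainder of the function operates on the normalized copy. The rest of setenv_sockaddr() lies outside the hunk.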
@@ -3009,19 +3066,8 @@ setenv_sockaddr(struct env_set *es, const char *name_prefix, const struct openvp
 break;
 
 case AF_INET6:
-if (IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr ))
-{
-struct in_addr ia;
-memcpy(&ia.s_addr, &addr->addr.in6.sin6_addr.s6_addr[12],
-   sizeof(ia.s_addr));
-snprintf(name_buf, sizeof(name_buf), "%s_ip", name_prefix);
-inet_ntop(AF_INET, &ia, buf, sizeof(buf));
-}
-else
-{
-snprintf(name_buf, sizeof(name_buf), "%s_ip6", name_prefix);
-inet_ntop(AF_INET6, &addr->addr.in6.sin6_addr, buf, sizeof(buf));
-}
+snprintf(name_buf, sizeof(name_buf), "%s_ip6", name_prefix);
+inet_ntop(AF_INET6, &addr->addr.in6.sin6_addr, buf, sizeof(buf));
 setenv_str(es, name_buf, buf);
 
 if ((flags & SA_IP_PORT) && addr->addr.in6.sin6_port)
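Review bot: The rewritten `inet_ntop(AF_INET6, &addr->addr.in6.sin6_addr, buf, sizeof(buf));` still discards its return value, so on a failure `buf` is left uninitialised and the `setenv_str` on the next line exports stack contents into the script environment; this was true of the removed lines too, but the rewrite is the moment to close it. A guard such as `if (!inet_ntop(AF_INET6, &addr->addr.in6.sin6_addr, buf, sizeof(buf))) { buf[0] = '\0'; }` (or skipping the setenv on failure) keeps the exported value well-defined. The enclosing switch and function continue outside the hunk.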
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 465d92ba..07fb7b73 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -359,6 +359,7 @@ void sd_close(socket_descriptor_t *sd);
 #define PS_SHOW_PKTINFO (1<<2)
 #define PS_DONT_SHOW_ADDR   (1<<3)
 #define PS_DONT_SHOW_FAMILY (1<<4)
+#define PS_DONT_NORMALIZE   (1<<5)
 
 const char *print_sockaddr_ex(const struct sockaddr *addr,
   const char *separator,
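Review bot: `PS_DONT_NORMALIZE` is added with no comment, and unlike its neighbours its effect is not evident from the name alone; where the flag is honoured is not in this chunk, so a reader of the header cannot tell what "normalize" refers to. Assuming it gates the new v4-mapped handling in print_sockaddr_ex() — the consumer is not visible here — a one-line comment such as `/* print v4-mapped IPv6 addresses verbatim instead of as IPv4 */` next to the define would say so. The surrounding PS_* flags are equally undocumented, but this one introduces a new concept and is the one worth explaining.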
@@ -398,6 +399,12 @@ const char *print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena
 
 const char *print_in6_addr(struct in6_addr addr6, unsigned int flags, struct gc_arena *gc);
 
+void normalize_sockaddr(struct openvpn_sockaddr *sock);
+
+void copy_normalized_sockaddr(const struct openvpn_sockaddr *src, struct openvpn_sockaddr *dst);
+
+struct openvpn_sockaddr * normalized_sockaddr(const struct openvpn_sockaddr *sock, struct gc_arena *gc);
+
 const char *print_in_port_t(in_port_t port, struct gc_arena *gc);
 
 struct in6_addr add_in6_addr( struct in6_addr base, uint32_t add );
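Review bot: `normalized_sockaddr()` takes a `const struct openvpn_sockaddr *` and returns a non-const one, and the socket.c side of this patch notes that in the no-change case it hands back the caller's own const pointer; a caller that writes through the result would therefore modify an object the prototype promises not to touch. If callers only read the result, declaring it `const struct openvpn_sockaddr *normalized_sockaddr(const struct openvpn_sockaddr *sock, struct gc_arena *gc);` removes the cast-away-const and the "horrible" comment with it. The three new prototypes also lack any comment; a short one per function saying whether it modifies its argument in place, copies into a caller-supplied `dst`, or may allocate from `gc` would let callers pick the right one without reading socket.c. Style: `struct openvpn_sockaddr * normalized_sockaddr` has a space after `*` that the surrounding declarations do not use.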
-- 
2.47.1

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

