Re: [Openvpn-users] [ext] Windows GUI + proxy script support
* Dajka Tamás :
> Hi All,
>
> is there any way to push proxy config to clients with the Win Gui?
> PROXY_AUTO_CONFIG_URL does not seem implemented. Server is a bridge config,
> but openvpn server assigns the IP addresses. If I change that to a separate
> DHCP will it work as a DHCP option?

You want a user to establish a VPN connection and then "use" the pushed
PROXY_AUTO_CONFIG_URL in his/her browser?

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] [ext] OpenVPN GUI 11
* Colin Ryan :
> Folks,
>
> Per a previous email (and thanks for the help), I've been playing around
> with the 11 GUI.
>
> One thing that has come up is wondering if there is any way to generate a
> situation where if a user is presented a complete (i.e. embedded certs)
> .ovpn config file is there a configuration or switch that could be used to
> automatically have it Imported into the OpenVPN-GUI's local user config
> directories via a simple double click.

openvpn gui has an "import" option.

> I know Tunnelblick on Mac does this where a user can simply double click a
> ovpn extension file and it will prompt to load the configuration.

I do agree an "import on double click" would benefit the average
reading-impaired user (we have those, lots!)

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
[Openvpn-users] crl-verify
Hello list,

Debian Buster, OpenVPN 2.4.0-6

In the man page there is a flag 'dir' to the option 'crl-verify':

  If the optional dir flag is specified, enable a different mode where crl
  is a directory containing files named as revoked serial numbers (the files
  may be empty, the contents are never read). If a client requests a
  connection, where the client certificate serial number (decimal string) is
  the name of a file present in the directory, it will be rejected.

Ok, here we go:

  # grep crl-verify /etc/openvpn/server.conf
  crl-verify /etc/openvpn/crl dir

I'd like to block the cert with serial number 0B:

  # openssl x509 -noout -serial -in test.crt | \
      sed 's/.*=//g;s/../&:/g;s/:$//'
  0B

AFAIU the manpage I only have to touch the file:

  # touch /etc/openvpn/crl/0B

to prevent the cert with serial number 0B from connecting, but no way, I am
still able to connect using this cert with serial 0B.

Have I missed something crucial somewhere?

R.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
Hi,

why not simply use a CRL file and revoke the unneeded certificate?

To debug the issue, I think we'll need some logs with 'verb 4' - at least
from the server side.

Cheers,

Tom

-----Original Message-----
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 12:02 PM
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] crl-verify
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 12:30:48 +0200
Dajka Tamás wrote:

> why not simply use a CRL file and revoke the unneeded certificate?

Because it's a nice and simple option ;-)

> To debug the issue, I think we'll need some logs with 'verb 4' - at
> least from the server side.

Even with "verb 9" there is NO log line containing the word "crl". That's
quite weird isn't it? I can see all options of the conf file pass by when
restarting this instance (I cannot restart the complete server as it's a
production server)

Bug?

Oh, and BTW, I tried the crl file, just to try, but got:

  "CRL: cannot read CRL from file".

The dir is 755 and the file crl.pem is 644. I run openvpn as nobody/nogroup.

R.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
If it cannot read the crl file, then that's a problem :)

Check if all directories are world readable (not just the crl, but all
'upstream' directories, like /etc, /etc/openvpn ... !)

-----Original Message-----
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 12:51 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 12:50:30 +0200
richard lucassen wrote:

When adding the option on the CLI I see that it reads the option:

  # openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
      --config /etc/openvpn/server.conf | grep -i crl

  Thu Apr 16 12:56:01 2020 us=442959 crl_file = '/etc/openvpn/crl/tun0'

But it still does not work. When running with "verb 9" there is no string
"crl" in the logs.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 12:58:35 +0200
Dajka Tamás wrote:

> If it cannot read the crl file, then that's a problem :) Check if all
> directories are world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)

That is all ok. It is all 755 for dirs and 644 for files, except the server
keys. There is also a ccd dir and if upstream was 700 then it would not be
able to read these dirs as well. But I presume OpenVPN *can* read the file,
there is no "permission denied".

But I'd like to go for the option 'dir' as stated in the manpage...

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 13:00:53 +0200
richard lucassen wrote:

> On Thu, 16 Apr 2020 12:50:30 +0200
> richard lucassen wrote:
>
> When adding the option on the CLI I see that it reads the option:
>
>   # openvpn --crl-verify /etc/openvpn/crl/tun0 dir \
>       --config /etc/openvpn/server.conf | grep -i crl
>
>   Thu Apr 16 12:56:01 2020 us=442959 crl_file = '/etc/openvpn/crl/tun0'
>
> But it still does not work. When running with "verb 9" there is no
> string "crl" in the logs.

[erratum]

But when starting a client that uses a cert with serial '0B' it still does
not work. When running with "verb 9" there is no string "crl" in the logs.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
Still does NOT work? You mean, you are able to connect?

If u can't restart the server how can you test? Changing the server side
requires reboot.

You might have missed something with the directory rights. Simply 'su' to
nobody with a valid shell and try to read the 0B file

-----Original Message-----
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 1:07 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
Re: [Openvpn-users] [ext] Windows GUI + proxy script support
Yes (given he/she can access the proxy through the VPN - the defgw is pushed
also)

PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the
infos needed - standard format.

Cheers,

Tom

-----Original Message-----
From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.de]
Sent: Thursday, April 16, 2020 10:44 AM
To: Dajka Tamás
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [ext] [Openvpn-users] Windows GUI + proxy script support
Re: [Openvpn-users] [ext] Windows GUI + proxy script support
* Dajka Tamás :
> Yes (given he/she can access the proxy through the VPN - the defgw is
> pushed also)
>
> PROXY_AUTO_CONFIG_URL is a 'wpad'/'pac' file for me, containing all the
> infos needed - standard format.

Same as here; I don't think there's a way :/

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Re: [Openvpn-users] OpenVPN GUI 11
Hi,

On Wed, Apr 15, 2020 at 10:19 AM Colin Ryan wrote:
>
> Folks,
>
> Per a previous email (and thanks for the help), I've been playing around
> with the 11 GUI.
>
> One thing that has come up is wondering if there is any way to generate a
> situation where if a user is presented a complete (i.e. embedded certs)
> .ovpn config file is there a configuration or switch that could be used
> to automatically have it Imported into the OpenVPN-GUI's local user
> config directories via a simple double click.
>
> I know Tunnelblick on Mac does this where a user can simply double click
> a ovpn extension file and it will prompt to load the configuration.

Just for the record, the best way to install configurations in Tunnelblick
is to drag the configuration(s) and drop them on the Tunnelblick icon in the
menu bar. The user can install "incomplete" .ovpn files, too, as long as
the cert/key/etc. files the .ovpn files reference are readable by the user.

Drag/drop forces macOS to use the currently-running copy of Tunnelblick to
install the configuration. macOS's Launch Services, which handles
double-clicks, can get confused when more than one copy of Tunnelblick
exists on a system, or when other programs claim to be able to open
configuration files, or when its database gets messed up. All three happen
with enough frequency that we recommend drag/drop to install.

Cheers,

Jon Bullard

PS: Because of the way macOS works, we can't disable double-clicks but
still allow drag/drop, so for most users a double-click will work. But we
don't advertise that.
Re: [Openvpn-users] [ext] Windows GUI + proxy script support
I'll try to use a separate DHCP as Gert suggested and will see :)

-----Original Message-----
From: Ralf Hildebrandt [mailto:ralf.hildebra...@charite.de]
Sent: Thursday, April 16, 2020 1:59 PM
To: Dajka Tamás
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [ext] [Openvpn-users] Windows GUI + proxy script support
Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11
* Jonathan K. Bullard :
> Just for the record, the best way to install configurations in
> Tunnelblick is to drag the configuration(s) and drop them on the
> Tunnelblick icon in the menu bar. The user can install "incomplete"
> .ovpn files, too, as long as the cert/key/etc. files the .ovpn files
> reference are readable by the user.

Jonathan, just let me say: Tunnelblick rocks.

You put so much thought into this piece of software. It's a joy running
it. It's so much more sane than openvpnGUI on Windows (no offense
intended).

The only thing which is currently giving me gripes is that "the
configuration file you're currently using is outdated and some distant
version of openvpn might not be able to connect" - warning.

(My) users don't comprehend this. They don't grasp that it's just a
warning.

They see this warning as error "rendering their current installation
faulty/non working" - while it's working perfectly.

For over a year we've been sending out config files which don't trigger the
warning, but people still use the old files - and a new Tunnelblick, since
(thank Lord!) it auto updates!

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11
Jonathan,

Yes I am aware of the proper approach, we don't espouse just double
clicking. And I concur too, the functionality of Tunnelblick is great, I've
used it lots over the years.

Colin

On 2020-04-16 8:24 a.m., Ralf Hildebrandt wrote:
Re: [Openvpn-users] crl-verify
Hi,

On 16/04/2020 13:38, Dajka Tamás wrote:
> Still does NOT work? You mean, you are able to connect?
>
> If u can't restart the server how can you test? Changing the server side
> requires reboot.

This is not the case for CRLs and CRL directories. The server will get the
freshest data even without reboot.

Regards,

--
Antonio Quartulli
Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11
Hi,

On Thu, Apr 16, 2020 at 8:25 AM Ralf Hildebrandt wrote:
>
> * Jonathan K. Bullard :
>
> > Just for the record, the best way to install configurations in
> > Tunnelblick is to drag the configuration(s) and drop them on the
> > Tunnelblick icon in the menu bar. The user can install "incomplete"
> > .ovpn files, too, as long as the cert/key/etc. files the .ovpn files
> > reference are readable by the user.
>
> Jonathan, just let me say: Tunnelblick rocks.
>
> You put so much thought into this piece of software. It's a joy
> running it. It's so much more sane than openvpnGUI on Windows (no
> offense intended).

Thanks! I try!

> The only thing which is currently giving me gripes is that "the
> configuration file you're currently using is outdated and some distant
> version of openvpn might not be able to connect" - warning.
>
> (My) users don't comprehend this. They don't grasp that it's just a
> warning.
>
> They see this warning as error "rendering their current installation
> faulty/non working" - while it's working perfectly.

Yeah, it's a problem. And I'm about to add more such warnings now that macOS
has started displaying cryptic warnings about system extensions not working
in future versions of macOS.

Inspired by your comment, I'm going to rewrite these warnings to stress that
the configuration works now. Maybe users will at least read the first
sentence of the warning. But I'm not getting my hopes up.

For administrators with some control of their users' computers or
installations of Tunnelblick, you can set a Tunnelblick preference to
disable these warnings. Unfortunately there's a separate preference for each
of the different warnings.

> For over a year we've been sending out config files which don't trigger
> the warning, but people still use the old files - and a new Tunnelblick,
> since (thank Lord!) it auto updates!

Consider having the config files update, too, using our "new, simpler"
mechanism [1]. (But note that until they update their config files to
updatable config files, they won't update : )

The new way of having config files update requires that you distribute
"Tunnelblick VPN Configurations" [2], not plain .ovpn files, so that will be
a problem if you distribute the same configuration file(s) for users of all
platforms.

Colin, please accept my apologies for hijacking your thread. Just want to
set the record straight!

Cheers,

Jon Bullard

[1] https://tunnelblick.net/cNewUpdatableConfigurations.html
[2] https://tunnelblick.net/cPkgs.html
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 13:38:39 +0200
Dajka Tamás wrote:

> Still does NOT work? You mean, you are able to connect?

Yep. And according to the man page the server should reject the certificate
with serial 0B if a file exists in crl/0B (file can be empty)

> If u can't restart the server how can you test? Changing the server
> side requires reboot.

With a SysV system you can restart one of the OpenVPN instances like this:

  /etc/init.d restart server

where "server" is the server.conf without .conf

> You might have missed something with the directory rights. Simply
> 'su' to nobody with a valid shell and try to read the 0B file

As I said in another post, all dirs are 755 and files 644

It smells like a bug. Or a "bug" in the manpage.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 14:59:34 +0200
Antonio Quartulli wrote:

> > If u can't restart the server how can you test? Changing the server
> > side requires reboot.
>
> This is not the case for CRLs and CRL directories. The server will get
> the freshest data even without reboot.

Correct, but adding "crl-verify" needs a restart. Once it has been added
you can change the crl on the fly.

But anyhow, the "crl-verify dir" option does not work.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
Is selinux/apparmor enabled? That can prevent the openvpn process from
reading the file.

I know you've checked the files/dirs, but it's always a good idea to check
it with the actual user accessing it; it's too easy to overlook/miss
something.

-----Original Message-----
From: richard lucassen [mailto:mailingli...@lucassen.org]
Sent: Thursday, April 16, 2020 7:16 PM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] crl-verify
Re: [Openvpn-users] crl-verify
Hi,

On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> If it cannot read the crl file, then that's a problem :) Check if all
> directories are world readable (not just the crl, but all 'upstream'
> directories, like /etc, /etc/openvpn ... !)

--chroot in use? --chdir, and no absolute paths?

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 19:34:21 +0200
Dajka Tamás wrote:

> Is selinux/apparmor enabled? That can prevent the openvpn process from
> reading the file.
>
> I know you've checked the files/dirs, but it's always a good idea to
> check it with the actual user accessing it; it's too easy to
> overlook/miss something.

Of course. But there's no apparmor or selinux.

Even with a "verb 9" the string "crl" does not show up. That's quite weird
I think. And there's no "permission denied" or whatsoever...

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 19:49:42 +0200
Gert Doering wrote:

> On Thu, Apr 16, 2020 at 12:58:35PM +0200, Dajka Tamás wrote:
> > If it cannot read the crl file, then that's a problem :) Check if
> > all directories are world readable (not just the crl, but all
> > 'upstream' directories, like /etc, /etc/openvpn ... !)
>
> --chroot in use? --chdir, and no absolute paths?

no chroot, no chdir (default /etc/openvpn/), tried both absolute paths and
relative paths.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
Hi,

> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection, where the client certificate serial number
> (decimal string) is the name of a file present in the directory, it
> will be rejected.
>
> Ok, here we go:
>
>   # grep crl-verify /etc/openvpn/server.conf
>   crl-verify /etc/openvpn/crl dir
>
> I'd like to block cert with serial number 0B:
>
>   # openssl x509 -noout -serial -in test.crt | \
>       sed 's/.*=//g;s/../&:/g;s/:$//'
>   0B
>
> AFAIU the manpage I only have to touch the file:
>
>   # touch /etc/openvpn/crl/0B

IIRC, you have to use the decimal representation of the serial.

Selva
Re: [Openvpn-users] crl-verify [SOLVED]
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:

Yeah right:

  cd /etc/openvpn/crl/tun0/
  mv 0B 11

Now it works. The serial number must be decimal.

R.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify
On Thu, 16 Apr 2020 14:29:38 -0400
Selva Nair wrote:

> > # touch /etc/openvpn/crl/0B
>
> IIRC, you have to use the decimal representation of the serial.

I just found out, I saw your post too late. That was it indeed. Thnx!

R.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify [SOLVED]
Hi,

On 16/04/2020 19:52, richard lucassen wrote:
> On Thu, 16 Apr 2020 12:02:17 +0200
> richard lucassen wrote:
>
> Yeah right:
>
>   cd /etc/openvpn/crl/tun0/
>   mv 0B 11
>
> Now it works. The serial number must be decimal.

Which is even more 'fun' with randomised serial numbers, eg:

  94:68:4a:17:db:99:a7:36:88:ad:7d:70:fa:f6:99:11

Which EasyRSA now uses by default.

I presume openvpn is converting Hex to Dec in the code somewhere ?
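As an added example (not from any post in this thread, and not OpenVPN's own code), the conversion the thread arrives at: take the `serial=` line that `openssl x509 -noout -serial` prints, in the plain `0B` form or the colon-separated randomised EasyRSA form above, and produce the decimal file name that `crl-verify <dir> dir` matches against; it then mimics the server-side lookup in a constructed temporary directory so the `0B` versus `11` mistake is visible. Function names and the temporary-directory scenario are assumptions of this example.

```python
import os
import re
import subprocess
import tempfile


def serial_to_crl_filename(serial_hex: str) -> str:
    """Turn a certificate serial as printed by `openssl x509 -noout -serial`
    ("serial=0B", "0B" or "94:68:4a:...:11") into the decimal string that
    the `crl-verify <dir> dir` mode uses as the revocation file name."""
    s = serial_hex.strip()
    if s.lower().startswith("serial="):
        s = s[len("serial="):]
    s = s.replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", s):
        raise ValueError(f"not a hex serial: {serial_hex!r}")
    # Python ints are arbitrary precision, so a 128-bit randomised serial
    # converts without overflow (shell `$((16#...))` would wrap at 64 bits).
    return str(int(s, 16))


def cert_serial(cert_path: str) -> str:
    """Read the serial of a PEM certificate with the same openssl command
    used in the thread; returns the raw 'serial=...' line."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-serial", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def is_revoked(crl_dir: str, serial_hex: str) -> bool:
    """Mimic the manpage rule: the client is rejected when a file named
    after the decimal serial exists in the directory; contents are never read."""
    return os.path.isfile(os.path.join(crl_dir, serial_to_crl_filename(serial_hex)))


def revoke(crl_dir: str, serial_hex: str) -> str:
    """Equivalent of `touch /etc/openvpn/crl/<decimal serial>`; returns the path."""
    path = os.path.join(crl_dir, serial_to_crl_filename(serial_hex))
    open(path, "a").close()
    return path


def demo() -> dict:
    """Constructed scenario reproducing the thread: a file named with the hex
    serial "0B" blocks nothing, the decimal name "11" does."""
    with tempfile.TemporaryDirectory() as crl_dir:
        open(os.path.join(crl_dir, "0B"), "a").close()  # the original mistake
        before = is_revoked(crl_dir, "0B")
        revoke(crl_dir, "serial=0B")                      # creates the file "11"
        after = is_revoked(crl_dir, "0B")
        return {"hex_named_file_blocks": before, "decimal_named_file_blocks": after}


if __name__ == "__main__":
    print(serial_to_crl_filename("94:68:4a:17:db:99:a7:36:88:ad:7d:70:fa:f6:99:11"))
    print(demo())
```

Because a serial such as `10` is a valid file name in both bases, keep the directory populated only through the conversion function, never by hand-copying the hex string.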
Re: [Openvpn-users] crl-verify [SOLVED]
My first thought is "It should be trivial to write a little script to go
through and link the decimal name to the hex name", and even though,
intellectually, I know that the chance of a collision between hex and dec
names in that large a space would be infinitesimal, it still manages to
really bother me that it *could* happen.

On Thu, Apr 16, 2020 at 3:16 PM tincanteksup wrote:
Re: [Openvpn-users] [ext] Re: OpenVPN GUI 11
> > (My) users don't comprehend this. They don't grasp that it's just a
> > warning.
> >
> > They see this warning as error "rendering their current installation
> > faulty/non working" - while it's working perfectly.
>
> Yeah, it's a problem. And I'm about to add more such warnings now that
> macOS has started displaying cryptic warnings about system extensions
> not working in future versions of macOS.

At least these warnings should be in the tunnelblick log (I really like the
coloring there)

> Inspired by your comment, I'm going to rewrite these warnings to
> stress that the configuration works now. Maybe users will at least
> read the first sentence of the warning.

At most

> Consider having the config files update, too, using our "new, simpler"
> mechanism [1]. (But note that until they update their config files to
> updatable config files, they won't update : )

I will definitely look at that, since I didn't know it was possible.

> The new way of having config files update requires that you distribute
> "Tunnelblick VPN Configurations" [2], not plain .ovpn files, so that
> will be a problem if you distribute the same configuration file(s) for
> users of all platforms.

That is what we currently do, but if your method has advantages, we can
maybe generate MAC-Specific files.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Re: [Openvpn-users] crl-verify [SOLVED]
On Thu, 16 Apr 2020 15:25:38 -0400
Joe Patterson wrote:

> My first thought is "It should be trivial to write a little script to
> go through and link the decimal name to the hex name", and even
> though, intellectually, I know that the chance of a collision between
> hex and dec names in that large a space would be infinitesimal, it
> still manages to really bother me that it *could* happen.

In that case I'd use "normal" cert revocation in a crl.pem file...

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify [SOLVED]
On Thu, 16 Apr 2020 12:02:17 +0200
richard lucassen wrote:

> If the optional dir flag is specified, enable a different mode where
> crl is a directory containing files named as revoked serial numbers
> (the files may be empty, the contents are never read). If a client
> requests a connection, where the client certificate serial number
> (decimal string) is the name of a file present in the directory, it
> will be rejected.

And it's incredible: I read this stanza carefully and I just overlooked it, it is (more or less) clearly stated in the manpage:

(decimal string)

R.

--
richard lucassen
http://contact.xaq.nl/
Re: [Openvpn-users] crl-verify [SOLVED]
Missing the point completely.

*Why* does openvpn expect a decimal value for something which is clearly intended to be and is at source Hex.

On 16/04/2020 20:25, Joe Patterson wrote:
> My first thought is "It should be trivial to write a little script to go
> through and link the decimal name to the hex name", and even though,
> intellectually, I know that the chance of a collision between hex and dec
> names in that large a space would be infinitesimal, it still manages to
> really bother me that it *could* happen.
>
> On Thu, Apr 16, 2020 at 3:16 PM tincanteksup wrote:
> > Hi,
> >
> > On 16/04/2020 19:52, richard lucassen wrote:
> > > On Thu, 16 Apr 2020 12:02:17 +0200
> > > richard lucassen wrote:
> > >
> > > Yeah right:
> > >
> > > cd /etc/openvpn/crl/tun0/
> > > mv 0B 11
> > >
> > > Now it works. The serial number must be decimal.
> >
> > Which is even more 'fun' with randomised serial numbers, eg:
> >
> > 94:68:4a:17:db:99:a7:36:88:ad:7d:70:fa:f6:99:11
> >
> > Which EasyRSA now uses by default.
> >
> > I presume openvpn is converting Hex to Dec in the code somewhere ?
Re: [Openvpn-users] crl-verify [SOLVED]
Hi,

On Thu, Apr 16, 2020 at 10:41 PM tincanteksup wrote:
>
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.

What the ideal format should be is arguable, but the "source" is not in hex. Serial number is an "INTEGER" with no more than 20 octets and may be, say, DER encoded in the certificate. Decimal, hex etc are just string representations used for display.

With hex there are multiple formats out there, like upper case, lower case, optionally separated by space or :, with a leading 0x etc. "openssl x509 -serial ..." prints it as hex in upper case with no spaces, "openssl x509 -text .." has it in decimal with hex in parenthesis if the number is small (< 4 bytes?), otherwise as a lower case hex string with bytes separated by ":". And, there is no guarantee that these will not change in future.

I'm not saying decimal string is better. The representation is unambiguous as a set of digits with no spaces and no leading zeros. But it may not be easy for an end user to get the decimal value.

If we consider supporting hex, we'll first need to agree on the format.

Selva
Re: [Openvpn-users] crl-verify [SOLVED]
Hi,

On Fri, Apr 17, 2020 at 03:40:12AM +0100, tincanteksup wrote:
> Missing the point completely.
>
> *Why* does openvpn expect a decimal value for something which is clearly
> intended to be and is at source Hex.

It is a *number*. Whether a particular frontend presents it as "hex" is a matter of, well, "frontend presentation". Inside the crypto libraries, it's just a bignum - this is what the OpenVPN code does to get the serial:

/* returns the serial as a decimal string allocated from gc */
char *
backend_x509_get_serial(openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
    ASN1_INTEGER *asn1_i;
    BIGNUM *bignum;
    char *openssl_serial, *serial;

    asn1_i = X509_get_serialNumber(cert);       /* ASN.1 INTEGER from the cert */
    bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);  /* ... as an OpenSSL bignum */
    openssl_serial = BN_bn2dec(bignum);         /* ... rendered in decimal */

    serial = string_alloc(openssl_serial, gc);

    BN_free(bignum);
    OPENSSL_free(openssl_serial);
    return serial;
}

so, no special "we take a hex thing and change formatting to serial" (admittedly, formatting a bignum in hex is less work than convert to decimal string).

Now, for environment purposes, we actually do "serial (decimal)" and "serial (hex)"...

    /* export serial number as environmental variable */
    serial = backend_x509_get_serial(peer_cert, &gc);
    openvpn_snprintf(envname, sizeof(envname), "tls_serial_%d", cert_depth);

    /* export serial number in hex as environmental variable */
    serial = backend_x509_get_serial_hex(peer_cert, &gc);
    openvpn_snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth);

which came in in commit f80a52b09eed8e5 to make openssl and polarssl backends consistent (because polarssl used to do "hex" while openssl always did "serial", as long as OpenVPN existed).

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
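The "little script" Joe wished for, written here as an added illustration that is neither OpenVPN's code nor anything a poster sent: it normalises the hex renderings Selva lists (openssl's `serial=0B`, EasyRSA's colon-separated lower case, `0x` prefixes, either case) into the no-leading-zeros decimal string that BN_bn2dec produces and that the manpage text quoted above says the crl-verify dir mode matches file names against, and it checks a directory the same way. The temporary directory stands in for /etc/openvpn/crl/tun0/ and the two serial values are the ones quoted in the thread; the function names are the example's own.

```python
import re
import tempfile
from pathlib import Path

def serial_hex_to_decimal(hex_serial: str) -> str:
    """Map any hex rendering of a cert serial ('serial=0B' from openssl x509
    -serial, '94:68:4a:...' from openssl -text and EasyRSA, '0x..', either
    case) to the decimal string crl-verify's dir mode uses as the filename."""
    s = re.sub(r"^(serial=)?(0x)?", "", hex_serial.strip(), flags=re.I)
    s = re.sub(r"[\s:]", "", s)
    if not re.fullmatch(r"[0-9a-fA-F]+", s):
        raise ValueError(f"not a hex serial: {hex_serial!r}")
    # int() holds a 16-byte EasyRSA serial without overflow and str() prints
    # it with no leading zeros, the same form BN_bn2dec gives OpenVPN.
    return str(int(s, 16))

def decimal_to_hex(decimal_serial: str) -> str:
    """Reverse mapping in 'openssl x509 -serial' style: upper case, even length."""
    h = format(int(decimal_serial), "X")
    return h if len(h) % 2 == 0 else "0" + h

def revoke_in_dir(crl_dir: Path, hex_serial: str) -> str:
    """Create the empty marker file for this serial; returns the filename."""
    name = serial_hex_to_decimal(hex_serial)
    crl_dir.mkdir(parents=True, exist_ok=True)
    (crl_dir / name).touch()  # contents are never read, only the name matters
    return name

def is_revoked(crl_dir: Path, hex_serial: str) -> bool:
    """The lookup the manpage describes: a file named <decimal serial> exists."""
    return (crl_dir / serial_hex_to_decimal(hex_serial)).is_file()

def demo() -> dict:
    """Constructed walk-through in a temp dir standing in for
    /etc/openvpn/crl/tun0/, using the two serials quoted in the thread."""
    crl_dir = Path(tempfile.mkdtemp())
    easyrsa = "94:68:4a:17:db:99:a7:36:88:ad:7d:70:fa:f6:99:11"
    return {
        "small": revoke_in_dir(crl_dir, "serial=0B"),  # "11", as in the thread
        "random": revoke_in_dir(crl_dir, easyrsa),
        "revoked_0x0b": is_revoked(crl_dir, "0x0b"),
        "revoked_upper": is_revoked(crl_dir, easyrsa.replace(":", "").upper()),
        "not_revoked_0C": is_revoked(crl_dir, "0C"),
        "back_to_hex": decimal_to_hex(serial_hex_to_decimal(easyrsa)),
    }

if __name__ == "__main__":
    print(demo())
```

Because every input form collapses to one canonical decimal name, the hex/dec collision Joe worried about cannot arise as long as only this mapping writes into the directory.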