[Openvpn-users] Did I miss the 2.6.1 announcement?
Did I miss the 2.6.1 announcement? It was released on the 8th, but no announcement it seems.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hello,

On Thu, Mar 9, 2023 at 4:01 AM openvpn wrote:

> Hi, I’m posting the following question here as I was redirected to this
> mailing list for support by OpenVPN forum.
>
> https://forums.openvpn.net/viewtopic.php?p=110748&hilit=error+0A7B#p110748

Thanks for your report. I think we introduced a bug while changing the pkcs11-helper interface to support RSA-PSS signatures. We now directly call pkcs11h_certificate_signAnyEx() but failed to convert the ECDSA signature to the form OpenSSL expects -- PKCS#11 returns r|s, OpenSSL wants DER-encoded ASN.1.

If you want to try out a fixed version, use openvpn.exe from the GHA build here:

https://github.com/selvanair/openvpn/suites/11479839963/artifacts/592797275

Just replacing the one installed in C:\Program Files\OpenVPN\bin with this should do.

Selva
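The conversion described in the message above (PKCS#11's raw r|s to the DER-encoded ASN.1 that OpenSSL expects), as an added example; it is not OpenVPN's or pkcs11-helper's code, and the names ecdsa_raw_to_der and der_put_uint are hypothetical. It assumes r and s are equal-width big-endian halves of at most 66 bytes each (P-521), and the sample input is constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Write one DER INTEGER for an unsigned big-endian value; returns bytes written. */
static size_t der_put_uint(uint8_t *out, const uint8_t *v, size_t n)
{
    size_t len = 0;
    while (n > 1 && *v == 0) { v++; n--; }   /* minimal encoding: drop leading zeros */
    int pad = (v[0] & 0x80) != 0;            /* top bit set: prepend 0x00 so it stays positive */
    out[len++] = 0x02;                       /* INTEGER tag */
    out[len++] = (uint8_t)(n + pad);         /* short-form length, at most 67 here */
    if (pad) out[len++] = 0x00;
    memcpy(out + len, v, n);
    return len + n;
}

/* Convert raw r||s into DER ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }.
 * Returns the DER length, or 0 on malformed input or a too-small output buffer. */
size_t ecdsa_raw_to_der(const uint8_t *raw, size_t raw_len, uint8_t *der, size_t der_cap)
{
    uint8_t body[2 * (2 + 1 + 66)];          /* two INTEGERs of up to 66 bytes plus pad */
    size_t half = raw_len / 2, blen, hdr;

    if (raw == NULL || der == NULL || raw_len == 0 || (raw_len & 1) || half > 66)
        return 0;
    blen = der_put_uint(body, raw, half);
    blen += der_put_uint(body + blen, raw + half, half);

    hdr = (blen < 128) ? 2 : 3;              /* P-521 can need the long-form 0x81 length */
    if (der_cap < hdr + blen)
        return 0;
    der[0] = 0x30;                           /* SEQUENCE tag */
    if (blen < 128) der[1] = (uint8_t)blen;
    else { der[1] = 0x81; der[2] = (uint8_t)blen; }
    memcpy(der + hdr, body, blen);
    return hdr + blen;
}

int main(void)
{
    /* Constructed toy input (4-byte halves): r has leading zeros, s has its top bit set. */
    const uint8_t raw[8] = { 0x00, 0x00, 0x01, 0x02, 0x80, 0x00, 0x00, 0x01 };
    uint8_t der[160];
    size_t n = ecdsa_raw_to_der(raw, sizeof raw, der, sizeof der);
    for (size_t i = 0; i < n; i++) printf("%02x", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

A verifier given the raw form where DER is expected cannot parse the signature, which matches the symptom in this thread: the signature itself is valid, only its encoding is wrong.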
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hi Selva,

wow, thanks a lot for your very quick reply, I’m willingly testing the new GHA build and let you know the result as soon as possible.

Thank you,
Tom

From: Selva Nair
Sent: Friday, 10 March 2023 14:43
To: openvpn
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A7B:SSL routines::bad

Hello,

On Thu, Mar 9, 2023 at 4:01 AM openvpn <open...@sup-logistik.de> wrote:

> Hi, I’m posting the following question here as I was redirected to this
> mailing list for support by OpenVPN forum.
>
> https://forums.openvpn.net/viewtopic.php?p=110748&hilit=error+0A7B#p110748

Thanks for your report. I think we introduced a bug while changing the pkcs11-helper interface to support RSA-PSS signatures. We now directly call pkcs11h_certificate_signAnyEx() but failed to convert the ECDSA signature to the form OpenSSL expects -- PKCS#11 returns r|s, OpenSSL wants DER-encoded ASN.1.

If you want to try out a fixed version, use openvpn.exe from the GHA build here:

https://github.com/selvanair/openvpn/suites/11479839963/artifacts/592797275

Just replacing the one installed in C:\Program Files\OpenVPN\bin with this should do.

Selva
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hi,

> I’m willingly testing the new GHA build and let you know the result as soon as possible.

The link I sent was for the zip file for x64 build -- the following may be more transparent to show the branch it corresponds to.

https://github.com/selvanair/openvpn/actions/runs/4384798323#artifacts

Selva
[Openvpn-users] 2.6.x pre-build packages for Ubuntu (mostly) without DCO
The release notes say:

    configure now enables DCO build by default on FreeBSD and Linux. On Linux this brings in a new default dependency for libnl-genl (for Linux distributions that are too old to have a suitable version of the library, use "configure --disable-dco")

Now we checked this on our different ubuntu machines and found that openvpn (from the official build repos)

on focal: had no DCO
on kinetic: had DCO built-in

So I thought that libnl-genl and libnl-3 may not be available on focal or may be a bit too old. So I checked that as well:

on kinetic:

    # dpkg -l | grep libnl
    ii libnl-3-200:amd64 3.7.0-0.2 amd64 library for dealing with netlink sockets
    ii libnl-genl-3-200:amd64 3.7.0-0.2 amd64 library for dealing with netlink sockets - generic netlink

(I omitted the -dev packages, since their versions match)

on focal:

    # dpkg -l |fgrep libnl
    ii libnl-3-200:amd64 3.4.0-1ubuntu0.1 amd64 library for dealing with netlink sockets
    ii libnl-genl-3-200:amd64 3.4.0-1ubuntu0.1 amd64 library for dealing with netlink sockets - generic netlink

Now I wondered if 3.4.0 is considered too old (aka "not suitable") or if this is maybe an error in the build process?

configure.ac in 2.6.1 says:

    PKG_CHECK_MODULES([LIBNL_GENL],
        [libnl-genl-3.0 >= 3.4.0],
        [have_libnl="yes"],
        [
            AC_MSG_ERROR([libnl-genl-3.0 package not found or too old. Is the development package and pkg-config installed? Must be version 3.4.0 or newer for DCO])
        ]
    )

According to this, 3.4.0 should suffice!

So maybe the build process for the packages on https://swupdate.openvpn.net/repos/ is lacking a few build dependencies?

--
Ralf Hildebrandt
Re: [Openvpn-users] 2.6.x pre-build packages for Ubuntu (mostly) without DCO
Hi,

On Fri, Mar 10, 2023 at 04:32:37PM +0100, Ralf Hildebrandt via Openvpn-users wrote:
> Now we checked this on our different ubuntu machines and found that
> openvpn (from the official build repos)
>
> on focal: had no DCO
> on kinetic: had DCO built-in

I assume this is something in our build system. If there is no library, the new configure in 2.6.1 will not "just fall back to disable-dco" but will error-out.

OTOH, there's no kernel DCO for focal (I think?) so building the userland binary without DCO is no loss.

[...]
> So maybe the build process for the packages on
> https://swupdate.openvpn.net/repos/ is lacking a few build dependencies?

More like "explicitly disabling DCO", because without the dependencies, configure would error-out now.

Frank, can you enlighten us? :-)

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
Re: [Openvpn-users] [ext] Re: 2.6.x pre-build packages for Ubuntu (mostly) without DCO
* Gert Doering :
> On Fri, Mar 10, 2023 at 04:32:37PM +0100, Ralf Hildebrandt via Openvpn-users wrote:
> > Now we checked this on our different ubuntu machines and found that
> > openvpn (from the official build repos)
> >
> > on focal: had no DCO
> > on kinetic: had DCO built-in
>
> I assume this is something in our build system. If there is no library,
> the new configure in 2.6.1 will not "just fall back to disable-dco" but
> will error-out.
>
> OTOH, there's no kernel DCO for focal (I think?) so building the
> userland binary without DCO is no loss.

Nah! We're using linux-image-5.15.0-67-generic (installed by linux-image-virtual-hwe-20.04) and can build the DCO kernel module just fine - yes, manually, but we're willing to suffer if there's no package for that!

> More like "explicitly disabling DCO", because without the dependencies,
> configure would error-out now.

Ey! Rather build with DCO :)

> Frank, can you enlighten us? :-)

Yes please.

--
Ralf Hildebrandt
Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A00007B:SSL routines::bad
Hi Selva,

thank you so much for the given information and the provided new build, it works like a charm!

Thank you,
Tom

From: Selva Nair
Sent: Friday, 10 March 2023 15:42
To: openvpn
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] After upgrade Windows 10 client to OpenVPN 2.6, Yubikey PKCS11 PIV fails on server with error 0A7B:SSL routines::bad

Hi,

> I’m willingly testing the new GHA build and let you know the result as soon
> as possible.

The link I sent was for the zip file for x64 build -- the following may be more transparent to show the branch it corresponds to.

https://github.com/selvanair/openvpn/actions/runs/4384798323#artifacts

Selva