Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-11-12 Thread Davide Brini
On Thursday 12 November 2009, David Sommerseth wrote: > On 12/11/09 19:33, Olaf Fraczyk wrote: > > Hello, > > > > No, I wasn't using --multihome - I didn't know that this option exists > > and that it is necessary. I haven't found it in the man page or in > > the documentation on the web page. The only plac

Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/11/09 19:33, Olaf Fraczyk wrote: > Hello, > > No, I wasn't using --multihome - I didn't know that this option exists > and that it is necessary. I haven't found it in the man page or in > the documentation on the web page. The only place where I found it

Re: [Openvpn-devel] 2.1 rc20 and multiple interfaces problem

2009-11-12 Thread Olaf Fraczyk
Hello, No, I wasn't using --multihome - I didn't know that this option exists and that it is necessary. I haven't found it in the man page or in the documentation on the web page. The only place where I found it (after you let me know about it) was with openvpn --help. Thank you, I'll try it. BTW, why is i

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 (let's try to get this into the mailing list as well, sorry about that) On 12/11/09 18:59, Victor Wagner wrote: > On 2009.11.12 at 10:01:55 -0700, James Yonan wrote: > >> Victor Wagner wrote: >>> On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: >>

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-12 Thread Victor Wagner
On 2009.11.12 at 10:01:55 -0700, James Yonan wrote: > Victor Wagner wrote: > > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > > > >> Can you submit a patch (as an email attachment) with this fix? > > Attached > > > > This patch also contains X509_NAME_oneline replacement, which handles > >

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/11/09 16:37, Victor Wagner wrote: > On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote: >> I completely agree, that under normal circumstances, it should be enough >> by letting OpenSSL take care of the certificate chain. But as OpenVPN >>

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-12 Thread James Yonan
Victor Wagner wrote: > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > >> Can you submit a patch (as an email attachment) with this fix? > Attached > > This patch also contains X509_NAME_oneline replacement, which handles > MSB characters. > > I've not checked if this patch applies cleanly t

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread Victor Wagner
On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote: > I completely agree that under normal circumstances it should be enough > to let OpenSSL take care of the certificate chain. But as OpenVPN > now does list more certificates already, I was just trying to keep that > possibility still op

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread Matt Wilks
Yes indeed. Much appreciated, James. Matt. Dunc wrote: I see. Thanks very much for clearing that up, James. Cheers, Dunc James Yonan wrote: Well, the problem is that even though OpenVPN doesn't rely on OpenSSL renegotiations, it does not explicitly disable them. So to be safe, it's better

[Openvpn-devel] [PATCH] providing certificate SHA1 fingerprint in environment table

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I've rebased and rewritten the patch which gives SHA1 fingerprints/digests of the certificates in the environment table for plug-ins and scripts. The patch can be downloaded here:

[Openvpn-devel] [PATCH] openvpn over ipv6 support v0.4.10, rebased to 2.1_rc21

2009-11-12 Thread JuanJo Ciarlante
Hi, I rebased the latest incarnation of the ipv6 patch (0.4.10) to openvpn 2.1_rc21 release. Changes from v0.4.9..v0.4.10: * All platforms: - implemented redirect-gateway support for ipv4 on ipv6 endpoints - several src cleanups (no actual code changes) - doc updates * win32: - expanded usage

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/11/09 12:51, Till Maas wrote: > On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote: > >> 1) The certificate is first dumped to file. Would it be possible to >> pass it only via environment table, to avoid the file stage? The reas

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread Dunc
I see. Thanks very much for clearing that up, James. Cheers, Dunc James Yonan wrote: > Well, the problem is that even though OpenVPN doesn't rely on OpenSSL > renegotiations, it does not explicitly disable them. So to be safe, > it's better to upgrade to the fixed version of OpenSSL (0.9.8l).

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread Till Maas
On Wed, Nov 11, 2009 at 01:26:04PM +0100, David Sommerseth wrote: > 1) The certificate is first dumped to file. Would it be possible to > pass it only via environment table, to avoid the file stage? The reason > for this is primarily security (not to write more to disk than what you > really nee

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread James Yonan
Well, the problem is that even though OpenVPN doesn't rely on OpenSSL renegotiations, it does not explicitly disable them. So to be safe, it's better to upgrade to the fixed version of OpenSSL (0.9.8l). Also note that using tls-auth prevents the cited MITM attack (CVE-2009-3555) even when usin

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread Dunc
Hi James, Thanks for getting back to me. I was starting to wonder the same myself, but when I found this thread http://article.gmane.org/gmane.network.openvpn.user/28105 I thought I must be missing something. So if OpenVPN always uses a new session, what would be the point of adding an option

[Openvpn-devel] Where to report bugs?

2009-11-12 Thread Olaf Fraczyk
Hello, I have posted an email to this list regarding 2.1 rc20 and multiple network interfaces. It was on October 29. As I see no reply, please tell me where the place to put bug reports is. Regards, Olaf Frączyk -- Olaf Frączyk NAVI http://www.navi.pl http://www.ntp.navi.pl

[Openvpn-devel] OpenVPN 2.1_rc21 released

2009-11-12 Thread James Yonan
This release is to respond to the OpenSSL vulnerability CVE-2009-3555. Some people have worried that the fix made to OpenSSL to address this vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's session renegotiation capability. This is not the case. OpenVPN does not rely on the

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/11/09 22:15, Karl O. Pinc wrote: > On 11/11/2009 06:26:04 AM, David Sommerseth wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 11/11/09 12:06, Mathieu GIANNECCHINI wrote: >>> Victor Wagner a écrit : > But if entire certi

Re: [Openvpn-devel] Questions related to the SSL renegotiation vulnerability

2009-11-12 Thread James Yonan
OpenVPN uses a fresh SSL/TLS session for each of its mid-session renegotiations. This means that when you see: TLS: soft reset sec=0 bytes=314/0 pkts=6/0 OpenVPN is actually creating a brand new SSL/TLS session. So the important point here is that OpenVPN does not rely on the session rene