[Openvpn-devel] [PATCH] [PATCHv2] enhance tls-verify possibility

2010-03-01 Thread David Sommerseth
From: Mathieu GIANNECCHINI It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch adds a new "tls-export-cert" option whi

Re: [Openvpn-devel] [PATCH] Allow 'lport 0' setup for random port binding

2010-03-01 Thread David Sommerseth
On 28/02/10 14:44, David Sommerseth wrote: > From: Enrico Scholz > > I am running a multihomed host where 'local ' must be specified > for proper operation. Unfortunately, this implies 'lport 1194' or > another static port. > > This causes problems

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread Bernhard Schmidt
On 01.03.2010 22:59, David Sommerseth wrote: Could you please have a look at git://git.birkenwald.de/openvpn.git test-rebase branch? The history of gert-ipv6 was starting to look a bit weird (duplicate commits with the same content), so I rebased it on your bugfix2.1 branch (and dropped the dupl

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread David Sommerseth
On 01/03/10 22:41, Bernhard Schmidt wrote: > Hi David, > >>> It doesn't make a difference at the moment (since the patch came from >>> feat_ipv6_payload in the first place), but what's the general wish for >>> the future? What to rebase on? >> >> To b

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread Bernhard Schmidt
Hi David, It doesn't make a difference at the moment (since the patch came from feat_ipv6_payload in the first place), but what's the general wish for the future? What to rebase on? To be very honest, I'm very uncertain about what's best. Because it will a lot of changes in multiple branches.

Re: [Openvpn-devel] OpenVPN default gateway problems on Windows after resume from hibernation

2010-03-01 Thread Pasi Kärkkäinen
On Tue, Jan 26, 2010 at 05:51:36PM +0200, Pasi Kärkkäinen wrote: > On Wed, Dec 16, 2009 at 10:48:30AM +0200, Pasi Kärkkäinen wrote: > > On Thu, Dec 10, 2009 at 02:15:01PM +0200, Pasi Kärkkäinen wrote: > > > Hello, > > > > > > I'm having some problems with OpenVPN (2.1rc20) on Windows Vista. > > >

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread David Sommerseth
On 01/03/10 22:09, Bernhard Schmidt wrote: > David Sommerseth wrote: > > Hi David, > >>> David, could you please pull my branch from Berni, and move that patch >>> to wherever bugfixes/code cleanups go? It should merge easily into >>> all branches

Re: [Openvpn-devel] FreeBSD funny in the code

2010-03-01 Thread Bernhard Schmidt
David Sommerseth wrote: Hi David, >> David, could you please pull my branch from Berni, and move that patch >> to wherever bugfixes/code cleanups go? It should merge easily into >> all branches. > > Pushed and pulled. I've only put your extra commit into the bugfix2.1 > branch (as a cherry-pi

[Openvpn-devel] [PATCH] The man page needs dash escaping in UTF-8 environments

2010-03-01 Thread David Sommerseth
From: Jan Brinkmann There was a debian bug report which was filed in 2005 . It was patched but it seems that nobody forwarded the patch to the openvpn project itself. The problem is quite simple: The dashes for options (the double dashes) are not esc

[Openvpn-devel] Sent "testers wanted" mail to -users list

2010-03-01 Thread Samuli Seppänen
Hi, I noted we've had some problems testing the new code against some OS'es (e.g. OpenBSD), so I just sent a "OpenVPN testers wanted" mail to the "openvpn-users" list: http://sourceforge.net/mailarchive/forum.php?thread_name=4B8BF01A.20501%40openvpn.net&forum_name=openvpn-users I suggest we use

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 02:59:42PM +0100, David Sommerseth wrote: > It should be nice to enhance tls-verify check possibilities against peer > cert during a pending TLS connection like : > - OCSP verification > - check any X509 extensions of the peer certificate > - delta CRL verification > -

Re: [Openvpn-devel] [PATCH] Allow 'lport 0' setup for random port binding

2010-03-01 Thread Enrico Scholz
Till Maas writes: >> |- if (!legal_ipv4_port (port)) >> |+ if (port != 0 && !legal_ipv4_port (port)) > > I am pretty sure that it is possible to listen on port 0, not on linux; e.g. see in net/ipv4/inet_connection_sock.c the implementation of | /* Obtain a reference to a local port

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 08:12:03 AM, Stefan Monnier wrote: > >> If someone could give at least some vaguely plausible scenario, > >> that'd help. > > Maybe there's more than one tunnel and there's some stupid > > load balancing going on using a hosts file? (Along with > > deleting all non-vpn routes.) > >

Re: [Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good pingwhen -l 1472 (with packet size = MTU)

2010-03-01 Thread Peter Stuge
booyakasha wrote: > We are using Windows XP / Vista. Could you try using the same configuration also on other systems? Linux, BSD, etc. I would be interested in knowing if this problem is only seen on Windows. //Peter

[Openvpn-devel] Free copies of Packt's new OpenVPN book at Cebit, Hannover, Germany

2010-03-01 Thread Markus Feilner
Hello list, Thanks a lot for the great software you are building here! I have a little announcement: "On Wednesday, March 03, Packt author Markus Feilner will have a signing event at the German Cebit IT conference (http://www.cebit.de). In hall 2, at the booth of his employer Linux New Medi

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Stefan Monnier
>> If someone could give at least some vaguely plausible scenario, >> that'd help. > Maybe there's more than one tunnel and there's some stupid > load balancing going on using a hosts file? (Along with > deleting all non-vpn routes.) [ Setting aside the fact that using OpenVPN's broken handling o

Re: [Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good pingwhen -l 1472 (with packet size = MTU)

2010-03-01 Thread booyakasha
I spent much time on this problem and it is not a simple question of configuration to be discussed on the users forum. I've tried all sorts of combinations of MTU sizes from extremely small to very big, all settings regarding MSS, RWIN, mssfix and so on... I'm not accusing anyone because of incompetenc

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 03:37:07 AM, David Sommerseth wrote: > Even though I do agree with you, Karl, that the vocabulary can be > confusing, I'm not sure it is up to us to change that. Just figured I'd mention it. Karl Free Software: "You don't pay back, you pay forward." -- Robert A

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 04:22:04 AM, David Sommerseth wrote: > On 01/03/10 06:32, Karl O. Pinc wrote: > > On 02/28/2010 10:24:36 PM, Peter Stuge wrote: > >> David Sommerseth wrote: > >>> +++ b/options.c > >>> @@ -529,6 +529,9 @@ static const char usage_message[] = > >>>" tests of certifi

Re: [Openvpn-devel] special-case code for OpenBSD - advice needed

2010-03-01 Thread Karl O. Pinc
On 03/01/2010 01:54:46 AM, Gert Doering wrote: > Hi, > > On Sun, Feb 28, 2010 at 10:13:10PM -0600, Karl O. Pinc wrote: > > So, you should not need to do the ifconfig at all unless you're > > interested in tap functionality or there's other odd > > frobbing going on. > > You need ifconfig to set a

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:52:56 PM, Karl O. Pinc wrote: > On 02/28/2010 11:39:11 PM, Peter Stuge wrote: > > Karl O. Pinc wrote: > > > > > + "--tls-export-cert [directory] : Get peer cert in PEM > format > > and > > > > > > There is no man page. It's in sample-scripts/. > > > > It's a new option, right?

Re: [Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good ping when -l 1472 (with packet size = MTU)

2010-03-01 Thread David Sommerseth
On 01/03/10 13:04, booyakasha wrote: > Hello, > there are so many complaints about openvpn performance in proto tcp mode > that it is almost unbelievable that nobody took care of it. I am using two > 20/20 MB connections and openvpn > tunnel in tcp mod

[Openvpn-devel] Openvpn 2.1.1 bad tcp performance but good ping when -l 1472 (with packet size = MTU)

2010-03-01 Thread booyakasha
Hello, there are so many complaints about openvpn performance in proto tcp mode that it is almost unbelievable that nobody took care of it. I am using two 20/20 MB connections and openvpn tunnel in tcp mode. Without vpn my ping is about 10ms but with vpn it jumps to 520ms. What is most interesting

Re: [Openvpn-devel] [PATCH] Add CID to the management status overview

2010-03-01 Thread David Sommerseth
On 28/02/10 15:28, Gert Doering wrote: > Hi, > > On Sun, Feb 28, 2010 at 01:50:35PM +0100, David Sommerseth wrote: >> There are commands in the management interface which require the cid. The >> only way at the moment to get the cid of connected clien

[Openvpn-devel] Regarding patch reviews

2010-03-01 Thread David Sommerseth
Hi all! I am delighted to see that more people begin to respond to patches being sent. These discussions are crucially important for us and the OpenVPN community, and even the OpenVPN company I would presume. However, I would like you to do a minor

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread David Sommerseth
On 01/03/10 12:03, Arne Schwabe wrote: > On 01.03.2010 11:16, David Sommerseth wrote: >> >> On 28/02/10 15:56, Arne Schwabe wrote: >>> On 28.02.2010 14:22, David Sommerseth wrote:

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Arne Schwabe
On 01.03.2010 11:16, David Sommerseth wrote: On 28/02/10 15:56, Arne Schwabe wrote: On 28.02.2010 14:22, David Sommerseth wrote: On 26/06/09 17:00, Arne Schwabe wrote: Hi, I have written a simple

Re: [Openvpn-devel] [Feedback needed] Fix cross compile support

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 10:25:10PM +0100, David Sommerseth wrote: > I'm reviewing this patch in the patch tracker, and cannot make up my > mind if this is correct or not. Can someone please advise if this is > something we should include or not? > >

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread David Sommerseth
On 01/03/10 06:32, Karl O. Pinc wrote: > On 02/28/2010 10:24:36 PM, Peter Stuge wrote: >> David Sommerseth wrote: >>> +++ b/options.c >>> @@ -529,6 +529,9 @@ static const char usage_message[] = >>>" tests of certification. cmd sho

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread David Sommerseth
On 28/02/10 15:56, Arne Schwabe wrote: > On 28.02.2010 14:22, David Sommerseth wrote: >> >> On 26/06/09 17:00, Arne Schwabe wrote: >>> Hi, >>> >>> I have written a simple plugin for packet filtering

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread David Sommerseth
On 01/03/10 04:52, Karl O. Pinc wrote: >>> If one of these files is found the file is used as PF configuration. >> > Maybe >>> > > this plugin is useful for someone else. >> > >> > Hi! >> > >> > Thank you for your patches. I've been looking at both p

Re: [Openvpn-devel] special-case code for OpenBSD - advice needed

2010-03-01 Thread Gert Doering
Hi, On Sun, Feb 28, 2010 at 10:13:10PM -0600, Karl O. Pinc wrote: > So, you should not need to do the ifconfig at all unless you're > interested in tap functionality or there's other odd > frobbing going on. You need ifconfig to set an IP address :-) - which might be considered "odd frobbing", bu

[Openvpn-devel] [PATCH] Final frobbing of openvpn(8) --tls-verify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index 70e1e68..51d6ac5 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4236,7 +4236,7 @@ should return 0 to allow the TLS handshake to proceed, or 1 to fail. Note that .

[Openvpn-devel] [PATCH] Yet another tweak of openvpn(8) --tls-verify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index 9512fc3..70e1e68 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4235,8 +4235,8 @@ should return 0 to allow the TLS handshake to proceed, or 1 to fail. Note that

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:39:11 PM, Peter Stuge wrote: > Karl O. Pinc wrote: > > > > + "--tls-export-cert [directory] : Get peer cert in PEM format > and > > > > There is no man page. It's in sample-scripts/. > > It's a new option, right? The sample script has a new option, yes. But the --tls-verify o

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 11:32:46 PM, Karl O. Pinc wrote: > However, the openvpn(8) --tls-verify section of the man page > is poor. I just sent another patch that clarifies it. > Perhaps this is what you're looking for? If not then > just ignore my man page patch. I just sent another man page patch to be

[Openvpn-devel] [PATCH] More improvements to openvpn(8) --tls-verify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index 0150ba7..9512fc3 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4235,14 +4235,14 @@ should return 0 to allow the TLS handshake to proceed, or 1 to fail. Note

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Peter Stuge
Karl O. Pinc wrote: > > > + "--tls-export-cert [directory] : Get peer cert in PEM format and > > There is no man page. It's in sample-scripts/. It's a new option, right? //Peter

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 10:24:36 PM, Peter Stuge wrote: > David Sommerseth wrote: > > +++ b/options.c > > @@ -529,6 +529,9 @@ static const char usage_message[] = > >" tests of certification. cmd should return 0 > to allow\n" > >" TLS handshake to proceed, or 1 to fa

[Openvpn-devel] [PATCH] Frob the openvpn(8) man page tls-verify section to clarify

2010-03-01 Thread Karl O. Pinc
From: Karl O. Pinc --- openvpn.8 | 22 +- 1 files changed, 13 insertions(+), 9 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index f1612a7..0150ba7 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -4232,11 +4232,23 @@ test). .B cmd should return 0 to allow the TLS handshake

Re: [Openvpn-devel] [PATCH] OpenVPN PKCS11-ID autoselect

2010-03-01 Thread Alon Bar-Lev
I disagree. First certificate tells you nothing, usually you have several (signing, authentication, decryption). First is random, and random is bad. After a while the old certificates also expire and you have new ones added to the card. It would be not wise to enforce your card scheme on others.

Re: [Openvpn-devel] [Feedback needed] Fix cross compile support

2010-03-01 Thread Alon Bar-Lev
Yes, it is better than current. Should use --host= and not --target= for cross compile. 1. I would not touch host_alias it is irrelevant and may lead to problems. Use only host variable in autoconf. 2. The case in autoconf should be '*-*-os*)' and not '*os*)' 3. I don't think it is so important

Re: [Openvpn-devel] [PATCH] FQDN for routes should expand to all IPs (second round)

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 02:04:01 PM, Stefan Monnier wrote: > > I'm at a loss when it comes to try and imagine someone who's used to > the > current behavior and bothered by the new behavior. Really. How can > the > current behavior ever be preferable? Why would someone ever prefer > that > a route would

Re: [Openvpn-devel] [PATCH] enhance tls-verify possibility

2010-03-01 Thread Peter Stuge
David Sommerseth wrote: > +++ b/options.c > @@ -529,6 +529,9 @@ static const char usage_message[] = >" tests of certification. cmd should return 0 to allow\n" >" TLS handshake to proceed, or 1 to fail. (cmd is\n" >" executed as 'cmd c

Re: [Openvpn-devel] special-case code for OpenBSD - advice needed

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 08:50:01 AM, Gert Doering wrote: > Hi, > > while working on "make IPv6 payload work on Win32", I found something > quite peculiar for OpenBSD in the OpenVPN code. > > Now, for all operating systems *except* Win32 and OpenBSD, the > sequence > of execution is > > open_tun() > d

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 07:22:16 AM, David Sommerseth wrote: > On 26/06/09 17:00, Arne Schwabe wrote: > > Hi, > > > > I have written a simple plugin for packet filtering that looks up > fw > rules > > in the order > > > > Commonname.pf > > IP_Port.pf > > IP.pf > > default.pf > > > > If one of these files is

Re: [Openvpn-devel] Unpackaged Windows binaries? -- Problems building 2.1 rc15 on Windows XP

2010-03-01 Thread Karl O. Pinc
On 02/28/2010 06:27:54 AM, David Sommerseth wrote: > On 09/04/09 05:03, Karl O. Pinc wrote: > > The OpenVPN devs have a "built" source tree in which they run > > install-win32/buildinstaller. My point being that > > if they would package it up > > and release it alongside the resultant installe

Re: [Openvpn-devel] OpenVPN Pf plugin/small status patch

2010-03-01 Thread Arne Schwabe
On 28.02.2010 14:22, David Sommerseth wrote: On 26/06/09 17:00, Arne Schwabe wrote: Hi, I have written a simple plugin for packet filtering that looks up fw rules in the order Commonname.pf IP_Port.pf IP.pf default.pf If one of these files is fou