Re: [Openvpn-devel] script-security 1

2010-12-02 Thread David Sommerseth
On 02/12/10 22:58, Jan Just Keijser wrote: [...snip...] | I guess the only platform on which '--script-security 0' can do | something useful is Windows, as the IPAPI calls are "internal", that is, | they do not require an execve() to initialize things

Re: [Openvpn-devel] script-security 1

2010-12-02 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: On 02/12/10 15:53, Jan Just Keijser wrote: hi all, the openvpn 2.1 man page on script-security reads: --script-security level [method] This directive offers policy-level control over OpenVPN's usage of ex

Re: [Openvpn-devel] PATCH: floating-tls

2010-12-02 Thread Karl O. Pinc
On 12/02/2010 11:56:56 AM, Samuli Seppänen wrote: > Hi Blaise, > > Actually we discussed the floating-tls patch in last community > meeting: > > > The discussion ends with deciding that the feature be "opt-in", I presume via a compile t

Re: [Openvpn-devel] PATCH: floating-tls

2010-12-02 Thread David Sommerseth
On 02/12/10 18:44, Blaise Gassend wrote: > Hi, > > Didn't hear back from anybody. Is there really no interest at all in > adding floating TLS? > We discussed this patch on the developers meeting last week. We probably forgot to give an explicit fee

Re: [Openvpn-devel] PATCH: floating-tls

2010-12-02 Thread Samuli Seppänen
Hi Blaise, Actually we discussed the floating-tls patch in last community meeting: This week's meeting is starting in ~5 minutes on #openvpn-devel at irc.freenode.net - perhaps you could join and discuss floating-tls in detail with the o

Re: [Openvpn-devel] PATCH: floating-tls

2010-12-02 Thread Karl O. Pinc
On 12/02/2010 11:44:27 AM, Blaise Gassend wrote: > Hi, > > Didn't hear back from anybody. Is there really no interest at all in > adding floating TLS? Sounds like a nice feature to me, but I don't know enough to ack the code. Karl Free Software: "You don't pay back, you pay forward."

Re: [Openvpn-devel] PATCH: floating-tls

2010-12-02 Thread Blaise Gassend
Hi, Didn't hear back from anybody. Is there really no interest at all in adding floating TLS? Thanks, Blaise On Thu, Oct 21, 2010 at 8:25 PM, Blaise Gassend wrote: > Hi, > > To allow seamless roaming of our robots at willowgarage > (http://willowgarage.com), I have put together a patch that all

Re: [Openvpn-devel] script-security 1

2010-12-02 Thread David Sommerseth
On 02/12/10 15:53, Jan Just Keijser wrote: > hi all, > > the openvpn 2.1 man page on script-security reads: > > --script-security level [method] > This directive offers policy-level control over OpenVPN's usage of > external programs and scripts

[Openvpn-devel] Topics for today's meeting

2010-12-02 Thread Samuli Seppänen
Hi, We're having an IRC meeting today, starting at 18:00 UTC on #openvpn-de...@irc.freenode.net. Current topic list is here: If you have any other things you'd like to bring up, respond to this mail, send me mail privately or add the

[Openvpn-devel] script-security 1

2010-12-02 Thread Jan Just Keijser
hi all, the openvpn 2.1 man page on script-security reads: --script-security level [method] This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Gert Doering
Hi, On Thu, Dec 02, 2010 at 11:50:47AM +0100, David Sommerseth wrote: > Wow, I mean WOW!! This is quite some work you've done! [..] What he said :-) I'm not so pessimistic regarding inclusion in 2.3, though - yes, 2.3 brings large changes, but not yet in the SSL arena. So why not break that as

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Farkas Levente
On 12/02/2010 12:10 PM, Matthias Andree wrote: > On 02.12.2010 10:46, Farkas Levente wrote: >> On 12/02/2010 10:05 AM, Adriaan de Jong wrote: >>> Hi List, >>> >>> We've been working on OpenVPN in preparation for a security evaluation. >>> This entailed documenting OpenVPN at a relatively high l

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Adriaan de Jong
Great to hear positive reactions. I'll wait with the rebase to 2.2 until I get a signal from you. To answer your question: patch 3 only adds a backend for PolarSSL, adding a configure option to select the SSL library to use. I'm still working on a few extra features, such as PolarSSL PKCS #11

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Davide Brini
On Thu, 02 Dec 2010 12:10:29 +0100 Matthias Andree wrote: > > most distro switch from openssl to nss. is there any reason you switch > > to polarssl instead of nss? > > > > What do you base the "most distro" assessment on? > > Are you aware of any website discussing the advantages of the "big

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Matthias Andree
On 02.12.2010 10:46, Farkas Levente wrote: > On 12/02/2010 10:05 AM, Adriaan de Jong wrote: >> Hi List, >> >> We've been working on OpenVPN in preparation for a security evaluation. This >> entailed documenting OpenVPN at a relatively high level, removing the >> dependencies on OpenSSL, and a

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread David Sommerseth
On 02/12/10 10:05, Adriaan de Jong wrote: > Hi List, > > We've been working on OpenVPN in preparation for a security evaluation. This > entailed documenting OpenVPN at a relatively high level, removing the > dependencies on OpenSSL, and adding supp

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Adriaan de Jong
We’re hoping that it is a big step towards modularization for both the data channel crypto and control channel negotiation. As the control channel verification code has been separated, it should also be a first step towards modularization of that code. Adriaan From: chantra [mailto:chan...@deb

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread chantra
> PolarSSL was a personal choice for us, mostly due to its simplicity and > multi-platform support. The patch is written in such a way that generic > operations from most libraries should work, as long as a new backend is > written for them. > > Adriaan Hi, This seems to be a step forward

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Adriaan de Jong
PolarSSL was a personal choice for us, mostly due to its simplicity and multi-platform support. The patch is written in such a way that generic operations from most libraries should work, as long as a new backend is written for them. Adriaan > -Original Message- > From: Farkas Levente

Re: [Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Farkas Levente
On 12/02/2010 10:05 AM, Adriaan de Jong wrote: > Hi List, > > We've been working on OpenVPN in preparation for a security evaluation. This > entailed documenting OpenVPN at a relatively high level, removing the > dependencies on OpenSSL, and adding support for a simpler, easier to evaluate > l

[Openvpn-devel] Documentation and alternative SSL backend patches

2010-12-02 Thread Adriaan de Jong
Hi List, We've been working on OpenVPN in preparation for a security evaluation. This entailed documenting OpenVPN at a relatively high level, removing the dependencies on OpenSSL, and adding support for a simpler, easier to evaluate library (PolarSSL). This was done in a series of patches: -