On 23/04/2014 17:21, Timothe Litt wrote:
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my spare pi from the
desk drawer and built 2.
Signed-off-by: Steffan Karger
---
sample/sample-keys/README        |  6 ++--
sample/sample-keys/ec-ca.crt     | 13 +
sample/sample-keys/ec-ca.key | 6
sample/sample-keys/ec-client.crt | 61
sample/sample-keys/ec-client.key | 6
sa
This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the
heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.
For older O
Hi,
As discussed earlier today, updated patches for ECDH support. See
http://article.gmane.org/gmane.network.openvpn.devel/8308 for the previous
version.
These patches comprise two changes:
1) Because the PolarSSL 1.3 patches have been merged, I updated the code and
docs to reflect that PolarS
On 23/04/2014 04:17, Arne Schwabe wrote:
Am 21.04.14 21:26, schrieb James Yonan:
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are se
Hi,
On 23-04-14 17:36, Timothe Litt wrote:
> Just to confirm that the issue is 1.2, not the negotiation:
>
> I added an unconditional
> sslopt |= SSL_OP_NO_TLSv1_2;
> in tls_ctx_set_options.
>
> With this (and the context initialized to SSL_v23_*_method, so we
> negotiate), the tunnel com
Hi,
On Wed, Apr 23, 2014 at 01:27:19PM -0400, Timothe Litt wrote:
> >now - does that sound like it could be the problem? The initial handshake
> >packet "under some conditions" (like: the local OpenSSL build having
> >more available ciphers, depending on how it was built) being too big,
> >causin
Gert,
while cycling home from $paidwork
Cycling while thinking about TLS might be as bad as texting while driving...
now - does that sound like it could be the problem? The initial handshake
packet "under some conditions" (like: the local OpenSSL build having
more available ciphers, dependin
Hi,
On Wed, Apr 23, 2014 at 11:36:28AM -0400, Timothe Litt wrote:
> Just to confirm that the issue is 1.2, not the negotiation:
>
> I added an unconditional
> sslopt |= SSL_OP_NO_TLSv1_2;
> in tls_ctx_set_options.
>
> With this (and the context initialized to SSL_v23_*_method, so we
> ne
On 23-Apr-14 06:56, Steffan Karger wrote:
Hi,
On 04/23/2014 10:10 AM, Gert Doering wrote:
On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote:
It does not appear to be the negotiation, rather it's TLS1.2.
This is quite cool, thank you. (I'm not enough of a crypto geek to
make real s
This is quite cool, thank you.
You're welcome. I don't like unsolved mysteries, and since I have a
solid reproducer, thought I should do what I can.
Some more. I looked into building on Windows, but the doc says one
needs commercial tools; I'm not going to buy them for this.
However, I got
Hi,
On 04/23/2014 10:10 AM, Gert Doering wrote:
> On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote:
>> It does not appear to be the negotiation, rather it's TLS1.2.
>
> This is quite cool, thank you. (I'm not enough of a crypto geek to
> make real sense out of it, but it's quite usef
Hi,
On 04/23/2014 12:08 PM, Arne Schwabe wrote:
> ACK.
Thanks for reviewing. Yesterday evening I've been reworking these
patches a bit however. I want to have three things resolved:
1) PolarSSL 1.3 is already in master, and supports elliptic curve
crypto, so the --show-curves and --ecdh-curve opt
Am 21.04.14 21:26, schrieb James Yonan:
> On 21/04/2014 05:27, Arne Schwabe wrote:
>> On 21.04.2014 09:10, James Yonan wrote:
>>> Define PIP_OPT_MASK to represent all flags of interest to
>>> process_ip_header, so that it can have a fast exit path
>>> if no flags are set.
>>
>> I haven't look at th
Am 26.02.14 00:28, schrieb Steffan Karger:
> Signed-off-by: Steffan Karger
> ---
> sample/sample-keys/README        |  6 ++--
> sample/sample-keys/ec-ca.crt     | 13 +
> sample/sample-keys/ec-ca.key | 6
> sample/sample-keys/ec-client.crt | 61
> ++
Am 26.02.14 00:27, schrieb Steffan Karger:
> This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
>
> When OpenSSL 1.0.2 or newer is used, lets OpenSSL do the heavy lifting.
>
> Otherwise, tries the following things (in order of preference):
> * When supplied, use the ecdh curve speci
Hi,
On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote:
> It does not appear to be the negotiation, rather it's TLS1.2.
This is quite cool, thank you. (I'm not enough of a crypto geek to
make real sense out of it, but it's quite useful to understand where
it is failing, and I appreciat
It does not appear to be the negotiation, rather it's TLS1.2.
I debugged the client hello in OpenSSL - a bit tricky due to the
timeouts, but I established that the server is picking TLS1.2.
I then switched the tls_ctx_{client,server}_new to use
TLSv1_2_{client,server}_method in the call to SS