Re: [Openvpn-devel] [PATCH] Deprecate --no-iv

2016-12-07 Thread Gert Doering
Hi, On Wed, Dec 07, 2016 at 09:51:16PM +0100, Arne Schwabe wrote: > > +- ``--no-iv`` is deprecated in 2.4 and will be remove in 2.5. > > Typo: removed Since I had not pushed it yet, I've changed Changes.rst to fix that, and added your Acked-By: The new commitish is now commit 4969f0d6bba8a82d4

[Openvpn-devel] Summary of today's (7th Dec 2016) IRC meeting

2016-12-07 Thread Samuli Seppänen
Hi, Here's the summary of today's IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on irc.freenode.net Date: Wednesday 7th Dec 2016 Time: 20:00 CET (19:00 UTC) Planned meeting topics for this meeting were here: The nex

Re: [Openvpn-devel] [PATCH] Deprecate --no-iv

2016-12-07 Thread Arne Schwabe
On 07.12.16 at 20:20, Steffan Karger wrote: > This fixes the bug of supporting --no-iv (since we're only accepting > bugfixes in the current release phase ;) ). > > The --no-iv function decreases security if used (CBC *requires* > unpredictable IVs, other modes don't allow --no-iv at all), and ev

[Openvpn-devel] [PATCH applied] Re: Deprecate --no-iv

2016-12-07 Thread Gert Doering
ACK. We have too many options :-) - tested. Your patch has been applied to the master branch. commit b5bf19b1579343ddccaddf2bb464ef2a5a09664d Author: Steffan Karger Date: Wed Dec 7 20:20:47 2016 +0100 Deprecate --no-iv Signed-off-by: Steffan Karger Acked-by: Gert Doering

[Openvpn-devel] [PATCH applied] Re: Fix (and cleanup) crypto flags in combination with NCP

2016-12-07 Thread Gert Doering
ACK. Looks good, and doesn't break anything in my test scenarios (and we have confirmation from the reporter in trac #784 that it fixes the OFB case). The "we abort if --no-iv is set without explicitly turning off NCP" is a bit drastic, but acceptable, I think. Some people will need to change th

[Openvpn-devel] [PATCH] Deprecate --no-iv

2016-12-07 Thread Steffan Karger
This fixes the bug of supporting --no-iv (since we're only accepting bugfixes in the current release phase ;) ). The --no-iv function decreases security if used (CBC *requires* unpredictable IVs, other modes don't allow --no-iv at all), and even marginally decreases other users' security by adding

[Openvpn-devel] [PATCH applied] Re: Refactor setting close-on-exec for socket FDs

2016-12-07 Thread Gert Doering
Thanks for the test reports (Agi per Mail, Thermi on IRC) and ACK from Arne. Patch has been applied to the master branch ("this is a bugfix"). commit e35a788339497ec5c179a5d0a23f63824989ec3e Author: Gert Doering Date: Tue Dec 6 13:26:02 2016 +0100 Refactor setting close-on-exec for socket

[Openvpn-devel] [PATCH] Fix (and cleanup) crypto flags in combination with NCP

2016-12-07 Thread Steffan Karger
tls_session_update_crypto_params() did not properly set crypto_flags_or, but instead set crypto_flags_and twice if an OFB/CFB mode was selected. Also, the crypto flags in ks->crypto_options.flags were set before tls_session_update_crypto_params() was called, causing those to not be adjusted. To fi

[Openvpn-devel] OpenVPN 2.3.14 released

2016-12-07 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.14. It can be downloaded from here: This release includes many small fixes and improvements. A summary of these changes is available here:

Re: [Openvpn-devel] [PATCH applied] Add "async push" feature to Changes.rst

2016-12-07 Thread David Sommerseth
Your patch has been applied to the master branch I did a slight modification to the Changes.rst file, making it even more clear that --enable-async-push is an option to ./configure being used at build time. commit 212ef1a409b375174dd81d52da34678ebab6

Re: [Openvpn-devel] [PATCH] Arm inotify only in server mode

2016-12-07 Thread David Sommerseth
On 07/12/16 09:19, Gert Doering wrote: > Hi, > > On Wed, Dec 07, 2016 at 01:45:51AM +0200, Lev Stipakov wrote: >> #ifdef ENABLE_ASYNC_PUSH >>/* arm inotify watcher */ >> - event_ctl (c->c2.event_set, c->c2.inotify_fd, EVENT_READ, >> (void*)&file_shift); >> + if (c->options.mode == MODE_SER

Re: [Openvpn-devel] [PATCH v3] Refactor setting close-on-exec for socket FDs

2016-12-07 Thread Alberto Gonzalez Iniesta
On Tue, Dec 06, 2016 at 01:36:04PM +0100, Arne Schwabe wrote: > On 06.12.16 at 13:26, Gert Doering wrote: > > The existing code can leak socket FDs to the "--up" script, which is > > not desired. Brought up by Alberto Gonzalez Iniesta, based on debian > > bug 367716. > > > > Since different sock

Re: [Openvpn-devel] fuzz testing by google ?

2016-12-07 Thread Gert Doering
Hi, On Wed, Dec 07, 2016 at 04:51:36PM +0500, ?? wrote: > at least, I recall this commit > https://github.com/OpenVPN/openvpn/commit/0d8da22ae36d5efd03fba36c1d783b907589e321 *That* commit is "the 2.3.6 release", but I see what you mean. > it used to crash on simple tcp conne

Re: [Openvpn-devel] fuzz testing by google ?

2016-12-07 Thread Илья Шипицин
2016-12-07 2:18 GMT+05:00 Gert Doering : > Hi, > > On Fri, Dec 02, 2016 at 08:48:29AM +0500, ?? wrote: > > https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html > > This is generally interesting, of course. > > Fuzzing openvpn "as a whole" is

Re: [Openvpn-devel] [PATCH] Correctly state the default dhcp server address in man page

2016-12-07 Thread Samuli Seppänen
On 07/12/2016 10:29, Gert Doering wrote: > Hi, > > On Tue, Dec 06, 2016 at 05:37:15PM -0500, Selva Nair wrote: >> Yes, it does work in tun mode (easy to test just use offset 0 on command >> line) > > Good :-) > >> I had posted a patch ( a year ago?) which sets the offset to 0. I did not >> rem

[Openvpn-devel] [PATCH] Add "async push" feature to Changes.rst

2016-12-07 Thread Lev Stipakov
From: Lev Stipakov --- Changes.rst | 5 + 1 file changed, 5 insertions(+) diff --git a/Changes.rst b/Changes.rst index 843f2bd..44fe346 100644 --- a/Changes.rst +++ b/Changes.rst @@ -147,6 +147,11 @@ Control channel encryption (``--tls-crypt``) channel packets. Provides more privacy,

Re: [Openvpn-devel] [PATCH] Correctly state the default dhcp server address in man page

2016-12-07 Thread Gert Doering
Hi, On Tue, Dec 06, 2016 at 05:37:15PM -0500, Selva Nair wrote: > Yes, it does work in tun mode (easy to test just use offset 0 on command > line) Good :-) > I had posted a patch ( a year ago?) which sets the offset to 0. I did not > remove the offset variable though it makes sense to get rid of

Re: [Openvpn-devel] [PATCH] Arm inotify only in server mode

2016-12-07 Thread Gert Doering
Hi, On Wed, Dec 07, 2016 at 01:45:51AM +0200, Lev Stipakov wrote: > #ifdef ENABLE_ASYNC_PUSH >/* arm inotify watcher */ > - event_ctl (c->c2.event_set, c->c2.inotify_fd, EVENT_READ, > (void*)&file_shift); > + if (c->options.mode == MODE_SERVER) > +event_ctl (c->c2.event_set, c->c2.inot