Current default gateway selection for zero destination address just
dumps and parses all the routing tables. If any non-main table
with a default route comes first, the wrong default gateway can be picked.
Since adding/removing routes currently handles only main table,
let's stick to RT_TABLE_MAIN whi
Load balancing setup over multiple upstreams may include multipath
gateway route, which is not supported by OpenVPN.
Let's add basic support for that when selecting the best route for zero
destination address - use any one of the nexthop addresses as a gateway,
weights are not handled.
Setup example:
Hi Arne,
On 08/04/2021 16:02, Arne Schwabe wrote:
> Instead maintaining two different representation of the data channel
> options in struct options and struct tls_options, use the same
> flags variable that tls_options uses.
>
> Signed-off-by: Arne Schwabe
This patch looks good, but I was wond
Hi,
On 08/04/2021 14:00, Arne Schwabe wrote:
> OpenSSL also allows ARIA-GCM and that works well with our implementation.
> While the handpicked list was needed for earlier OpenSSL versions (and
> is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL
> 1.0.2 and 1.1.x works as expect
Hi,
On 07/04/2021 17:49, Arne Schwabe wrote:
> This patch also refactors the if condition that checks the result of
> the authentication since that has become quite unreadable. It renames
> s1/s2 and extracts some parts of the condition into individual variables
> to make the condition better unde
Hi,
On 15/04/2021 13:45, Arne Schwabe wrote:
> Most of the functions removed either already have a version check
> against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
> according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
> and SSL_library_init.
>
> Signed-of
Most of the functions removed either already have a version check
against LibreSSL 2.9.0 or are also now deprecated in LibreSSL as well
according to the man pages in OpenBSD 6.8 like SSL_CTX_set_ecdh_auto
and SSL_library_init.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_openssl.c | 17 ++
Now that the path for the CRL file is handled correctly when using
chroot, there's no good reason for the file to be inaccessible during
ssl_init().
This commit ensures that the CRL file is accessed successfully at least
once, which fixes a bug where the mbedtls version of OpenVPN wouldn't
use a r
When using the chroot option, the init_ssl function can be called before
entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This
commit ensures that OpenVPN tries to open the correct path for the CRL
file in either situation.
This commit does not address key and certificate files.