On Tue, 08 Apr 2014 11:08:59 +0200, Tore Anderson wrote:
> I'm guessing that everyone has seen http://heartbleed.com/ by now.
>
> My question is simple: Could anyone confirm whether or not OpenVPN is
> vulnerable (when linked to a vulnerable version of OpenSSL)?
This is James' reply on the dev
]
is still supported and [up] is expected to contain username and password
on two lines.
Signed-off-by: Davide Brini
---
src/openvpn/init.c    | 6 +--
src/openvpn/misc.c    | 2 +-
src/openvpn/options.c | 54 +--
src/openvpn/options.h | 2 +
src/openvpn/ssl.c
So here we go, your points are all valid. The patch you attached has a
spurious line, or maybe it's just my client that doesn't show it correctly,
I see
@@ -5835,7 +5872,12 @@
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
{
- options->auth_user_pass_file = p[1];
+
ication (only tested inline
setting, not with a file).
Joerg
Original message
Sent: Saturday, 05 October 2013 at 15:57
From: "Max Muster"
To: "Davide Brini"
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH]
syntax
auth-user-pass [up]
is still supported and [up] is expected to contain username and password
on two lines.
Signed-off-by: Davide Brini
---
src/openvpn/init.c    | 6 +--
src/openvpn/misc.c    | 2 +-
src/openvpn/options.c | 56
src/openvpn/options.h | 2
username and password
on two lines.
Signed-off-by: Davide Brini
---
src/openvpn/init.c    | 9 +++--
src/openvpn/misc.c    | 2 +-
src/openvpn/options.c | 56
src/openvpn/options.h | 2 +
src/openvpn/ssl.c     | 98
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
Signed-off-by: Davide Brini
---
doc/openvpn.8 | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git
On Tue, 4 Jun 2013 12:15:30 +0200, wen lui wrote:
> let me explain my understanding on tun/tap
>[snip]
Sorry, but what does all this have to do with OpenVPN development?
--
D.
Very simple fix.
---
src/openvpn/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2a0ba85..9a9c49a 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2547,7 +2547,7 @@ do_option_warnings (struct context *c)
el
On Tue, 8 Jan 2013 07:41:59 -0600, Eric Crist
wrote:
> I'm certain this is the behavior for TAP, but I'll do some due diligence
> and generate a few different scenarios and verify. It's entirely
> possible this behavior is only present with the TAP adapter. I'll post
> my findings later this w
On Mon, 7 Jan 2013 14:30:01 -0600, Eric Crist
wrote:
> This is something I've been meaning to address for quite some time, since
> the documentation is very, very wrong. I'm not very good at reading the
> code (yet), so please correct me if I'm wrong. This update is based on
> behavior I've see
On Mon, 24 Sep 2012 19:20:18 +0200, Krzysztof Witek wrote:
> From: Krzysztof Witek
>
> If multiple ip addresses of the same subnet are configured on an
> interface, openvpn may not send udp datagrams to the peer
> using the correct source ip address.
>
> If a host sends the udp datagrams to th
On Fri, 31 Aug 2012 06:39:31 -0600, joshua gross
wrote:
> Hi,
> I working on an authentication plugin for openvpn (remote authentication).
> I would like to be able to send a reason to the client for denying
> authentication. Is this possible through a plugin? or the management
> console? I've
On Mon, 24 Oct 2011 12:07:49 +0200, David Sommerseth
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 19/09/11 19:19, Davide Brini wrote:
> > Signed-off-by: Davide Brini
> >
> > This patch creates two new environment variables: "multihome_i
Signed-off-by: Davide Brini
This patch creates two new environment variables: "multihome_iface" and
"multihome_ip", which contain respectively the interface name and IP address
where the client connection came in, so scripts can use them.
Tested on IPv4, "works for me"
On the "TesterDocumentation" page, the instructions say
When testing this version of OpenVPN, we would appreciate if all deprecated
features would be disabled by default. We want to know how OpenVPN behaves
for you without these features. When doing the compile-time configuration
of OpenVPN, pleas
On Sat, 12 Mar 2011 00:35:17 -0300 Federico Heinz wrote:
> The reason I looked into this in the first place was that, unlike
> those TCP-based protocols, I couldn't get OpenVPN to work on a
> firewall with two external IP addresses without running two daemons,
> each one bound to one interface on
On Friday 28 Jan 2011 11:57:30 Stefan Hellermann wrote:
> > Are you using the "multihome" option in the server configuration? As far
> > as I can tell, using "multihome" uses the PKTINFO information to source
> > UDP replies from the correct IP address; however, while it does work for
> > IPv4, I
On Friday 28 Jan 2011 00:07:37 Stefan Hellermann wrote:
> I have a problem with proto udp6 (tun inside). My Openvpn-server should
> be reachable on multiple IPv6-addresses over UDP6. The packets arrive at
> the correct IP, but Openvpn answers them on a default ip, not on the one
> where the packe
On Thu, 30 Dec 2010 21:02:25 + Mr Dash Four
wrote:
> On a side note, could you let me know how to submit a bug with the Trac
> system - I spent a good couple of hours and still didn't manage to find
> a way to submit a bug?
You have to register. Start here:
https://community.openvpn.net/p
On Thu, 02 Dec 2010 12:10:29 +0100 Matthias Andree
wrote:
> > most distro switch from openssl to nss. is there any reason you switch
> > to polarssl instead of nss?
> >
>
> What do you base the "most distro" assessment on?
>
> Are you aware of any website discussing the advantages of the "big
On Mon, 18 Oct 2010 13:19:53 -0500 "Daniel Johnson"
wrote:
> I want to set up company laptops and remote desktops to use OpenVPN
> as a service, but it should *only* connect if the computer does not
> already have a connection (such as locally wired or internal
> wireless).
Sorry for the silly q
On Sat, 24 Jul 2010 12:30:09 -0700 Alex T wrote:
> I have 2 suggestions regarding openvpn (client mode):
> - the use of SHA512 with the TLS ciphers
OpenVPN does not implement any encryption; it relies on OpenSSL. So, if
the OpenSSL library used by OpenVPN supports it, so does OpenVPN.
> - some
On Wednesday 16 Jun 2010 13:03:39 David Balažic wrote:
> Hi!
>
> Is there some crash course for using git with openvpn sources?
>
> I know svn and other tools, but not git.
>
> So i need steps list like:
>
> apt-get install git
> svn co http://repo.openvpn.net/patchme # translated into git synt
On Sunday 06 June 2010, Toby Thain wrote:
> >> Most of the common GNU utilities (including gcc) are in the standard
> >> Solaris install, either via /usr/sfw/ or by using g prefix (e.g.
> >> gawk,
> >> gmake).
> >
> > Possibly, but it still means that either scripts using standard
> > names and ex
On Saturday 05 June 2010, Toby Thain wrote:
> >
> > I'm not sure why Solaris has been insisting for ages now in shipping
> > default tools that are either old, with less features or downright broken.
> > It's not just about sh; other popular tools like awk are also pretty much
> > unusable by def
On Saturday 05 June 2010, David Sommerseth wrote:
> Yes, that can be seen as a solution for some people. But then it would
> be better for us to explicitly require the needed shell rather to tell
> them to (w)hack their system "because easy-rsa don't support old Solaris
> /bin/sh".
>
> We should
On Saturday 05 June 2010, David Sommerseth wrote:
> On 05/06/10 00:49, Matthias Andree wrote:
> > Note that some parts of the scripts may be Solaris /bin/sh unfriendly,
> > for instance, Solaris's sh doesn't support test -e or [ -e. My patch
> > does not address this.
>
> This makes me very reluc
e
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Signed-off-by: Davide Brini
---
forward.c | 5 +++--
openvpn.8
On Friday 30 April 2010, Davide Brini wrote:
> Well, the obvious (and probably wrong, probably inefficient) way could
> be to just check if the packet at hand is a ping message, and if it is
> do not record it as "activity", eg
>
> if (! is_ping_msg (&c->c2.buf))
On Friday 30 April 2010, Gert Doering wrote:
> On Fri, Apr 30, 2010 at 06:24:20PM +0100, Davide Brini wrote:
> > Well, the obvious (and probably wrong, probably inefficient) way could be
> > to just check if the packet at hand is a ping message, and if it is do
> > not record
On Friday 30 April 2010, Davide Brini wrote:
> if (! is_ping_msg (&c->c2.buf))
>   register_activity (c, size);
>
> This is in two places: in process_outgoing_tun() and
> process_outgoing_link().
Actually that would probably need to be done only in process_outgoing_lin
On Friday 30 April 2010, David Sommerseth wrote:
> >> I agree that that would be a wise change. However, I wonder: why change
> >> the amount of bytes, if you can also simply not count the ping packets?
> >> To me, it would seem a much more accurate way of determining whether the
> >> connection i
On Wednesday 28 April 2010, David Sommerseth wrote:
> > +status=$(openssl ocsp -issuer "$issuer" \
> > +"$nonce" \
> > +-CAfile "$verify" \
> > +-url "$ocsp_url" \
> > +-serial "0x${serial}" 2>/dev/null)
> > +
> >
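Review bot: in the `openssl ocsp` invocation, `"$nonce"` is passed as a quoted standalone argument, so when `$nonce` is unset or empty the command receives an empty-string argument, which `openssl ocsp` will most likely reject as an unknown option and fail; either expand it unquoted or make sure the variable always holds a valid `-nonce`/`-no_nonce` flag. The `2>/dev/null` on the same command also throws away the reason for any failure, which matters here because the caller is expected to exit on a non-zero status and the error would otherwise never reach any log; capturing stderr into a variable or a log file would keep it inspectable.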
and explicitly looks for a
"0x: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
co
nvpn.devel/3588
for more details.
Signed-off-by: Davide Brini
---
contrib/OCSP_check/OCSP_check.sh | 89 ++
openvpn.8                        | 7 +++-
ssl.c                            | 27 ++-
3 files changed, 119 insertions(+), 4 deletions(
On Monday 26 Apr 2010 16:19:20 David Sommerseth wrote:
> > (I still think it would be nice to have some sort of channel to send
> > errors to OpenVPN's main log from the children scripts or programs, so
> > users could inspect it.)
>
> This begins to look very good!
>
> Just for the errors ... t
On Monday 26 Apr 2010 15:50:56 Karl O. Pinc wrote:
> > > itself. So if the script could fail gracefully giving a hint like
> > > "you've not done as I told you to", some support issues will be
> > > avoided.
> >
> > Ok, that makes sense. I didn't look at it this way, but then I
> > perfectly know
On Monday 26 Apr 2010 11:04:16 David Sommerseth wrote:
> >> ... and have a check that this variable is set? If unset, exit with
> >> error.
> >
> > Ah well, as I said the script is meant to be a barebone skeleton to
> > demonstrate basic usage. That is by no means the only thing that lacks
> > pr
On Monday 26 Apr 2010 00:13:39 David Sommerseth wrote:
> Btw! Very good idea by introducing the OCSP_check.sh example! And even
> a proper git patch! I like that :)
Thanks!
> > +# OCSP responder URL (mandatory)
> > +ocsp_url="http://some.ocsp.server/";
> > +#ocsp_url="https://some.secure.ocsp
"openssl ocsp".
Signed-off-by: Davide Brini
---
contrib/OCSP_check.sh | 67 +
openvpn.8             | 7 -
ssl.c                 | 26 +--
3 files changed, 96 insertions(+), 4 deletions(-)
create m
On Saturday 24 April 2010, David Sommerseth wrote:
> From: David Sommerseth
>
> This is a first-cut of removing misleading warnings from the logs.
>
> The main task of this patch is to avoid reporting the
> SCRIPT_SECURITY_WARNING over and over again, in addition to not show this
> warning whe
On Friday 23 Apr 2010 11:13:21 David Sommerseth wrote:
> On 22/04/10 23:37, Davide Brini wrote:
> > --- openvpn-2.1.1/ssl.c 2010-02-28 22:17:45.0 +
> > +++ openvpn-2.1.1-a/ssl.c 2010-04-22 22:33:40.0 +0100
> > @@ -788,9 +788,28 @@ verify_callback (in
On Friday 23 Apr 2010 00:34:38 Peter Stuge wrote:
> Davide Brini wrote:
> > the serial number is just an (almost) arbitrarily large number. Why
> > would a CA choose such a serial number?
>
> In order to avoid a chosen-prefix collision that works among other
> things
On Thursday 22 April 2010, Jan Just Keijser wrote:
> > The only doubt I have is about error handling; in this case, if the
> > allocation of the BIO fails, an error message is logged and nothing is
> > done. Is this the right thing to do?
>
> I don't know if a FATAL error is such a good thing - n
On Thursday 22 April 2010, Davide Brini wrote:
> (moving to -devel as this obviously pertains there more than to -users)
Sorry, too quick! I posted an incomplete version of the patch. The attached
one should be better.
The only doubt I have is about error handling; in this case, if
(moving to -devel as this obviously pertains there more than to -users)
On Thursday 22 April 2010, Davide Brini wrote:
> > > RFC 5280 says that "certificate users MUST be able to handle
> > > serialNumber values up to 20 octets", so a 16-byte value looks valid to
>
On Thursday 22 Apr 2010 09:02:23 David Sommerseth wrote:
> For future patches, would you mind adding a little bit more descriptive
> text which can be used as commit log messages. I do write those commit
> logs when I find it is needed, but adding a little bit more descriptions
> of what the patc
On Wednesday 21 Apr 2010 14:49:13 Richard Monk wrote:
> I had an issue come up where the clients were getting DNS entries in the
> reverse order the server sends them when using the client.up contrib
> script. Since the DNS servers on our system are in order from
> closest->farthest network wise
On Monday 19 April 2010, David Sommerseth wrote:
> I've done a quick test on one of my connections on Fedora 12 without any
> resolvconf package (meaning it invokes the simple cp approach), and it
> worked like a charm.
>
> Applied to bugfix2.1 and merged into allmerged.
> Commit a9c9a89e96dc1e4e
On Sunday 18 Apr 2010 23:27:31 David Sommerseth wrote:
> Added as commit 38025abb47f74363c3ee87ca7265e99a4055459e to bugfix2.1
> and merged into allmerged.
Thanks. Though I understand it's not critical, in case you didn't notice,
there's also another pending patch I submitted more than one month
On Friday 16 Apr 2010 10:35:54 Gert Doering wrote:
> On Fri, Apr 16, 2010 at 11:16:32AM +0200, David Sommerseth wrote:
> > I'll look more into this, as the only advantage is that if open() with
> > O_EXCL|O_CREAT fails if the file exists, it should be used instead.
>
> Unfortunately, this won't h
The man page does not mention that the default value of "mssfix" is 1450.
--- openvpn-2.1.1/openvpn.8 2010-02-28 22:17:45.0 +
+++ openvpn-2.1.1-a/openvpn.8 2010-04-15 19:43:53.0 +0100
@@ -1223,7 +1223,8 @@ their send packet sizes such that after
the resulting UDP packet
On Wednesday 17 March 2010, open...@rkmorris.us wrote:
> Hi Davide,
>
>
>
> Yes, that makes sense - and I was going to do that originally, but I
> figured the real-time bytecount would result in less traffic (and text
> parsing). One question though ... you say "status file". Do you really
>
On Wednesday 17 March 2010, open...@rkmorris.us wrote:
> I am trying to write an application that monitors traffic over an OpenVPN
> link - by using bytecount information from the management interface.
> However, after I telnet in, and enter "bytecount 1" (for 1 second
> updates), I find that t
On Wednesday 10 March 2010, David Sommerseth wrote:
> > Well, I was actually going to write a patch, but shortly after starting I
> > found out that it would end up being essentially the same as Gentoo's
> > scripts. Would it be worth separately maintaining something that has
> > already been writ
On Wednesday 10 Mar 2010 15:45:32 David Sommerseth wrote:
> On 01/03/10 00:26, Davide Brini wrote:
> > On Sunday 28 February 2010, David Sommerseth wrote:
> >> From: Dan Nelson
> >>
> >> Many of the scripts in the openvpn source have their shell set to
>
On Sunday 28 February 2010, David Sommerseth wrote:
> From: Dan Nelson
>
> Many of the scripts in the openvpn source have their shell set to
> /bin/bash, but only two use bash features. The attached patch (against
> openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
> bette
On Saturday 12 December 2009, James Yonan wrote:
> Using nobind on the client for UDP client connections generates a socket
> with a dynamic source port number. This is key because it means that
> when the client reconnects, it does so with a new source port number,
> and this allows OpenVPN to d
On Friday 11 December 2009, James Yonan wrote:
> Try adding the "nobind" directive to your client config file. I think
> this will solve the problem.
That seems indeed to do it. Thank you very much!
However, never in my life could I have imagined that this was due to a setting
*on the client*.
On Thursday 12 November 2009, David Sommerseth wrote:
> On 12/11/09 19:33, Olaf Fraczyk wrote:
> > Hello,
> >
> > No, I wasn't using --multihome - I didn't know that this option exists
> > and that is necessary. I haven't found it in man page and in
> > documentation on the web page. The only plac