Re: [Openvpn-devel] [L] Change in openvpn[master]: dns: don't publish env vars to non-dns scripts

2025-01-20 Thread Jonathan K. Bullard
On Mon, Jan 20, 2025 at 7:00 PM Heiko Hund wrote: > > Right, the plan is to ship this in 2.7, as it is a way too large change for > slipping it in somewhere in between. Ok, thanks!

Re: [Openvpn-devel] [L] Change in openvpn[master]: dns: don't publish env vars to non-dns scripts

2025-01-20 Thread Jonathan K. Bullard
Hi. On Mon, Jan 20, 2025 at 2:38 PM Heiko Hund wrote: > Hi Jon > > On Montag, 20. Januar 2025 00:02:46 CET Jonathan K. Bullard wrote: > > On Mon, Jan 13, 2025 at 8:13 AM d12fk (Code Review) > > wrote: > > > With --dns-script in place we no longer need DNS related

Re: [Openvpn-devel] [L] Change in openvpn[master]: dns: don't publish env vars to non-dns scripts

2025-01-19 Thread Jonathan K. Bullard
Hi. On Mon, Jan 13, 2025 at 8:13 AM d12fk (Code Review) wrote: > With --dns-script in place we no longer need DNS related vars in the > environment for other script hooks. Code for doing that is removed and > the function to set --dns stuff made static, for internal use only. > > Another thing:

Re: [Openvpn-devel] [PATCH applied] Re: Static-challenge concatenation option

2024-09-11 Thread Jonathan K. Bullard
Hi, On Mon, Sep 9, 2024 at 1:11 PM Gert Doering wrote: > > Hi, > > On Mon, Sep 09, 2024 at 12:01:54PM -0400, Selva Nair wrote: > > > Is the GUI support already committed? I seem to remember seeing a PR > > > for that "weeks ago"... and someone needs to bring Tunnelblick on board. > > > > I've se

Re: [Openvpn-devel] OpenVPN 2.5.9 released

2023-02-16 Thread Jonathan K. Bullard
On Thu, Feb 16, 2023 at 9:24 AM Arne Schwabe wrote: > > Am 16.02.23 um 14:11 schrieb Jonathan K. Bullard: > > Not yet seeing anything about 2.5.9 at > > https://openvpn.net/community-downloads/ > > <https://openvpn.net/community-downloads/>. (From the New Y

Re: [Openvpn-devel] OpenVPN 2.5.9 released

2023-02-16 Thread Jonathan K. Bullard
(Sorry for my earlier top-post.) On Thu, Feb 16, 2023 at 7:51 AM Frank Lichtenheld wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.5.9. This is > a small bugfix release. > Was this sent a bit early? There is no 2.5.9 tag at https://github.com/OpenVPN/openvpn/tags. Be

Re: [Openvpn-devel] OpenVPN 2.5.9 released

2023-02-16 Thread Jonathan K. Bullard
Not yet seeing anything about 2.5.9 at https://openvpn.net/community-downloads/. (From the New York City metropolitan area.) Maybe caches need updating? Best regards, Jon Bullard On Thu, Feb 16, 2023 at 7:51 AM Frank Lichtenheld wrote: > The OpenVPN community project team is proud to relea

Re: [Openvpn-devel] [PATCH 7/7] add message about changing default values

2021-09-13 Thread Jonathan K. Bullard
Hi, On Mon, Sep 13, 2021 at 8:37 AM Gert Doering wrote: > > Hi, > > On Sat, Sep 04, 2021 at 11:56:29AM +0200, Antonio Quartulli wrote: > > Add warning at startup to notify users about the change. > [..] > > +/* Give a general warning at the end of initialisation that defaults > > + * have

Re: [Openvpn-devel] [PATCH] Include utun device number in utun error messages

2020-07-25 Thread Jonathan K. Bullard
Hi, On Sat, Jul 25, 2020 at 7:51 PM Arne Schwabe wrote: > > For lack of a better API (or knowledge about a better API) we try to > open utun devices on macOS by trying utun0 to utun255 and use the > first one that works. On my Mac I have already 4 devices that > do nothing but are just there and

Re: [Openvpn-devel] [PATCH applied] Re: Unified success messages for setting mtu

2020-07-06 Thread Jonathan K. Bullard
Hi, On Mon, Jul 6, 2020 at 11:43 AM Gert Doering wrote: > > Acked-by: Gert Doering > > Thanks :-) - given that this is somewhat trivial, I have not actually > run a binary to look at the messages. I have counted arguments and done > a test build to see if new warnings show up (no). > > I *do* s

Re: [Openvpn-devel] [RFC] Challenges with OpenVPN and configuring DNS

2020-07-03 Thread Jonathan K. Bullard
Hi. There's a lot here and I haven't digested all of it, but have a couple of comments about macOS and Tunnelblick, below. On Tue, Jun 23, 2020 at 6:57 PM David Sommerseth wrote: > > > Hi, > > Arne and I have discussed the challenge of DNS configuration and we have paid > attention to a recent di

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jonathan K. Bullard
Hi, On Fri, Jul 3, 2020 at 3:39 AM Jan Just Keijser wrote: > > Hi, > > On 02/07/20 23:04, David Sommerseth wrote: > > On 30/06/2020 16:15, Jan Just Keijser wrote: > >> hi, > >> > >> On 30/06/20 16:11, Gert Doering wrote: > >>> Hi, > >>> > >>> On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Kei

Re: [Openvpn-devel] [Patch] New man page corrections - windows-options.rst

2020-07-02 Thread Jonathan K. Bullard
Improves English diction and/or grammar of man page. Acked-by: Jonathan K. Bullard On Tue, Jun 30, 2020 at 9:11 PM Richard Bonhomme wrote: > > Signed-off-by: Richard Bonhomme > --- > doc/man-sections/windows-options.rst | 4 ++-- > 1 file changed, 2 insertions(+), 2 deleti

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-21 Thread Jonathan K. Bullard
Hi, On Sun, Jun 21, 2020 at 11:15 AM Selva Nair wrote: > > Hi, > > On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote: > > > > Hi, > > > > going through OpenVPN threads that went stale - I think this is > > actually a nice addition (read: other people have already asked > > me if this can be don

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-21 Thread Jonathan K. Bullard
Hi! On Sun, Jun 21, 2020 at 7:15 AM Gert Doering wrote: > > Hi, > > going through OpenVPN threads that went stale - I think this is > actually a nice addition (read: other people have already asked > me if this can be done). > > On Thu, Mar 05, 2020 at 01:53:12PM +0100, Jan Just Keijser wrote: >

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-18 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 9:22 PM Antonio Quartulli wrote: > > Hi, > > On 18/04/2020 00:41, Jonathan K. Bullard wrote: > > Hi, > > > > On Fri, Apr 17, 2020 at 5:35 PM Gert Doering wrote: > >> > >> ... the new subkeys are just a few weeks old,

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 5:35 PM Gert Doering wrote: > > ... the new subkeys are just a few weeks old, so we need to publish > a new key bundle with the new subkeys. So until a new security-keys-2020.asc (or whatever you will call it) is published on the OpenVPN website, I can't verify the do

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-17 Thread Jonathan K. Bullard
Hi, On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.9. It > can be downloaded from here: > > I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty clueless about gp

Re: [Openvpn-devel] [PATCH v2 2/2] When auth-user-pass file has no password, query the management

2020-04-02 Thread Jonathan K. Bullard
Hi, On Mon, Mar 30, 2020 at 2:06 PM wrote: > > From: Selva Nair > > When only username is found in the file, redirect the auth-user-pass > query to the management if management-query-passwords is enabled. > Otherwise the user is prompted on console, if available, as before. > > This changes the

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Jonathan K. Bullard
On Mon, Mar 30, 2020 at 12:30 PM Selva Nair wrote: > That is, if management-query-passwords is enabled and auth file is > missing password, query the management, not on console irrespective > of other options and OS. If that's acceptable, I'll submit a v2. That's fine with me (and Tunnelblick),

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Jonathan K. Bullard
Hi, On Mon, Mar 30, 2020 at 11:12 AM Selva Nair wrote: > Jonathan K. Bullard wrote: > > > > If the OS X command line user was using --management-query-passwords > > (as Tunnelblick does), they wouldn't see the password prompt on > > /dev/tty, would they?

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread Jonathan K. Bullard
Hi, On Sun, Mar 29, 2020 at 7:58 PM Selva Nair wrote: > > Hi, > > On Sun, Mar 29, 2020 at 7:13 PM Jonathan K. Bullard > wrote: > > On a Mac using Tunnelblick (which uses the management interface with > > management-query-passwords enabled), if the auth-user-pass

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread Jonathan K. Bullard
Hi, On Sun, Mar 29, 2020 at 4:34 PM wrote: > > From: Selva Nair > > If only username is found in the file, redirect the auth-user-pass > query to the management on Windows if (i) management-query-passwords > is enabled and (ii) stdout is redirected to a log file. These > restrictions avoid regre

Re: [Openvpn-devel] Removing --disable-server option from OpenVPN

2019-09-18 Thread Jonathan K. Bullard
Oops. On Wed, Sep 18, 2019 at 6:54 AM Jonathan K. Bullard wrote: > > Hi, > > On Wed, Sep 18, 2019 at 6:38 AM Samuli Seppänen wrote: > > > > Hi, > > > > We are considering removing the --disable-server option from OpenVPN in 2.5. > > > > Do you u

Re: [Openvpn-devel] Removing --disable-server option from OpenVPN

2019-09-18 Thread Jonathan K. Bullard
Hi, On Wed, Sep 18, 2019 at 6:38 AM Samuli Seppänen wrote: > > Hi, > > We are considering removing the --disable-server option from OpenVPN in 2.5. > > Do you use (and need) it, or know of somebody using (and needing) it? As far as I know, it is not used by any Tunnelblick users. Also, note tha

Re: [Openvpn-devel] [PATCH 0/5] Implement additional two step authentication methods

2019-06-13 Thread Jonathan K. Bullard
Hi, On Thu, Jun 13, 2019 at 2:35 PM Selva Nair wrote: > > Hi > > On Thu, Jun 13, 2019 at 10:42 AM Arne Schwabe wrote: > > > > These patches mainly implement forwarding passing/forwarding extra > > messages between management interface on server and client side. > > > > These new extra messages c

Re: [Openvpn-devel] Adding Google Analytics code to Trac?

2018-10-25 Thread Jonathan K. Bullard
Hi, On Wed, Oct 24, 2018 at 5:22 AM David Sommerseth wrote: > > On 24/10/18 13:47, Samuli Seppänen wrote: > > Hi, > > > > The OpenVPN Inc. webmaster would like to add Google Analytics to > > community.openvpn.net, i.e. our Trac wiki/bug tracker. I said we need to > > consult the community first b

[Openvpn-devel] Fwd: [PATCH] Remove deprecated --compat-x509-names and --no-name-remapping

2018-10-24 Thread Jonathan K. Bullard
Sorry, sent to Steffan but not the list: -- Forwarded message - From: Jonathan K. Bullard Date: Wed, Oct 24, 2018 at 7:00 AM Subject: Re: [Openvpn-devel] [PATCH] Remove deprecated --compat-x509-names and --no-name-remapping To: Steffan Karger Hi, The actual option name is

[Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation

2018-08-08 Thread Jonathan K. Bullard via Openvpn-devel
--auth-retry none" (the default) is in effect. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- v2: * Incorporate Selva Nair’s suggestions (thanks!). * Remove incorrect quotes in Example 8. * Use &

Re: [Openvpn-devel] [PATCH] Clarify and expand management interface documentation

2018-08-08 Thread Jonathan K. Bullard via Openvpn-devel
Thanks, Selva. I agree with all of your comments except two, details below: On August 2, 2018 11:32 AM, Selva Nair wrote: > > >NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert > > your cryptographic token > > > > > > - The management client, if it is a GUI, can flash

[Openvpn-devel] [PATCH] Clarify and expand management interface documentation

2018-07-31 Thread Jonathan K. Bullard via Openvpn-devel
--auth-retry none" (the default) is in effect. * Update the list of UIs that support challenge/response. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- doc/management-notes.txt | 213 --- 1 file

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-24 Thread Jonathan K. Bullard
Hi, On Tue, Jul 24, 2018 at 12:02 AM, Selva Nair wrote: > Hi, > > On Mon, Jul 23, 2018 at 10:58 PM, Jonathan K. Bullard > wrote: >> I was testing Tunnelblick with Selva's C/R server and config (thanks >> again for that) and there was a problem. Maybe I'm (st

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
Hi, On Mon, Jul 23, 2018 at 10:31 PM, Selva Nair wrote: > On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard > wrote: > >> Some, perhaps including Selva's $payingCustomer, may not want to use >> Tunnelblick betas or use OpenVPN 2.5 until it is released. > > I m

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
wrote: >> Hi, >> >> On Thu, Jul 19, 2018 at 02:38:55PM -0400, Selva Nair wrote: >>> On Thu, Jul 19, 2018 at 1:52 PM, Gert Doering wrote: >>> > On Thu, Jul 19, 2018 at 11:43:17AM -0400, Jonathan K. Bullard wrote: >>> >> Thank you, Selva! (Now all

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-23 Thread Jonathan K. Bullard
Thanks, Selva, On Mon, Jul 23, 2018 at 1:30 PM, Selva Nair wrote: > > Hi, > > > On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard > wrote: > > Hi, > > > > On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: > >> Jon: I have a server

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-21 Thread Jonathan K. Bullard
Hi, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: > Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy. Thanks, Se

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi Arne, (For some reason Gmail put your post in my spam folder, so I just saw it now.) On Thu, Jul 19, 2018 at 11:49 AM, Arne Schwabe wrote: > Am 19.07.18 um 17:43 schrieb Jonathan K. Bullard: >> Thank you, Selva! (Now all I need to do is get it working!) >> > > If you

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Hi, Selva, On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote: >> Jon: I have a server for testing static and dynamic challenge. If > interested I can send you a config. Or use access server with a free > test license. Mine will just challenge with 1 + 1 = ? kind of > questions, nothing fancy. Th

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you, Selva! (Now all I need to do is get it working!) Best regards, Jon On Thu, Jul 19, 2018 at 11:39 AM, Selva Nair wrote: > Hi, > > On Thu, Jul 19, 2018 at 10:48 AM, Jonathan K. Bullard > wrote: >> Thank you very much, Selva. >> >> On Wed, Jul 18, 2018

Re: [Openvpn-devel] Dynamic challenge/response questions

2018-07-19 Thread Jonathan K. Bullard
Thank you very much, Selva. On Wed, Jul 18, 2018 at 10:48 PM, Selva Nair wrote: > There are two messages involved: > > 1. First comes the fake auth failure message which contains the > challenge string. The format of this is as you have quoted above. The > single quoted string between the square

[Openvpn-devel] Dynamic challenge/response questions

2018-07-18 Thread Jonathan K. Bullard
I'm trying to implement dynamic challenge/response in Tunnelblick and have some questions. I've been using the management-interface documentation [1] as my guide. 1. Is what the management interface sends something like (all on one line): >PASSWORD:Verification Failed: 'Auth' >['CRV1:R,E:Om01u7F

Re: [Openvpn-devel] [OpenVPN/openvpn-gui] UI showing green connected status despite not beeing able to create a route (#9)

2018-07-06 Thread Jonathan K. Bullard
Hi, On Fri, Jul 6, 2018 at 3:24 PM, Selva Nair wrote: > > Hi, > > Copying the devel list as a reminder that "we" have been asking for this > change for a long time :) > > On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering wrote: >> >> Hi, >> >> On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair wro

Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-02 Thread Jonathan K. Bullard
Hi. On Mon, Jul 2, 2018 at 9:24 PM, wrote: > > From: Selva Nair > > Instead log only a warning. > > This helps user interfaces enforce a safer script-security setting > without causing a FATAL error. Can you expand on that? What "safer script security settings" do you have in mind? Tunnelblick

Re: [Openvpn-devel] [PATCH v5] Add Interactive Service developer documentation

2018-06-09 Thread Jonathan K. Bullard
Hi, On Sat, Jun 9, 2018 at 12:23 PM, Selva Nair wrote: > > Hi, > > On Thu, Apr 19, 2018 at 7:23 AM, Simon Rozman wrote: > > The OpenVPN Interactive Service documentation from > > https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was > > upgraded with a description of the clien

Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

2018-04-13 Thread Jonathan K. Bullard
Hi. On Fri, Apr 13, 2018 at 1:23 PM, Micah Morton wrote: > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > From: Micah Morton > Date: Fri, 13 Apr 2018 09:55:22 -0700 > Subject: [PATCH] Specify platform and version on command line. > > Add --iv-plat and --iv-plat-rel comm

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering wrote: > Hi, > > On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote: >> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: >> >> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will >> > be IPv6-only. Removal of IPv4-re

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi, On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote: > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will > be IPv6-only. Removal of IPv4-related code and options will dramatically > reduce code complexity, confusing options, bugs and user questions. > > Add deprecation warn

Re: [Openvpn-devel] OpenSSL version(s) officially supported by OpenVPN?

2018-03-07 Thread Jonathan K. Bullard
Hi. On Wed, Mar 7, 2018 at 4:25 AM, Steffan Karger wrote: > > Hi, > > On 06-03-18 23:16, Jonathan K. Bullard wrote: > > Can someone clarify which versions of OpenSSL OpenVPN supports (that > > is, "works with when linked statically")? > > > >

[Openvpn-devel] OpenSSL version(s) officially supported by OpenVPN?

2018-03-06 Thread Jonathan K. Bullard
Hi. Inspired by the recent discussion about LibreSSL support: Can someone clarify which versions of OpenSSL OpenVPN supports (that is, "works with when linked statically")? From what I gather: * OpenVPN 2.3.18 supports OpenSSL 1.0.2n * OpenVPN 2.4.5 supports OpenSSL 1.0.2n and 1.1.0g * Open

Re: [Openvpn-devel] [PATCH] Properly respond to SIGTERM received during DNS resolution.

2018-02-05 Thread Jonathan K. Bullard
I'm not sure I'm reading the description right, to understand the > actual issue this is fixing - but if I'm reading it right, then this > makes sense :-) - what about SIGINT?) On Tue, Apr 12, 2016 at 11:48 AM, Fish Wang wrote: > > Right, it's for the "on DNS

[Openvpn-devel] Fwd: [PATCH 2/3] Allow external EC key through --management-external-key

2018-01-25 Thread Jonathan K. Bullard
Hi. On Mon, Jan 22, 2018 at 12:31 PM, Selva Nair wrote: > What about extending the current "version" command with an argument > where the client states the version of "management-speak" that it > supports. Current management version is 1, we increase it to 1.1 and > unless the client says "versio

Re: [Openvpn-devel] On testing with openssl 0.9.8

2018-01-22 Thread Jonathan K. Bullard
Hi, On Mon, Jan 22, 2018 at 7:33 AM, David Sommerseth wrote: > Let me rather twist this question around ... Do we want to support OpenSSL > 0.9.8? Are there any Linux distributions or other OSes out there in the wild > which is still supported which are also based on openssl-0.9.8? > > Officiall

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-14 Thread Jonathan K. Bullard
Hi, On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard wrote: > Hi, > > On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: >> >> Hi, >> >> On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: >>> >>> Am 30.11.2017 um 03:03 schrieb Selva Nai

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-02 Thread Jonathan K. Bullard
Hi, On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair wrote: > > Hi, > > On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe wrote: >> >> Am 30.11.2017 um 03:03 schrieb Selva Nair: >> >> Cross-posting to users and devel as this may be of interest to both. >> >> Hi, >> >> I have made a draft implementation of

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Hi, On Thu, Nov 30, 2017 at 10:26 PM, Selva Nair wrote: > Hi Jon, > > On Thu, Nov 30, 2017 at 8:41 PM, Jonathan K. Bullard > wrote: > >> Thanks, Selva, >> >> On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair wrote: >> > >> > I have made a draf

Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-11-30 Thread Jonathan K. Bullard
Thanks, Selva, On Wed, Nov 29, 2017 at 9:03 PM, Selva Nair wrote: > > I have made a draft implementation of this feature that was discussed in a > previous thread. A test executable (GUI only) is in this pre-release: > > https://github.com/selvanair/openvpn-gui/releases/tag/v11-echo-msg > > Als

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-15 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 7:40 AM, David Sommerseth wrote: > > On 14/11/17 12:02, Gert Doering wrote: >> JSON is very trivial to produce (unlike XML, or netlink). The escaping >> rules on producing are also very easy - basically, encode things in double >> quotes, and escape the set of { BS, F

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-14 Thread Jonathan K. Bullard
Hi, On Tue, Nov 14, 2017 at 3:31 AM, Gert Doering wrote: > Hi, > > On Mon, Nov 13, 2017 at 01:16:46PM +0100, David Sommerseth wrote: >> But we should consider if we want to make use of a JSON library >> producing the JSON streams. The reason is to ensure the output is >> according to the specifi

Re: [Openvpn-devel] [PATCH] contrib: Remove keychain-mcd code

2017-07-25 Thread Jonathan K. Bullard
On Tue, Jul 25, 2017 at 9:03 AM, David Sommerseth wrote: > After the security audits performed by Cryptography Engineering the > spring of 2017 [1], there were several concerns about the contrib code > for the macOS keychain support. After more careful review of this > code base, it was considere

Re: [Openvpn-devel] [PATCH] Implement block-ipv6

2017-07-07 Thread Jonathan K. Bullard
Hi. I have one small nit-pick. On Thu, Jul 6, 2017 at 11:33 AM, Arne Schwabe wrote: > This can be used to redirect all IPv6 traffic to the tun interface, > effectively black holing the IPv6 traffic. Without ICMPv6 error messages this > will result in timeouts when the server does not send erro

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 12:48 PM, Matthias Andree wrote: > > Am 21.06.2017 um 16:33 schrieb Samuli Seppänen: > > On 21/06/2017 17:06, Simon Matter wrote: > >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > >>> wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 7:48 AM, Jonathan K. Bullard wrote: > On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > > can be downloaded from here: > > > > <http://openvpn.net/ind

Re: [Openvpn-devel] ***UNCHECKED*** Re: OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 8:40 AM, David Sommerseth wrote: > On 21/06/17 14:30, David Sommerseth wrote: >> On 21/06/17 13:48, Jonathan K. Bullard wrote: >>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: >>>> The OpenVPN community project team is prou

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Jonathan K. Bullard
On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen wrote: > The OpenVPN community project team is proud to release OpenVPN 2.4.3. It > can be downloaded from here: > > Hi. Thanks for this release. Verifying the PGP signature on 2.3.17.tar.g

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-20 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 6:41 PM, David Sommerseth wrote: > On 19/05/17 21:23, Jonathan K. Bullard wrote: [snip] > > OK, I get that, but the key file from the link David provided (and > > which was also in his reply to the email announcing 2.3.16): > > > > <http:/

Re: [Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 1:44 PM, Samuli Seppänen wrote: > On 19/05/2017 17:50, David Sommerseth wrote: >> On 19/05/17 16:28, Jonathan K. Bullard wrote: >>> When I try to verify the signature on openvpn-2.3.16.tar.gz (using >>> openvpn-2.3.16.tar.gz.asc) from the "

[Openvpn-devel] Problem with sig for 2.3.16?

2017-05-19 Thread Jonathan K. Bullard
When I try to verify the signature on openvpn-2.3.16.tar.gz (using openvpn-2.3.16.tar.gz.asc) from the "Downloads" page [1], I get the following: gpg: assuming signed data in `XXX/openvpn-2.3.16.tar.gz' gpg: Signature made Thu May 18 16:56:48 2017 EDT using RSA key ID 8CC2B034 gpg:

Re: [Openvpn-devel] OpenVPN 2.3.16 released

2017-05-19 Thread Jonathan K. Bullard
On Fri, May 19, 2017 at 5:29 AM, Samuli Seppänen wrote: > > The OpenVPN community project team is proud to release OpenVPN 2.3.16. > It can be downloaded from here: > > > > This is a minor release that fixes a few bugs. This release was mad

Re: [Openvpn-devel] The future of contrib/keychain-mcd

2017-05-06 Thread Jonathan K. Bullard
Hi. Several weeks ago "kaloprominat" submitted PR #369 [1] to Tunnelblick. It incorporates the keychain-mcd code into Tunnelblick. (I don't know if that triggered your scrutiny of keychain-mcd or if that is a coincidence.) I have not finished reviewing the PR, but it includes fixes for several pr

Re: [Openvpn-devel] [PATCH] Use SHA256 for the internal digest, instead of MD5

2016-12-25 Thread Jonathan K. Bullard
On Sun, Dec 25, 2016 at 6:20 PM, Steffan Karger wrote: > Hi, > > On 18-12-16 22:26, Gert Doering wrote: >> On Sun, Dec 18, 2016 at 05:40:55PM +0100, Steffan Karger wrote: >>> Our internal options digest uses MD5 hashes to store the state, instead of >>> storing the full options string. There's no

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-03 Thread Jonathan K. Bullard
Hi, On Thu, Nov 3, 2016 at 8:26 AM, Gert Doering wrote: > > On Wed, Nov 02, 2016 at 06:19:26AM -0400, Jonathan K. Bullard wrote: > > On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen > wrote: > > > Discussed OpenVPN 2.3.13 release. Three things are missing: > >

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-02 Thread Jonathan K. Bullard
On Wed, Nov 2, 2016 at 6:52 AM, Gert Doering wrote: > On Wed, Nov 02, 2016 at 06:19:26AM -0400, Jonathan K. Bullard wrote: >> Sorry to be a pest, but is there an update on when 2.3.13 might be released? > > Tomorrow ("noon-time-ish for Europe") > > (We decided this

Re: [Openvpn-devel] Summary of today's (Monday, 10th Oct 2016) community meeting

2016-11-02 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 4:26 PM, Samuli Seppänen wrote: > Discussed OpenVPN 2.3.13 release. Three things are missing: > > 1. recursive routing > 2. block-outside-dns v2 > 3. 64MB renegotiation for 64-bit block ciphers > > Cron2 will take care of 1-2, and syzzer will tackle 3. > > -- > > Preliminar

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks to both Gert and Arne for their answers. On Wed, Oct 12, 2016 at 9:12 AM, Arne Schwabe wrote: >> What I should have asked is: with this patch will an OpenVPN client >> still send out IPv4 packets if there are no IPv6 options specified or >> pulled from the server?

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Thanks, Arne. Sorry if I wasn't as clear as I should have been. On Wed, Oct 12, 2016 at 8:08 AM, Arne Schwabe wrote: > > Am 12.10.16 um 13:17 schrieb Jonathan K. Bullard: > > Hi. > > > > On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe wrote: > >> This optio

Re: [Openvpn-devel] [PATCH v4] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-10-12 Thread Jonathan K. Bullard
Hi. On Wed, Oct 12, 2016 at 5:13 AM, Arne Schwabe wrote: > > This option was useful when Ipv6 tun support was > non standard and was an internal/user specified flag > that tracked the Ipv6 capability of the tun device. > > All supported OS support IPv6. Also tun-ipv6 is > pushable by the remote s

Re: [Openvpn-devel] Topics for today's (Monday, 10th Oct 2016) community meeting

2016-10-10 Thread Jonathan K. Bullard
On Mon, Oct 10, 2016 at 8:56 AM, Samuli Seppänen wrote: > > We're going to have an IRC meeting today starting at 20:00 CEST (18:00 > UTC) on #openvpn-meeting irc.freenode.net. You do not have to be > logged in to Freenode to join the channel. I can't attend the meeting, so here is a simple (mayb

Re: [Openvpn-devel] [PATCH] Have the same username/password length regardless of PKCS#11 enablement

2016-09-22 Thread Jonathan K. Bullard
On Thu, Sep 22, 2016 at 6:04 AM, David Sommerseth wrote: > If running an OpenVPN client with --enable-pkcs11 and a server without > and having a username and/or password with more than 128 characters, > the authentication will fail as the server truncates the password > to 128 bytes. > > This make

Re: [Openvpn-devel] Modernising the management interface

2016-08-31 Thread Jonathan K. Bullard
On Wed, Aug 31, 2016 at 2:55 PM, David Sommerseth wrote: > > > One of the things which have struck me is that D-Bus is adopted a lot > of places, and its internal API have been considered stable for about > 10 years or more. Even though there are areas where D-Bus seems a bit > over-engineered, i

[Openvpn-devel] The end of the Gmane archive

2016-07-29 Thread Jonathan K. Bullard
Yesterday Lars Ingebrigtsen, who established and has run Gmane since 2002, posted an article saying that Gmane might go away [1]. He posted an update [2] which says the Gmane archive *has* gone away and unless someone steps up to take it over, it is gone for good. The OpenVPN mailing list archive

Re: [Openvpn-devel] [PATCH 3/7] vlan: Add global, per-client 802.1q-based options

2016-04-03 Thread Jonathan K. Bullard
On Sun, Apr 3, 2016 at 2:51 PM, Mike Auty wrote: > > This patch add the new global "--vlan-tagging" boolean switch. This specifies > whether openvpn should handle 802.1q tagged packets in any way. > > This patch also adds the new global '--vlan-accept tagged|untagged|all' which > specifies the be

Re: [Openvpn-devel] [PATCH 09/10] Added directive to specify HTTP proxy credentials in config.

2016-03-03 Thread Jonathan K. Bullard
On Thu, Mar 3, 2016 at 3:19 AM, James Yonan wrote: > > The inline directive http-proxy-user-pass can be used to > specify proxy credentials in config, e.g.: > > http-proxy proxy.tld 3128 auto-nct > > foo > bar > > > This usage is already supported by OpenVPN 3. > > Signed-off-by: James Yonan >

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-13 Thread Jonathan K. Bullard
Thanks, Selva. On Sat, Dec 12, 2015 at 5:43 PM, Selva Nair wrote: > I suppose, not just adding but also removing options will be allowed. There > could be more options that are ok (i.e not unsafe) to remove but not change. What I'm proposing isn't to allow "add/remove/modify" options in the Open

Re: [Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Hi. On Sat, Dec 12, 2015 at 5:23 PM, Arne Schwabe wrote: > Might not really be related to this but have you looked into the work that > provides the certificates and keys via the management console? We > even have a contrib program that gets certificates from the Mac OS X > keychain and provides

[Openvpn-devel] Options that are "safe" for users to modify?

2015-12-12 Thread Jonathan K. Bullard
Inspired by Gert, I am considering adding a new feature to Tunnelblick (FOSS GUI for OpenVPN on OS X) and would like your reactions. In an earlier thread on openvpn-users, my original more grandiose idea was (with good reason) NAKed. It was also suggested that openvpn-devel was a better place for t

Re: [Openvpn-devel] [PATCH] Remove --enable-password-save option

2015-11-29 Thread Jonathan K. Bullard
Hi. On Sun, Nov 29, 2015 at 9:55 AM, Arne Schwabe wrote: > This option is enabled in virtually all distributions and gives no real > security benefit. > --- > configure.ac | 8 > src/openvpn/misc.c | 8 > src/openvpn/misc.h | 2 +- > src/openvpn/ssl.c | 8 > 4

Re: [Openvpn-devel] Docs or Bug: --push options no longer require double quotes

2015-07-25 Thread Jonathan K. Bullard
On Sat, Jul 25, 2015 at 3:45 PM, Gert Doering wrote: > Hi, > > On Sat, Jul 25, 2015 at 01:34:46PM +0100, debbie...@gmail.com wrote: >> As the title states --push no longer requires options to be double quoted. > > Well, *did* it require double quotes at some point? If yes, when? Double-quotes ma

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-03 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 6:24 AM, Jan Just Keijser wrote: > I fully agree. Here's v2 with Jonathan's remarks addressed as well. ACK as to my concerns, thanks!

Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jonathan K. Bullard
On Thu, Jul 2, 2015 at 2:56 AM, Jan Just Keijser wrote: > Attached is the patch to add the TFTP and WPAD DHCP options. The patch > is based on openvpn 2.3.7 as I did not know how to do a windows mingw > build of the git version ... > The patch was tested on Windows XP 32bit and Windows 7sp1 64bit.

Re: [Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-03 Thread Jonathan K. Bullard
On Wed, Jun 3, 2015 at 2:33 AM, Arne Schwabe wrote: > ACK. But some things I noticed (should go into separate patch) > > We do not catch > > --connection foo, it is silently ignored I noticed a few such problems, mostly in options that I couldn't find consistent documentation for. I didn't want t

[Openvpn-devel] [Patch] Version 2: Fail if options have extra parameters

2015-06-02 Thread Jonathan K. Bullard
This is a new thread with version 2 of the patch; the first submission included the wrong .patch file and was withdrawn. The attached patch causes an error if an option has extra parameters; previously they were ignored (ticket #557 at https://community.openvpn.net/openvpn/ticket/557). This featu

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-30 Thread Jonathan K. Bullard
Please ignore this patch; it is an old version. I will resubmit. Sorry for the noise. On Fri, May 29, 2015 at 11:54 AM, Jonathan K. Bullard wrote: > Sorry, forgot to add a link to the ticket for this: > > https://community.openvpn.net/openvpn/ticket/557 > > On Fri, May 29, 2

Re: [Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
Sorry, forgot to add a link to the ticket for this: https://community.openvpn.net/openvpn/ticket/557 On Fri, May 29, 2015 at 11:38 AM, Jonathan K. Bullard wrote: > The attached patch causes an error if an option has extra > parameters; previously they were ignored. > > This

[Openvpn-devel] [Patch] Fail if options have extra parameters

2015-05-29 Thread Jonathan K. Bullard
The attached patch causes an error if an option has extra parameters; previously they were ignored. This feature was discussed on the openvpn-devel mailing list: http://thread.gmane.org/gmane.network.openvpn.devel/9599 The patch is for the master branch only -- the consensus of the mailing li

[Openvpn-devel] [Patch] Fix null pointer dereference in options.c

2015-05-23 Thread Jonathan K. Bullard
(At Gert's request, I am posting this to openvpn-devel.) This patch fixes a null pointer dereference in options.c. Below are versions for openvpn-master and openvpn-2.3; they differ only in the line number reference. 2.3 branch diff -U 4 -r openvpn-release-2.3/src/openvpn/optio

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-18 Thread Jonathan K. Bullard
On Mon, May 4, 2015 at 9:26 AM, Jonathan K. Bullard wrote: > If I have a > configuration that has worked for many years I might be more likely to > not notice one warning among all the output in a typical log at the > default "verb 3" setting. Correction: the default se

Re: [Openvpn-devel] Request peer review of modified OpenVPN client software

2015-05-12 Thread Jonathan K. Bullard
On Tue, May 12, 2015 at 7:27 AM, Lisa Minogue wrote: > Can I conclude from your above statements that applying obfuscation > patches to the standard OpenVPN client software may actually introduce > security vulnerabilities? > The openvpn_xorpatch

Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-04 Thread Jonathan K. Bullard
On Sun, May 3, 2015 at 12:33 PM, Steffan Karger wrote: > On 17-04-15 11:28, Jonathan K. Bullard wrote: > > I would like to propose a patch which complains if OpenVPN options > > include parameters that are not expected. > > I agree that silently ignoring extra parameters is

[Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-04-17 Thread Jonathan K. Bullard
I would like to propose a patch which complains if OpenVPN options include parameters that are not expected. If possible, I would like to get a "feature ACK" consensus before I create the patch. (If I get a "feature NAK" then I won't create the patch.) The patch would be to reject options that ar

Re: [Openvpn-devel] [PATCH v3] Mac OS X Keychain management client

2015-02-23 Thread Jonathan K. Bullard
On Mon, Feb 23, 2015 at 8:10 AM, David Woodhouse wrote: > On Mon, 2015-02-23 at 13:59 +0100, Arne Schwabe wrote: >> >> All fine. My rationale was like, if I want a certificate with a certain >> SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for men >> whether I get it from OS X, W
