Implement a long standing todo in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.
v2: bail out immediately on failure.
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_mbedtls.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/s
Hello,
I had a doubt about the cipher none config in OpenVPN.
I realized that OpenVPN initiates an SSL handshake, even if I choose not to
use any encryption-decryption operations through the cipher none config. It
chooses a particular cipher in the handshake as well.
Is it supposed to happen this
On 05.05.16 at 11:02, Steffan Karger wrote:
> Implement a long standing todo in the code, now that we use mbed TLS 2.x,
> which provides an interface for the check.
>
> v2: bail out immediately on failure.
>
ACK from me.
Arne
Your patch has been applied to the master branch.
commit 5c4acf3f7b2885270a9fb2d051a18759ab458c32
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu May 5 11:02:13 2016 +0200
mbedtls: check that private key and certificate match on start
Signed-off-by: St
On 03.05.16 at 22:14, Steffan Karger wrote:
> Instead of just printing the contents of the flags variable, try to
> convert it to a human-readable error string and print that instead.
>
> This will for example print "The certificate is signed with an
> unacceptable key (eg bad curve, RSA too shor
Your patch has been applied to the master branch.
ACK from me as well, as it nicely shows the problem with our test certs
in the logs now
Thu May 5 12:53:54 2016 VERIFY ERROR: depth=0, subject=C=US, ST=California, L=Pleasanton, O=OpenVPN community project, CN=server, emailAddress=samuli@ope
Hi,
On Sun, May 01, 2016 at 08:23:06PM +0200, Steffan Karger wrote:
> When for some reason the dependencies of the compiled mbed TLS libraries
> (libmbedtls, libmbedcrypto and libmbedx509) are not correct, the configure
> script will fail to link against libmbedcrypto and/or libmbedx509. This
> is
On Thu, May 5, 2016 at 1:50 PM, Gert Doering wrote:
> --- a/configure.ac
> +++ b/configure.ac
> @@ -844,11 +844,11 @@ elif test "${with_crypto_library}" = "mbedtls"; then
>
> if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then
> # if the user did not explicitly spe
Patch has been applied to the master branch.
commit 1ae17b7e97881ab57352b0bd525f15e6e9b60011
Author: Gert Doering
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu May 5 13:48:16 2016 +0200
Fix library order in -lmbedtls test.
Signed-off-by: Gert Doering
Acked-by: Steffa
Hi,
On Thu, May 5, 2016 at 12:26 PM, Shubham Chauhan wrote:
> I had a doubt about the cipher none config in OpenVPN.
> I realized that OpenVPN initiates an SSL handshake, even if I choose not to
> use any encryption-decryption operations through the cipher none config. It
> chooses a particular c
Signed-off-by: Steffan Karger
---
src/openvpn/ssl_verify_mbedtls.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index a97161b..d018938 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.
Hello. Thanks for the reply.
> Disabling crypto is possible, but not what OpenVPN was designed for.
> Also, disabling encryption (using --cipher) does not disable
> authentication (--auth) too. If you want to control the TLS crypto,
> use --tls-cipher. Note however that the TLS control channel i
On 5 May 2016 3:24 p.m., "Shubham Chauhan" wrote:
> So, what I get from this is that OpenVPN will do a ssl/tls handshake
> irrespective of the --cipher none option, because this configuration will
> only be used in the data channel. Is this right?
Yes.
> Also, will using --cipher none get me a faste
Thank you for the help. Appreciate it.
On May 5, 2016 7:00 PM, "Steffan Karger" wrote:
>
> On 5 May 2016 3:24 p.m., "Shubham Chauhan" wrote:
> > So, what I get from this is that OpenVPN will do a ssl/tls handshake
> > irrespective of the --cipher none option, because this configuration will
> > on
Add SHA256 fingerprint support for both the normal exported fingerprints
(tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track.
Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint
internally, in cert_hash_remember() / cert_hash_compare(). And instead of
updati
ACK.
Your patch has been applied to the master branch.
commit d54a2488a0b7a678817b50e1518d0f31397b2e7b
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu May 5 15:02:27 2016 +0200
Remove trailing newline from verify callback error messages
Signed-off-by: