We're considering to use shorter-lived client certificates for our VPN
users. In an effort to prevent negative impact for our staff due to
expired certificates, we 'd like to keep track of imminent expiration
of certificates in the client-connect script (which we're using anyway
to check is the cer
On 16/08/2019 10:27, Rolf Fokkens via Openvpn-devel wrote:
> We're considering to use shorter-lived client certificates for our VPN
> users. In an effort to prevent negative impact for our staff due to
> expired certificates, we 'd like to keep track of imminent expiration
> of certificates in the
On 15/08/2019 17:53, Gert Doering wrote:
> For reasons historically unknown, OpenVPN sets the listen() backlog
> queue to "1", which signals the kernel "while there is one TCP connect
> waiting for OpenVPN to handle it, refuse all others" - which, on
> restarting a busy TCP server, will create conn
This patch adds the option to use wolfSSL as the ssl backend. To build
this patch:
1. wolfSSL needs to be built with the `--enable-all` configure option.
2. OpenVPN must be built with the `--with-crypto-library=wolfssl`
configure option.
Documentation regarding the wolfSSL SSL library may be
Hi,
On 16/08/2019 13:49, David Sommerseth wrote:
> On 15/08/2019 17:53, Gert Doering wrote:
>> For reasons historically unknown, OpenVPN sets the listen() backlog
>> queue to "1", which signals the kernel "while there is one TCP connect
>> waiting for OpenVPN to handle it, refuse all others" - whi
Am 16.08.19 um 16:14 schrieb Juliusz Sosinowicz:
> This patch adds the option to use wolfSSL as the ssl backend. To build
> this patch:
>
That is great and it is also a very big patch. I skimmed only through
the patch.
+#ifdef ENABLE_CRYPTO_WOLFSSL
+o->ciphername = "AES-256-CBC";
+#else
Hi Juliusz,
On 16/08/2019 16:14, Juliusz Sosinowicz wrote:
> This patch adds the option to use wolfSSL as the ssl backend. To build
> this patch:
>
> 1. wolfSSL needs to be built with the `--enable-all` configure option.
> 2. OpenVPN must be built with the `--with-crypto-library=wolfssl`
> conf
On 08/08/2019 16:51, Arne Schwabe wrote:
> The previous auth-token implementation had a serious problem, especially when
> paired with an unpatched OpenVPN client that keeps trying the auth-token
> (commit e61b401a).
>
> The auth-token-gen implementation forgot the auth-token on reconnect, this
>
Hi,
On Fri, Aug 16, 2019 at 05:22:27PM +0200, Antonio Quartulli wrote:
> The reason why I ask is that adding a new crypto backend drastically
> increases the maintenance cost for us.
... and since we're already struggling with providing proper maintenance
and getting new stuff integrated in a ti
Wow, more ACKs than actual lines of codes affected .-) - I hear you
wrt "have a #define somewhere" (and yes, we could do that) or "make it
easier to configure for users" (nah... for the reasons Antonio gave) :-)
Patch has been applied to the master and release/2.4 branch.
2.4, because (see the di
Hi,
On Mon, Aug 05, 2019 at 11:25:26AM +0200, Antonio Quartulli wrote:
> From: Antonio Quartulli
>
> Networking backend implementations may need to allocate dynamic
> resources that require an explicit free/release.
> Since these cleanup are perfomed not very often, and only at specific
> times,
On 08/08/2019 16:52, Arne Schwabe wrote:
> From: Arne Schwabe
>
> This allows an external authentication method
> (e.g. management interface) to track the connection and distinguish a
> reconnection from multiple connections.
>
> Addtionally this now also checks to workaround a problem with
> Op
Hi,
On Fri, Aug 16, 2019 at 07:13:14PM +0200, David Sommerseth wrote:
> On 08/08/2019 16:51, Arne Schwabe wrote:
> > The previous auth-token implementation had a serious problem, especially
> > when
> > paired with an unpatched OpenVPN client that keeps trying the auth-token
> > (commit e61b401a)
Your patch has been applied to the master branch.
Is this also suitable for release/2.4? "You folks tell me, I do the
cherry-picking" (if it applies) :-)
I have removed the extra spaces in "# if" constructs, as this is not
something we use elsewhere on nested CPP expressions (it came up in the
d
On Fri, Aug 16, 2019 at 12:31 PM Gert Doering wrote:
>
> Your patch has been applied to the master branch.
>
> Is this also suitable for release/2.4? "You folks tell me, I do the
> cherry-picking" (if it applies) :-)
2.4 is what I did my testing on, so yes.
>
> I have removed the extra spaces in
Hi,
On Fri, Aug 16, 2019 at 09:31:52PM +0200, Gert Doering wrote:
> Your patch has been applied to the master branch.
>
> Is this also suitable for release/2.4? "You folks tell me, I do the
> cherry-picking" (if it applies) :-)
>
> I have removed the extra spaces in "# if" constructs, as this i
From: Antonio Quartulli
Networking backend implementations may need to allocate dynamic
resources that require an explicit free/release.
Since these cleanup are perfomed not very often, and only at specific
times, it makes sense to have the upper layer signal when it's the right
time to do so, by
Commit ("openssl: Fix compilation without deprecated OpenSSL 1.1 APIs")
has removed the cipher_ctx_cleanup() API, as it is not anymore required
to be a distinct call. However, while doing so it also touched the
mbedtls backend in a wrong way causing a systematic segfault upon connection.
Basically
18 matches
Mail list logo
