Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
Hi Tony, On 04/12/20 08:41, Tony He wrote: Hi Jan, Yeah, need option " -elapsed" because OpenSSL counts user time instead of total time(user+sys time) without this option. You can see: * aes-128-cbc and sha1 are accelerated by HW engine. I believe speed is faster for openvpn dco module because

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Gert Doering
Hi, On Fri, Dec 04, 2020 at 10:49:04AM +0100, Jan Just Keijser wrote: > as far as I > know no openvpn release supports CCM thus far (which is a shame, really). I have heard rumors that someone got nerdsniped by this already... :-) gert -- "If was one thing all people took for granted, was con

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Tony He
Hi Jan, >what HW engine is this? I think your best bet is to actually get the engine to support GCM; with AES and SHA acceleration in place there is very little to stop the HW engine from not being able to support GCM.. The HW engine is a part of SoC al314. It connects with A15 CPU via PCI in SoC

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
hi Tony, On 04/12/20 11:12, Tony He wrote: Hi Jan, >what HW engine is this?  I think your best bet is to actually get the engine to support GCM; with AES and SHA acceleration in place there is very little to stop the HW engine from not being able to support GCM.. The HW engine is a part of So

[Openvpn-devel] [PATCH applied] Re: tls-crypt-v2: fix server memory leak

2020-12-04 Thread Gert Doering
I have not done much testing, and not even stared much at the code. But it's your code and Antonio has a keen eye :-) Your patch has been applied to the master and release/2.5 branch. commit fb169c3b8fdfa9792c0eee8441956f062dfd7982 (master) commit 06e769552481729ddae28ee46b30f2dc8ca77509 (releas

[Openvpn-devel] [PATCH applied] Re: tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)

2020-12-04 Thread Gert Doering
As for 1/2, I have not really reviewed or tested anything here. Trusting you and Arne here. From a quick view this looks like a nice "code cleanup en passant", though :-) (and it does pass the client side tests, of course). Your patch has been applied to the master and release/2.5 branch. comm

[Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me explain: For eduVPN, multiple openvpn instances are offered, both on UDP and TCP ports and the c

[Openvpn-devel] [PATCH applied] Re: Fix port-share option with TLS-Crypt v2

2020-12-04 Thread Gert Doering
Magic heuristics... but if Arne and Steffan agree that this is correct, who am I to dispute it :-) - it passes client tests and is not "obviously wrong". Your patch has been applied to the master and release/2.5 branch. commit 1387f52682dcd3789c56c9979ccedca281ff88f4 (master) commit c27f97dc0ac99

Re: [Openvpn-devel] [PATCH v9] Add DNS SRV remote host discovery support

2020-12-04 Thread Gert Doering
Hi, On Mon, Nov 16, 2020 at 03:08:57AM +0500, Vladislav Grishenko wrote: > DNS SRV remote host discovery allows to have multiple OpenVPN servers for > a single domain w/o explicit profile enumeration, to move services from > host to host with little fuss, and to designate hosts as primary servers

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Arne Schwabe
Am 04.12.20 um 11:59 schrieb Jan Just Keijser: > hey guys, > > I'm posting this on behalf of the eduVPN team. François Kooman spent a > long time debugging an issue and finally managed to find the piece of > code that causes the weird behavior. > Let me explain: > > For eduVPN, multiple openvpn i

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Arne Schwabe
>> If I change the client config to list only a single >>   remote 1194 udp >> line then this reconnect behavior does NOT occur ?!?!?!? >> > This might be a bug in the initialisation order. That the ping timer is > armed before next_connection_entry is called. If you force it reconnect > by restar

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
Hi, On 04/12/20 15:38, Arne Schwabe wrote: Am 04.12.20 um 11:59 schrieb Jan Just Keijser: hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me explain:

[Openvpn-devel] [PATCH] Drop EAI_NODATA, absent on FreeBSD and obsoleted by RFC3493

2020-12-04 Thread Vladislav Grishenko
--- src/openvpn/socket.c | 14 +- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index bd085e8f..31e8fe9a 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -625,10 +625,8 @@ query_servinfo(const char *domain, int

[Openvpn-devel] [PATCH] Add DNS SRV remote host discovery support

2020-12-04 Thread Vladislav Grishenko
DNS SRV remote host discovery allows to have multiple OpenVPN servers for a single domain w/o explicit profile enumeration, to move services from host to host with little fuss, and to designate hosts as primary servers for a service and others as backups. Feature has been asked several times alread

[Openvpn-devel] [PATCH v10] Add DNS SRV remote host discovery support

2020-12-04 Thread Vladislav Grishenko
DNS SRV remote host discovery allows to have multiple OpenVPN servers for a single domain w/o explicit profile enumeration, to move services from host to host with little fuss, and to designate hosts as primary servers for a service and others as backups. Feature has been asked several times alread

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Arne Schwabe
> This code path is present from 2.1 on, in more or less unaltered form Yes but only used for profiles with . For versions before that, profiles with only --remote entries used a different (now removed) code path. Arne