Hi,
On Fri, Mar 26, 2021 at 12:12:40AM +0100, Antonio Quartulli wrote:
> > -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
> > +/* This serves as a check that the keylen is the correct as this fails
> > + * when key_len and the fixed size of cipher disagree */
> > if (!EVP_CIPHER_CTX_set_k
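Review bot: the new comment at the top of the hunk is ungrammatical ("the keylen is the correct as this fails"); reword to "This serves as a check that the key length is correct, since this call fails when key_len and the cipher's fixed key size disagree". Dropping the `#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH` guard also makes the set-key-length call unconditional, so the configure check that defines that macro should be removed in the same change, or the commit message should state that the minimum supported OpenSSL always provides the call.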
Hi,
On Fri, Mar 26, 2021 at 02:25:13AM +, tincanteksup wrote:
> Perhaps this would be better suited as:
> ./configure --enable-recursive-routing
> make
No.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures
Hi,
On Tue, Oct 30, 2018 at 02:53:59PM +0200, Lev Stipakov wrote:
> From: Lev Stipakov
>
> This patch provides additional information, such as
> source address/port and destination address/port, to a
> "recursive routing" warning message. It also mentions
> a possible workaround.
I still do not
Hi,
On Thu, Mar 25, 2021 at 01:01:20AM +0100, Arne Schwabe wrote:
> The non-TLS mode is a relic from OpenVPN 1.x or 2.0. When TLS mode was
> introduced, the advantages of TLS over non-TLS were small, but TLS mode
> evolved to include a lot more features. (NCP, multipeer, AEAD ciphers to name
> a few
Hi,
On 26/03/2021 08:12, Gert Doering wrote:
> Now... if we consider a scenario where OpenVPN packets are not subject
> to be routed into the tunnel (Linux VRF, policy routing, ...) - which
> is actually something I want to see happen :-) - twisting this feature
> into some other direction might
Hi,
On Fri, Mar 26, 2021 at 11:30:31AM +0100, Antonio Quartulli wrote:
> We have two options now:
> 1) extend documentation (basically what part of this patch is doing);
> 2) rework this feature entirely.
>
> If we go with 2 I guess we don't even need 1.
>
> I'd go with 2, because this feature a
On 26.03.21 at 00:15, Antonio Quartulli wrote:
> Hi,
>
> On 25/03/2021 18:44, Arne Schwabe wrote:
>> These have been troublesome in the past and also today's CVE-2021-3449
>> DOS is only exploitable if renegotiation is enabled.
>>
>> Signed-off-by: Arne Schwabe
>
> What is the practical effect
On 26.03.21 at 07:58, Gert Doering wrote:
> Hi,
>
> On Fri, Mar 26, 2021 at 12:12:40AM +0100, Antonio Quartulli wrote:
>>> -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
>>> +/* This serves as a check that the keylen is the correct as this fails
>>> + * when key_len and the fixed size of ciph
On 26.03.21 at 11:30, Antonio Quartulli wrote:
> Hi,
>
> On 26/03/2021 08:12, Gert Doering wrote:
>> Now... if we consider a scenario where OpenVPN packets are not subject
>> to be routed into the tunnel (Linux VRF, policy routing, ...) - which
>> is actually something I want to see happen :-) -
Hi,
On Fri, Mar 26, 2021 at 12:11:10PM +0100, Arne Schwabe wrote:
> On Android, VPN setup is a bit different from the normal setup.
> Different enough that the recursive routing message is easily triggered
> and the client always sets the allow-recursive-routing option. I cannot
> remember the e
On 25.03.21 at 23:37, Antonio Quartulli wrote:
> Hi,
>
> On 15/12/2020 17:42, Arne Schwabe wrote:
>> For --nobind clients OpenVPN reuses the context and tls_multi structs
>> of the previous clients and does not rerun the connect scripts on
>> connect. But since it is a new client connection, the
Hi,
On 26/03/2021 12:03, Arne Schwabe wrote:
> On 26.03.21 at 00:15, Antonio Quartulli wrote:
>> Hi,
>>
>> On 25/03/2021 18:44, Arne Schwabe wrote:
>>> These have been troublesome in the past and also today's CVE-2021-3449
>>> DOS is only exploitable if renegotiation is enabled.
>>>
>>> Signed-of
Hi,
On 25/03/2021 18:44, Arne Schwabe wrote:
> These have been troublesome in the past and also today's CVE-2021-3449
> DOS is only exploitable if renegotiation is enabled.
>
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/ssl_mbedtls.c | 3 +++
> src/openvpn/ssl_openssl.c | 3 +++
> 2 files
Renegotiations have been troublesome in the past and also the recent OpenSSL
security problem (CVE-2021-3449) is only exploitable if TLS renegotiation
is enabled.
mbed TLS disables it by default and says in the documentation:
Warning: It is recommended to always disable renegotiation unless you kn
Hi,
On 26/03/2021 17:05, Arne Schwabe wrote:
> Renegotiations have been troublesome in the past and also the recent OpenSSL
> security problem (CVE-2021-3449) is only exploitable if TLS renegotiation
> is enabled.
>
> mbed TLS disables it by default and says in the documentation:
>
> Warning: It
Hi,
On Fri, Mar 26, 2021 at 05:05:45PM +0100, Arne Schwabe wrote:
> +/* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
> + * session and does not depend on this feature. And TLS renegotiations
> have
> + * been problematic in the past */
> +sslopt |= SSL_OP_NO
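Review bot: the comment justifying this hunk should point at the concrete motivation given in the commit text, namely that the recent OpenSSL issue (CVE-2021-3449) is only exploitable when TLS renegotiation is enabled and that mbed TLS already disables renegotiation by default; a future reader of ssl_openssl.c will otherwise only see "have been problematic in the past". Since the diffstat also touches src/openvpn/ssl_mbedtls.c, make sure the mbed TLS side carries the same rationale so the two backends stay documented consistently.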
This commit cleans up the logic in the function a bit. It also makes it
clearer that the details printed in the second part of the message are
details about the peer certificate and not the TLS connection as such.
Also print the signature algorithm as this might help to identify
peer certificate