[Openvpn-devel] [PATCH v2 0/2] CRL reloading and chroot with mbedtls

2021-04-12 Thread Max Fillinger
After a lot of discussion on IRC on Friday, here's a new attempt at fixing the mbedtls certificate reloading issue. To sum up the background: Compumatica discovered the following pair of bugs in OpenVPN-NL, which are also present in stock OpenVPN with mbedtls. 1) With mbedtls, if the CRL file can

[Openvpn-devel] [PATCH v2 1/2] In init_ssl, open the correct CRL path pre-chroot

2021-04-12 Thread Max Fillinger
When using the chroot option, the init_ssl function can be called before entering the chroot or, when OpenVPN receives a SIGHUP, afterwards. This commit ensures that OpenVPN tries to open the correct path for the CRL file in either situation. This commit does not address key and certificate files

[Openvpn-devel] [PATCH v2 2/2] Abort if CRL file can't be stat-ed in init_ssl

2021-04-12 Thread Max Fillinger
Now that the path for the CRL file is handled correctly when using chroot, there's no good reason for the file to be inaccessible during init_ssl(). This commit ensures that the CRL file is accessed successfully at least once, which fixes a bug where the mbedtls version of OpenVPN wouldn't use a r

[Openvpn-devel] [PATCH] Fix build with mbedtls w/o SSL renegotiation support

2021-04-12 Thread Max Fillinger
In mbedtls, support for SSL renegotiation can be disabled at compile-time. However, OpenVPN cannot be built with such a library because it calls mbedtls_ssl_conf_renegotiation() to disable this feature at runtime. This function doesn't exist when mbedtls was built without support for SSL renegotiat

Re: [Openvpn-devel] [PATCH] Fix build with mbedtls w/o SSL renegotiation support

2021-04-12 Thread Antonio Quartulli
Hi, On 12/04/2021 19:46, Max Fillinger wrote: > In mbedtls, support for SSL renegotiation can be disabled at > compile-time. However, OpenVPN cannot be built with such a library > because it calls mbedtls_ssl_conf_renegotiation() to disable this > feature at runtime. This function doesn't exist wh

[Openvpn-devel] [PATCH applied] Re: Fix build with mbedtls w/o SSL renegotiation support

2021-04-12 Thread Gert Doering
Your patch has been applied to the master branch. commit e4bd17c86e01aaf6f809d9ea355419c86c4defdc Author: Max Fillinger Date: Mon Apr 12 19:46:17 2021 +0200 Fix build with mbedtls w/o SSL renegotiation support Signed-off-by: Max Fillinger Acked-by: Antonio Quartulli Messa

Re: [Openvpn-devel] [PATCH applied] Re: Fix build with mbedtls w/o SSL renegotiation support

2021-04-12 Thread Gert Doering
Hi, On Tue, Apr 13, 2021 at 07:57:03AM +0200, Gert Doering wrote: > Your patch has been applied to the master branch. > > commit e4bd17c86e01aaf6f809d9ea355419c86c4defdc > Author: Max Fillinger > Date: Mon Apr 12 19:46:17 2021 +0200 > > Fix build with mbedtls w/o SSL renegotiation support