Hi,
On Tue, Feb 20, 2018 at 7:23 AM, Gert Doering wrote:
> Acked-by: Gert Doering
>
> "Because it makes sense" (checked with the Windows API documentation, and
> compile-tested on ubuntu 16.04).
>
> Your patch has been applied to the master and release/2.4 branch.
>
> There was one issue with yo
From: Selva Nair
- This codepath uses some openssl-1.1 specific API and is enabled only
for openssl 1.1 and higher versions. But, due to incompatible
version numbering in libressl, it gets wrongly enabled with libressl
versions that do not support the required API. As an easy workaround
Hi,
On Tue, Feb 20, 2018 at 10:10 AM, Илья Шипицин wrote:
> Hello,
>
> is there any step-by-step example of implementing either static or dynamic
> challenge response ?
Static is easy:
On client: add --static-challenge "Enter OTP" 1 to the client config.
On server, merge my auth-pam plugin patch
From: Selva Nair
- RegGetValue with flags = RRF_RT_REG_SZ|RRF_RT_REG_EXPAND_SZ
fails in Windows 7 with an "invalid parameter" error.
Fix by using RRF_RT_REG_SZ alone.
Note: This is not a regression as in no released version did the
service support expandable strings (ones with emb
clear the host bits.
Windows 10 did fail, but even that has appeared to have learned to
ignore the host bits after some very recent updates (surprise).. But
JJK had reported failure in Windows 7.
Acked-by: Selva Nair
Fixes Trac #1003.
Selva
---
From: Selva Nair
- Correct an instance of %s used for wchar_t * (should be %ls)
and some %d for DWORD or %lu for int.
- Cast socket descriptor to (int) during i/o as it's unsigned int
or int64 in Windows but signed int in other platforms.
Signed-off-by: Selva Nair
---
Unlike master, use of
From: Selva Nair
- "%ll" is not supported by Windows run time, so use PRIi64
and cast the variable to (int64_t) in output statements
(as in commit 9ba36639abcac4367c8227d2dd87b18fb56267c4)
- Fix an instance of wchar_t * printed using %s -- should be %ls.
- Cast variables
Hi,
On Wed, Feb 21, 2018 at 10:18 PM, Илья Шипицин wrote:
>
>
> 2018-02-21 22:03 GMT+05:00 Selva Nair :
>>
>> Hi,
>>
>> On Tue, Feb 20, 2018 at 10:10 AM, Илья Шипицин
>> wrote:
>> > Hello,
>> >
>> > is there any step-by-step ex
Hi
On Thu, Feb 22, 2018 at 1:46 AM, Илья Шипицин wrote:
>
>
> 2018-02-22 8:52 GMT+05:00 Selva Nair :
>>
>> Hi,
>>
>> On Wed, Feb 21, 2018 at 10:18 PM, Илья Шипицин
>> wrote:
>> >
>> >
>> > 2018-02-21 22:03 GMT+05:00 Selva Nair :
Hi,
On Thu, Feb 22, 2018 at 2:17 AM, Gert Doering wrote:
> Acked-by: Gert Doering
>
> Thanks.
>
> (Stared-at-code, stared-at-compiler output on 16.04, before and after)
>
> Your patch has been applied to the release/2.4 branch.
>
>
Wow, that's pretty early morning over there for patch merging..
Hi,
On Thu, Feb 22, 2018 at 4:47 PM, Steffan Karger wrote:
> Hi,
>
> On 26-01-18 16:53, selva.n...@gmail.com wrote:
>> From: Selva Nair
>>
>> - Also add reference counting to CAPI_DATA (application data):
>>
>> When the application data is assigned to
Hi,
This just caught my fancy :)
On Tue, Jan 2, 2018 at 5:28 PM, Steffan Karger wrote:
> As reported in trac #922, the wakeup computation in
> event_timeout_trigger() could overflow. Since time_t and int are signed
> types, that is officially undefined behaviour.
>
> On systems with a 64-bit si
Hi,
On Thu, Feb 22, 2018 at 5:37 PM, Selva Nair wrote:
>> +/** Return true if the addition of a and b would overflow. */
>> +static inline bool
>> +time_t_add_overflow(time_t a, time_t b) {
>> +static_assert(((time_t) -1) < 0, "OpenVPN assumes time_t is
From: Selva Nair
- Also add reference counting to CAPI_DATA (application data):
When the application data is assigned to the private key
we free it in the key's finish method. Proper error handling
requires to keep track of whether data is assigned to the
key or not before an
From: Selva Nair
Requires openssl 1.1.0 or higher
Signed-off-by: Selva Nair
---
v3 of 2/3 changed the context of one chunk, so sending a v2 rebased
to current master.
src/openvpn/cryptoapi.c | 199 +++-
1 file changed, 198 insertions(+), 1 deletion
Hi,
Thanks a bunch for the review..
All good points:
On Sat, Feb 24, 2018 at 11:52 AM, Steffan Karger wrote:
> Hi,
>
> Patch looks good in general, and works as expected on my Win 10 test
> box. Some minor comments below:
>
> On 23-02-18 19:10, selva.n...@gmail.com wrote:
>
From: Selva Nair
Requires openssl 1.1.0 or higher
Signed-off-by: Selva Nair
---
v3 changes:
- check return value of ECDSA_SIG_set0
- ensure buffer size needed by i2d_ECDSA_SIG does not exceed the expected
capacity of the sig buffer
- Fix a typo and add contextual info to a debug message
On Sat, Feb 24, 2018 at 3:57 PM, wrote:
> From: Selva Nair
>
> Requires openssl 1.1.0 or higher
>
> Signed-off-by: Selva Nair
> ---
> v3 changes:
> - check return value of ECDSA_SIG_set0
> - ensure buffer size needed by i2d_ECDSA_SIG does not exceed the expect
Hi,
On Tue, Feb 20, 2018 at 8:07 AM, Gert Doering wrote:
> Your patch has been applied to the master and release/2.4 branch.
>
> commit 437be780996501becb18f0d34c256ab9c9fe27af (master)
> commit b7aea67aa11b73417eeff595d13b0e2a7b9c925c (release/2.4)
> Author: Ilya Shipitsin
> Date: Mon Jan 15 1
From: Selva Nair
Requires openssl 1.1.0 or higher
Signed-off-by: Selva Nair
---
v3 changes:
- check return value of ECDSA_SIG_set0
- ensure buffer size needed by i2d_ECDSA_SIG does not exceed the expected
capacity of the sig buffer
- Fix a typo and add contextual info to a debug message
Hi,
Sourceforge keeps rejecting my attempts to send a patch through
gmail.com as smtp server. Something like "this message scored x.y.
Congratulations!" is the response from mx.sourceforge.net. Tripping
some spam filter? I had to send it via another server to get through.
This started only a coup
Hi,
On Tue, Feb 20, 2018 at 2:59 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Feb 20, 2018 at 11:19:23AM -0500, Selva Nair wrote:
>> Hmm.. I thought I had tested the patch.. Looking at it right now -- hold on
>> :)
>
> Missed you on IRC...
>
> 18:21 < selvanair>
Hi,
On Wed, Feb 21, 2018 at 2:36 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Feb 21, 2018 at 02:07:03AM -0500, Selva Nair wrote:
>> >> *This* one breaks LibreSSL compilation (namely, the OpenBSD buildbot),
>> >> because
> [..]
>> Tested using the fre
Hi,
On Wed, Feb 21, 2018 at 8:20 AM, Selva Nair wrote:
> Hi,
>
> On Wed, Feb 21, 2018 at 2:42 AM, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Feb 20, 2018 at 06:33:35PM -0500, Selva Nair wrote:
>>> > (It does happen for my own binary and for the installe
Hi,
On Wed, Feb 21, 2018 at 2:42 AM, Gert Doering wrote:
> Hi,
>
> On Tue, Feb 20, 2018 at 06:33:35PM -0500, Selva Nair wrote:
>> > (It does happen for my own binary and for the installers Samuli builds,
>> > so it's not "my build environment" - theor
Hi,
On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe wrote:
> Am 28.02.18 um 14:19 schrieb David Sommerseth:
>> It is not recommended to use --management on a TCP port without also
>> adding a password authentication, as this can easily be abused by other
>> users or processes being able to connect
Hi,
On Tue, Jan 2, 2018 at 5:28 PM, Steffan Karger wrote:
> As reported in trac #922, the wakeup computation in
> event_timeout_trigger() could overflow. Since time_t and int are signed
> types, that is officially undefined behaviour.
>
> On systems with a 64-bit signed time_t (most if not all 6
nly change needed. So ACK, assuming a commit message and Author: may
be slapped on during merge.
Acked-by: Selva Nair
Selva
This one is too old to cleanly apply, but still sending again
just to get it into patchwork.
(For some reason bouncing to patchwork somehow never works for me, else
this could have beaten the oldest pending patch record :)
-- Forwarded message --
From: Selva Nair
Date: Thu, Nov
t 2d705accea3e538a555631ef7c39eb4bc4fd4acf cherry-picked
> from f8a92a4393a was not fully ripe..
>
> As we do not support Windows build using pre 1.0 openssl, this is the
> only change needed. So ACK, assuming a commit message and Author: may
> be slapped on during merge.
>
> Ack
Hi,
On Thu, Mar 1, 2018 at 12:51 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Mar 01, 2018 at 11:09:32AM -0500, Selva Nair wrote:
>> This one is too old to cleanly apply, but still sending again
>> just to get it into patchwork.
>
> Oh, completely fell off my radar. But n
From: Selva Nair
This was missing on Windows when interactive service is in use.
v3: Mar 1, 2017: avoid code repetition and rebase to master
Signed-off-by: Selva Nair
---
src/openvpn/tun.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/tun.c b/src
Hi,
These days many (all?) trac tickets appear with an owner set. When I
see an owner it gives the impression that person is looking into it
and makes me less inclined to investigate.
But it looks like this is automatically assigned and in many cases the
so-called owner is MIA. It only gives a w
From: Selva Nair
Openssl docs do not explicitly state these to be macros although they
are currently defined as such. Use AC_CHECK_DECLS to test for these so that
both function and macro forms could be detected.
Signed-off-by: Selva Nair
---
Though not meant as a fixup for libressl, as a side
Hi,
On Sun, Mar 4, 2018 at 11:47 AM, Jeremie Courreges-Anglas
wrote:
> On Sun, Mar 04 2018, Gert Doering wrote:
>
> [...]
>
>> "Please note that LibreSSL is not a supported crypto backend. We
>> accept patches and we do test on OpenBSD 6.0 which comes with
>> LibreSSL, but if newer versions of
Hi,
On Sun, Mar 4, 2018 at 1:48 PM, Jeremie Courreges-Anglas
wrote:
> On Sun, Mar 04 2018, selva.n...@gmail.com wrote:
>> From: Selva Nair
>>
>> Openssl docs do not explicitly state these to be macros although they
>> are currently defined as such.
>
> Actually
Hi,
On Sun, Mar 4, 2018 at 6:22 PM, Steffan Karger wrote:
>
> On 05-03-18 00:13, Jeremie Courreges-Anglas wrote:
>> On Sun, Mar 04 2018, Selva Nair wrote:
>> --8<--
>> [...]. OpenSSL itself only provided said setters (since 2015)[2]. The
>> getters were ad
From: Selva Nair
Signed-off-by: Selva Nair
---
src/openvpn/options.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f7995c6..c5bce9f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2171,7 +2171,8
From: Selva Nair
Time interval arithmetic can overflow especially when user
defined intervals are involved. E.g., see Trac #922.
Avoid this by reordering the arithmetic operation in
event_timeout_trigger(). Also avoid unnecessary casting of time
variable to int.
Time until wakeup is now
Hi,
Based on the commit message this appears to cover all that is wrong
with current auth-token implementation. I haven't carefully reviewed the
code or tested it, but some initial remarks that look relevant.
On Mon, Mar 5, 2018 at 10:50 AM, Arne Schwabe wrote:
> Auth-token is documented as a t
Hi,
On Sun, Mar 4, 2018 at 6:17 AM, Steffan Karger wrote:
> Check the return values of management_query_cert() and
> tls_ctx_use_external_private_key(), and error out with a more descriptive
> error message. To do so, we make the openssl-backed implementation of
> tls_ctx_use_external_private_ke
Hi,
On Wed, Mar 7, 2018 at 6:52 AM, Arne Schwabe wrote:
> Am 06.03.18 um 22:04 schrieb Selva Nair:
>
..
>> I want to stress this point: when the server sends back AUTH_FAILED,
>> the client does behave somewhat sanely, but not otherwise. And on that
>> count this pat
Hi,
...some good stuff snipped...
>
> I'll admit I might see this with a bit too narrow perspective. But how I have
> understood this issue is that OpenVPN 2.x does not behave correctly as it
> doesn't understand *why* the authentication failed. If the client side would
> understand why auth fa
Hi,
On Wed, Mar 7, 2018 at 6:52 PM, David Sommerseth
wrote:
> On 08/03/18 00:22, Selva Nair wrote:
>> Hi,
>>
>> ...some good stuff snipped...
>>
>>>
>>> I'll admit I might see this with a bit too narrow perspective. But how I
>>>
Hi,
I wanted to give this a quick test, but it doesn't apply.
It seems you have patch 116 (Antonio's "inline-tag changed to bool"
patch) in your local repo.
By the way, the M_FATAL after management_query_cert() looks like a
regression. One problem with these FATAL exits is that it makes it
hard
From: Selva Nair
Have the cryptoapicert option find the first matching certificate
in store that is valid at the present time. Currently the first
found item, even if expired, is returned.
This makes it possible to update certificates in store without having
to delete old ones. As a side effect
From: Selva Nair
Currently when the certificate is specified as "SUBJ:foo", the
string foo is assumed to be ascii. Change that and interpret
it as utf-8, convert to a wide string, and flag it as unicode
in CertFindCertificateInStore().
Signed-off-by: Selva Nair
---
src/openvpn/crypto
Hi,
On Mon, Mar 12, 2018 at 4:21 AM, Gert Doering wrote:
>
> Hi Selva,
>
> On Sun, Mar 11, 2018 at 09:17:58PM -0400, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > Have the cryptoapicert option find the first matching certificate
> > in sto
Hi,
On Tue, Mar 13, 2018 at 7:36 AM, Jiří Engelthaler wrote:
>
> Any discussion / opinions ? Here
> https://github.com/OpenVPN/openvpn/pull/97#issuecomment-372530059
> one user reported that this patch was useful for him.
Though I agree that checking for whether media sense is globally
disabl
Hi,
On Wed, Mar 14, 2018 at 3:32 AM, Jiří Engelthaler wrote:
> Hi.
> You're right. Disabled dhcp media sense can be set as global for all
> interfaces or in adapter specific setting if it supports it (TAP supports
> it).
> But for most users the global setting is hidden deep in the system and for
Hi,
Apologies in advance if I'm misreading the intent of this patch.
On Fri, Mar 16, 2018 at 12:40 PM, Ning Wei via Openvpn-devel
wrote:
> Increase TLS_CHANNEL_BUF_SIZE to 4096. When the build is enabled with
> ENABLE_PKCS11, the password field can be 4096. The old size of
> TLS_CHANNEL_BUF_SIZ
From: Selva Nair
(i) Let the management-client predictably cycle through remote entries. This
is done by not aborting after two cycles. The client can abort or restart
the connection using signals (USR/HUP/TERM) as necessary.
In the current behaviour, the daemon can unexpectedly exit when the
From: Selva Nair
Currently this prompt is only output once, not re-written to the
management interface when the management client connects. It is thus
not seen by a client that connects after the prompt is output or one that
disconnects and reconnects. This leads to a deadlock: the daemon
e didn't make sense to me.
>
> "Further, even a TLS_CHANNEL_BUF_SIZE of 4096 does not support a
> password that long as there are other things like username, key-source,
> local-options that have to fit into the buffer (see key_method_2_write). So
> what's the logic
Hi,
On Thu, Mar 22, 2018 at 12:16 PM, Jan Just Keijser wrote:
> Hi Eric, all,
>
> On 22/03/18 04:25, Eric Thorpe wrote:
>
> Hi All,
>
> One of the Viscosity developers here. The TAP driver used by Viscosity is
> based on the OpenVPN TAP-Windows driver. We're surprised to hear of any
> performance
Hi,
On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only. Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warn
Hi,
Thanks for looking at this.
On Mon, Apr 2, 2018 at 8:37 AM, Steffan Karger wrote:
>
> Hi,
>
> One comment based on stare-at-code only:
>
> On 12-03-18 02:17, selva.n...@gmail.com wrote:
> > @@ -636,6 +640,8 @@ find_certificate_in_store(const char *cert_prop,
> > HCERTSTORE cert_store)
> >
Hi,
This one applies cleanly on top of master.
On Mon, Apr 2, 2018 at 7:44 AM, Steffan Karger wrote:
>
> Check the return values of management_query_cert() and
> tls_ctx_use_external_private_key(), and error out with a more descriptive
> error message. To do so, we make the openssl-backed imple
From: Selva Nair
Have the cryptoapicert option find the first matching certificate
in store that is valid at the present time. Currently the first
found item, even if expired, is returned.
This makes it possible to update certificates in store without having
to delete old ones. As a side effect
From: Selva Nair
Currently when the certificate is specified as "SUBJ:foo", the
string foo is assumed to be ascii. Change that and interpret
it as utf-8, convert to a wide string, and flag it as unicode
in CertFindCertificateInStore().
Signed-off-by: Selva Nair
---
v2: rebased to v2
Hi,
On Wed, Apr 4, 2018 at 8:13 AM, David Sommerseth wrote:
> Be more explicit that --auth-gen-token is to be considered a workaround
> for authentication scripts/plug-ins not supporting --auth-token.
>
> Also be more explicit that invalidated --auth-token values will result
> in the client disco
Hi,
On Thu, Apr 12, 2018 at 4:26 AM, Gert Doering wrote:
> Hi Eric,
>
> On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote:
> > One of the Viscosity developers here. The TAP driver used by Viscosity
> > is based on the OpenVPN TAP-Windows driver. We're surprised to hear of
> > any perfo
Hi,
On Thu, Apr 12, 2018 at 10:50 AM, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote:
> > > > This change was made not because of any actual performance gains, but
> > > > because of user reports that certain firewall or
Hi,
On Thu, Apr 12, 2018 at 2:48 PM, Simon Rozman wrote:
Moving up the most important part:
Hi,
> I'm back. :)
>
Welcome back!
> I took the short Interactive Service introduction found at
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService and
> extended it with my experie
Hi,
A couple of things I noticed
(i) On a slightly outdated Windows 7 box (last update in Sep 2017),
previously running 2.4.5, the install appeared to succeed but the tap
adapter was no longer usable -- openvpn errors out with CreateFile()
failure when opening the adapter. Reinstalling or recreat
Hi,
On Wed, Apr 18, 2018 at 2:58 AM, Gert Doering wrote:
> On Tue, Apr 17, 2018 at 09:45:24PM -0400, Selva Nair wrote:
> > (ii) The driver version shows up as 9.0.0.21 -- this is apparently taken
> > from the inf file. Why is it not 9.21.3? The file version is 9.21.3 9/21
>
Hi,
On Tue, Apr 17, 2018 at 3:01 AM, Samuli Seppänen wrote:
>
>
> Excellent and thanks for testing! This gives me a lot more confidence in
> the Authenticode signature.
>
I don't want to question that as none of my Windows hosts complains about
the signature. But the driver details tab shows th
Hi,
Looks good now except for an error introduced by my sloppy comment. See below:
On Fri, Apr 13, 2018 at 10:24 AM, Simon Rozman wrote:
> The OpenVPN Interactive Service documentation from
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
> upgraded with a description o
Hi
On Fri, Apr 20, 2018 at 4:00 AM, Gert Doering wrote:
> Hi,
>
> On Fri, Apr 20, 2018 at 03:20:26PM +1000, Eric Thorpe wrote:
>> This patch allows for a client reason to be returned from an auth plugin
>> and sent to the connecting client on an auth fail. This change is
>> backwards compatible w
From: Selva Nair
The driver version (taken from the INF) and the file version of
tap0901.sys file (from its resource) will now display like
9.22.1.601.
The driver details tab will continue to show the text form of
the version as "major.minor.revision (major/minor)".
Eg., "9.22.1
On Sat, Apr 14, 2018 at 3:26 AM, Gert Doering wrote:
> Malformed input data on the service pipe towards the OpenVPN interactive
> service (normally used by the OpenVPN GUI to request openvpn instances
> from the service) can result in a double free() in the error handling code.
>
> This usually o
Hi,
On Wed, Apr 25, 2018 at 3:04 AM, Samuli Seppänen wrote:
> Feature-ACK, but I have not tested this yet. I think we should increment
> version to 9.22.2 (a.k.a. 9,22,2,601) though. The current release is 9.22.1.
Treating this like any other patch, I think version bump should not be
a part of i
Hi,
On Tue, Apr 24, 2018 at 4:16 PM, Christian Hesse wrote:
> Antonio Quartulli on Tue, 2018/04/24 23:08:
>> OTOH I understand that there are people that don't care about having a
>> working tunnel reconfiguration and are fine with starting openvpn as
>> root (and then dropping privileges).
>>
>
From: Selva Nair
The driver version (taken from the INF) and the file version of
tap0901.sys file (from its resource) will now display like
9.22.1.601.
The driver details tab will continue to show the text form of
the version as "major.minor.revision major/minor".
Eg., "9.22.1 9/
Hi
Thanks for the patch. This feature (and a similar support for plugins)
is something very nice to have
But this implementation is inadequate.
The main problem is that multi->client_reason is sent back to the client only
during the initial auth not during reauth (renegotiations). So this will wo
From: Selva Nair
In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the pre
TLS 1.2
Hi,
On Wed, May 2, 2018 at 2:30 PM, Steffan Karger wrote:
> Hi,
>
> On 26-03-18 18:36, Ning Wei via Openvpn-devel wrote:
>> Both of key_method_2_write and key_method_2_read take
>> TLS_Channel_Bug_Size as buffer size. The current size, 2048 is not
>> enough to read/write a long password response
Hi,
On Fri, May 25, 2018 at 9:51 AM, Jan Just Keijser wrote:
> Hi,
>
> On 25/05/18 03:41, Simon Rozman wrote:
Private and public key are still used. The patch still uses
certificates and TLS, it only replaces the check certificate of the
peer's certificate against the CA with a
Hi,
It builds fine even with the openssl 1.1.1 dev branch:
$ openvpn --version:
OpenVPN 2.5_git [git:master/1394192b210cb3c6] x86_64-unknown-linux-gnu
[SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 31 2018
library versions: OpenSSL 1.1.1-dev xx XXX
>
> When
Hi,
>
> No, OpenSSL 1.1.0 is configured with
>
> --api=1.1.0 \
>
> as it should be to NOT have/use deprecated compat interfaces,
I think that is identical to setting -DOPENSSL_API_COMPAT to 1.1 and
will not work.
OpenVPN still supports openssl 1.0 and you can't build with api
restricted to 1
Hi,
On Sun, Jun 3, 2018 at 6:11 AM, Steffan Karger wrote:
> Can be suppressed by adding a "nowarn" flag to the compress options, for
> those that are really sure that compression is fine for their use case.
>
> Signed-off-by: Steffan Karger
> ---
> This patch is also meant to discuss how far we
Hi,
On Mon, Jun 4, 2018 at 2:23 PM, wrote:
> On 5/31/18 10:33 PM, Selva Nair wrote:
> > OpenVPN still supports openssl 1.0 and you can't build with api
> > restricted to 1.1. At least not yet. So it will build only if you use
> > the "default build" of Op
Hi,
On Tue, Jun 5, 2018 at 10:36 AM, Gert Doering wrote:
>
> Hi,
>
> Preliminaries: I think this whole series should only go to 2.5, as it
> has the potential to be fairly intrusive and uncover hidden bugs - I've
> discussed this with Antonio already (and we're in agreement) but for
> the sake of
Hi,
On Tue, Jun 5, 2018 at 12:22 PM, Antonio Quartulli wrote:
> Hi,
>
> On 05/06/18 23:54, Selva Nair wrote:
> [cut]
>>> ACK on the feature, but NAK on "we can do this more nicely" reasons :-)
>>>
>>> First, I'd leave off the bits about "
Hi,
On Tue, Jun 5, 2018 at 2:53 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Jun 05, 2018 at 01:30:35PM -0400, Selva Nair wrote:
>> How to work around that depends on what the tap driver expects in the
>> v4 address. Ideally, we should patch the driver to work wi
From: Selva Nair
M_DEBUG only indicates the type of the message and will print even
at verb 0. Use D_LOW which is M_DEBUG combined with verb = 4 and
a mute level.
---
Moving towards what the man page says:
verb 0 means "No output except fatal errors."
M_WARN also needs replacemen
Hi,
On Tue, Jun 5, 2018 at 3:59 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Jun 05, 2018 at 03:38:44PM -0400, Selva Nair wrote:
>> FWIW, I did a quick test --- looking into tap-windows sources it seems
>> the address is used only for ARP so passing some random address to
Hi
On Tue, Jun 5, 2018 at 10:30 PM, Antonio Quartulli wrote:
> Hi,
>
> On 06/06/18 03:38, Selva Nair wrote:
>> Here is the diff of what I did for the Windows build run:
>>
>> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
>> index 2e33880..75336a9 100644
>
Hi,
On Wed, Jun 6, 2018 at 7:33 AM, Antonio Quartulli wrote:
> Hi,
>
> On 06/06/18 04:30, Selva Nair wrote:
>>>> However, even with !ipv4, redirect-gateway ipv6 appears to error out
>>>> -- it fails with
>>>>
>>>> "TEST ROUTES: 0/2 su
Hi
On Wed, Jun 6, 2018 at 12:02 PM, Antonio Quartulli wrote:
> Hi,
>
> On 06/06/18 23:40, Selva Nair wrote:
>>> I am not sure why you get those 2 routes. Do you have a more extensive
>>> log to show? It may help clearing up some doubts.
>>
..
>>
>>
Hi
On Wed, Jun 6, 2018 at 11:40 AM, Selva Nair wrote:
> Hi,
>
> On Wed, Jun 6, 2018 at 7:33 AM, Antonio Quartulli wrote:
>> Hi,
>>
>> On 06/06/18 04:30, Selva Nair wrote:
..
>>
>> I am not sure why you get those 2 routes. Do you have a more extensive
Hi,
On Thu, Jun 7, 2018 at 1:51 AM, Antonio Quartulli wrote:
>
> Hi Selva,
>
> I have tried to account most of your comments, but something might still
> be off. Building openvpn for Windows might need some time here as I
> don't have the entire environment ready yet.
>
> Would you mind giving my
Hi,
>
>> Note: All that said, I can't seem to connect to the server via ipv6
>> when there is no v4 address. tracert fails before the first hop.
>> v6 does work when ifconfig is not filtered out.
>>
>> One difference from my earlier test using your previous
>> version with the minor change to allo
Hi,
Failed to respond to some other points in the last reply:
>>
>> Did some quick tests and this seems to work quite well (but see the
>> note at the bottom):
>>
>> - v4 routes via tun just fail with a warning which is good (our route
>> errors not being FATAL pays off here)
>> - v4 routes via n
Hi,
On Thu, Jun 7, 2018 at 12:57 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Jun 07, 2018 at 12:14:51PM -0400, Selva Nair wrote:
>> Note: All that said, I can't seem to connect to the server via ipv6
>> when there is no v4 address. tracert fails before the first hop.
>
Hi,
On Thu, Jun 7, 2018 at 1:29 PM Antonio Quartulli wrote:
> On 08/06/18 01:05, Selva Nair wrote:
> > Hi,
> >
> > On Thu, Jun 7, 2018 at 12:57 PM, Gert Doering
> wrote:
> >> Hi,
> >>
> >> On Thu, Jun 07, 2018 at 12:14:51PM -0400, Selva Nai
Hi,
> > [*] Topology subnet uses ip, network and netmask, while net30 passes in
> the
> > second IP of the /30 in network as "netmask". The two ioctls interpret
> > their parameters differently such that in the end only valid ARP packets
> > get a response from the driver !
>
> Is ARP still to be
Hi,
On Fri, Jun 8, 2018 at 10:01 AM Gert Doering wrote:
>
> Hi,
>
> On Tue, Jun 05, 2018 at 04:06:10PM -0400, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > M_DEBUG only indicates the type of the message and will print even
> > at verb 0. Use D_LOW
Hi,
On Thu, Apr 19, 2018 at 7:23 AM, Simon Rozman wrote:
> The OpenVPN Interactive Service documentation from
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
> upgraded with a description of the client-service communication flow,
> service registry configuration, and no
Hi,
I thought of updating the docs
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService
with Simon's vastly expanded version in doc/interactive-service-notes.rst
See commit 62b1cc161c53d900b6fe56f6924ef2ec1c1b8a00 (master)
Tried this using rst converted to mediawiki format (usi