Re: [Openvpn-devel] tls-version-min in Openvpn-devel Digest, Vol 95, Issue 27

2014-04-22 Thread Timothe Litt
1_server_method"); } void @@ -109,10 +109,10 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - ctx->ctx = SSL_CTX_new (SSLv23_client_method ()); + ctx->ctx = SSL_CTX_new (TLSv1_client_method ()); if (ctx->ctx == NULL) -msg (M_SSLERR, "SSL_
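Review bot: the `+` line swaps the version-flexible `SSLv23_client_method ()` for `TLSv1_client_method ()`, which in OpenSSL selects TLS 1.0 exactly and so prevents the client from negotiating TLS 1.1 or 1.2; if the intent is only to enforce a minimum version (the thread subject is `tls-version-min`), keep `SSLv23_client_method ()` and exclude the lower protocols with `SSL_CTX_set_options ()` instead of pinning a single version. The truncated `1_server_method` fragment suggests the server-side constructor received the same substitution, so that hunk should be checked for the same regression.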

[Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
r end? Let me know if there's more I can do. -- Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
to [AF_INET]192.168.148.43:1194: P_ACK_V1 kid=0 sid=65fbeaf3 0672d359 tls_hmac=51cd68bb cd99bd7e 4988f67d 6c385535 7b4dfa06 pid=[ #41 / time = (1398259578) Wed Apr 23 09:26:18 2014 ] [ 33 sid=95747581 daf31aa7 ] Hope this helps. Timothe Litt ACM Distinguished Engineer ---

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
On 23-Apr-14 06:56, Steffan Karger wrote: Hi, On 04/23/2014 10:10 AM, Gert Doering wrote: On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote: It does not appear to be the negotiation, rather it's TLS1.2. This is quite cool, thank you. (I'm not enough of a crypto geek to

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
CBC-SHA TLS-RSA-EXPORT-WITH-DES40-CBC-SHA TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5 TLS-RSA-EXPORT-WITH-RC4-40-MD5 Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 23-Apr-1

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-23 Thread Timothe Litt
On 23-Apr-14 16:06, Steffan Karger wrote: I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces. Sent off-list. I've been trying to reproduce the error. I grabbed my spare pi from the desk drawer and built 2.

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
. On 23-Apr-14 19:57, James Yonan wrote: On 23/04/2014 17:21, Timothe Litt wrote: On 23-Apr-14 16:06, Steffan Karger wrote: I generated a matching pair of traces of the failure (client and server) & posted a summary. Let me know if you would like the full traces. Sent off-list. I'

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
that the config file writer gets involved. And since once 'things work' they aren't changed, I suspect people will tend to stay with less secure configurations forever. Especially on the client end. I'll leave sorting that out to you folks. Timothe Litt ACM Distinguished Engin

Re: [Openvpn-devel] Progress on Version negotiation

2014-04-24 Thread Timothe Litt
On 24-Apr-14 04:17, Gert Doering wrote: I do run these on a windows 7 machine, but can't reconfigure them just for debugging OpenVPN. No, I wasn't suggesting that you do that, I was just trying to clarify what build options we have. I find "add msg() calls, build on linux, run on windows, see

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread Timothe Litt
The tls_read_plaintext error discussion continued past the e-mail chains pointed to on the meeting topic. I don't know if I'll be able to make the IRC meeting (and I'm just a user, not a developer), so here are a couple of notes: Both the read_plaintext error (mine) and the george ross report

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-24 Thread Timothe Litt
On 24-Apr-14 10:52, George Ross wrote: On our server side the certificate chain goes: University CA -> School CA -> service-signing CA -> service cert. The first two of these are kept off-line. On the client side it goes: University CA -> School CA -> KCA -> kx509-cert. I wonder if that's just

Re: [Openvpn-devel] More on the George Ross failure

2014-04-24 Thread Timothe Litt
3_SEND_CLIENT_VERIFY, ERR_R_EVP_LIB); goto err; } s2n(u,p); n = u + 4; if (!ssl3_digest_cached_records(s)) goto err; } . Timothe Litt ACM Distinguished Engineer

Re: [Openvpn-devel] Topics for today's community meeting

2014-04-28 Thread Timothe Litt
"why is it breaking for you in particular, while it works for other Linux users just fine" (half of my testbed is Linux...) Indeed, that is the interesting question. This has to do with how the client certificate is signed by the client, which in TLS1.2 is negotiated between the client and

[Openvpn-devel] [PATCH] Add support for specifying the syslog facility, as requested in trac #188.

2014-04-28 Thread Timothe Litt
ports. The old method of -DLOG_OPENVPN still provides the facility used by default. Thus, the priority is: --syslog-facility --daemon [facility] or --syslog [facility] -DLOG_OPENVPN This is forward and backward compatible with existing scripts & initfiles. Signed-off-by: Timothe Litt

[Openvpn-devel] [PATCH] Remove validation hook in syslog facility patch.

2014-04-28 Thread Timothe Litt
Cosmetic issue. Apply this after the full patch. (Or just delete the 5 characters from the full patch before applying.) Sorry about the noise. From 0ec2da0e86dd39a474705e099a1b4085b9602590 Mon Sep 17 00:00:00 2001 From: Timothe Litt List-Post: openvpn-devel@lists.sourceforge.net Date: Mon

[Openvpn-devel] IRC & Community...

2014-05-01 Thread Timothe Litt
think that's a good thing... I know that everyone is busy and most have 'real' jobs. And it's natural to respond quickly to people you know. But the current culture of 'it's OK to leave submissions in limbo for months' won't get the project much help from "the community". FWIW. -- Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

[Openvpn-devel] [PATCH] Add support for specifying the syslog facility, requested in, trac #188. (Rev 2)

2014-05-02 Thread Timothe Litt
Reflects review comments from David; doc changes, single patch, one name change, some clarification in the commit message. No functional changes. Detailed response/rationale in previous email. From 4af33b94ad4e2509fb9bc195eb50404c0d2b7581 Mon Sep 17 00:00:00 2001 From: Timothe Litt List-Post

Re: [Openvpn-devel] [Openvpn-users] [PATCH] Add support for specifying the syslog facility, as requested in trac #188.

2014-05-02 Thread Timothe Litt
here are any, they will happen the first time it's compiled on some (probably obscure) platform that doesn't have a required facility code. It's unlikely, but possible. It won't be something subtle in the field -- like TLS1.2 :-( But if you want to hold it for 2.4, it