1_server_method");
}
void
@@ -109,10 +109,10 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
{
ASSERT(NULL != ctx);
- ctx->ctx = SSL_CTX_new (SSLv23_client_method ());
+ ctx->ctx = SSL_CTX_new (TLSv1_client_method ());
if (ctx->ctx == NULL)
-msg (M_SSLERR, "SSL_
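Review bot: the one-line change in tls_ctx_client_new from SSLv23_client_method() to TLSv1_client_method() pins the client to TLS 1.0 only. In OpenSSL, SSLv23_client_method() negotiates the highest version both peers support (so TLS 1.1 and 1.2 when available), whereas TLSv1_client_method() accepts nothing but TLS 1.0. As a diagnostic build to confirm that the tls_read_plaintext failure discussed in this thread only appears under TLS 1.2, that is a fair experiment, but it must not be merged as the fix, because it silently downgrades every client. If version restriction is really wanted, keep SSLv23_client_method() and exclude specific versions with SSL_CTX_set_options() and the corresponding SSL_OP_NO_* flags, with a comment explaining why.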
r end?
Let me know if there's more I can do.
--
Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
to
[AF_INET]192.168.148.43:1194: P_ACK_V1 kid=0 sid=65fbeaf3 0672d359
tls_hmac=51cd68bb cd99bd7e 4988f67d 6c385535 7b4dfa06 pid=[ #41 / time =
(1398259578) Wed Apr 23 09:26:18 2014 ] [ 33 sid=95747581 daf31aa7 ]
Hope this helps.
Timothe Litt
ACM Distinguished Engineer
---
On 23-Apr-14 06:56, Steffan Karger wrote:
Hi,
On 04/23/2014 10:10 AM, Gert Doering wrote:
On Tue, Apr 22, 2014 at 10:58:22PM -0400, Timothe Litt wrote:
It does not appear to be the negotiation, rather it's TLS1.2.
This is quite cool, thank you. (I'm not enough of a crypto geek to
CBC-SHA
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
TLS-RSA-EXPORT-WITH-RC4-40-MD5
Timothe Litt
ACM Distinguished Engineer
On 23-Apr-1
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my spare pi from the
desk drawer and built 2.
.
On 23-Apr-14 19:57, James Yonan wrote:
On 23/04/2014 17:21, Timothe Litt wrote:
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and
server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I'
that the config file writer gets involved. And since once 'things
work' they aren't changed, I suspect people will tend to stay with less
secure configurations forever. Especially on the client end.
I'll leave sorting that out to you folks.
Timothe Litt
ACM Distinguished Engin
On 24-Apr-14 04:17, Gert Doering wrote:
I do run these on a windows 7 machine, but can't reconfigure them just
for debugging OpenVPN.
No, I wasn't suggesting that you do that, I was just trying to clarify
what build options we have.
I find "add msg() calls, build on linux, run on windows, see
The tls_read_plaintext error discussion continued past the e-mail chains
pointed to on the meeting topic.
I don't know if I'll be able to make the IRC meeting (and I'm just a
user, not a developer), so here are a couple of notes:
Both the read_plaintext error (mine) and the george ross report
On 24-Apr-14 10:52, George Ross wrote:
On our server side the certificate chain goes: University CA -> School CA ->
service-signing CA -> service cert. The first two of these are kept
off-line. On the client side it goes: University CA -> School CA -> KCA ->
kx509-cert.
I wonder if that's just
3_SEND_CLIENT_VERIFY,
ERR_R_EVP_LIB);
goto err;
}
s2n(u,p);
n = u + 4;
if (!ssl3_digest_cached_records(s))
goto err;
}
.
Timothe Litt
ACM Distinguished Engineer
"why is it breaking for you
in particular, while it works for other Linux users just fine" (half
of my testbed is Linux...)
Indeed, that is the interesting question. This has to do with how the
client certificate is signed by the client, which in TLS1.2 is
negotiated between the client and
ports.
The old method of -DLOG_OPENVPN still provides the facility used by
default. Thus, the
priority is:
--syslog-facility
--daemon [facility] or --syslog [facility]
-DLOG_OPENVPN
This is forward and backward compatible with existing scripts & initfiles.
Signed-off-by: Timothe Litt
Cosmetic issue.
Apply this after the full patch. (Or just delete the 5 characters from
the full patch before applying.)
Sorry about the noise.
From 0ec2da0e86dd39a474705e099a1b4085b9602590 Mon Sep 17 00:00:00 2001
From: Timothe Litt
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon
think that's a good thing...
I know that everyone is busy and most have 'real' jobs. And it's natural
to respond quickly to people you know. But the current culture of 'it's
OK to leave submissions in limbo for months' won't get the project much
help from "the community".
FWIW.
--
Timothe Litt
ACM Distinguished Engineer
Reflects review comments from David; doc changes, single patch, one name
change, some clarification in the commit message. No functional changes.
Detailed response/rationale in previous email.
From 4af33b94ad4e2509fb9bc195eb50404c0d2b7581 Mon Sep 17 00:00:00 2001
From: Timothe Litt
List-Post
here are any, they will happen the first
time it's compiled on some (probably obscure) platform that doesn't have
a required facility code. It's unlikely, but possible. It won't be
something subtle in the field -- like TLS1.2 :-(
But if you want to hold it for 2.4, it