fy "dir" mode for better
consistency with crl file (non-dir) mode.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/ssl_verify.c | 7 ---
src/openvpn/ssl_verify_mbedtls.c | 5 +++--
src/openvpn/ssl_verify_openssl.c | 5 +++--
3 files changed, 10 insertions(+), 7 dele
OpenVPN has the ability to choose different x509 field in case "CN"
can't be used to be unique connected username since commit
935c62be9c0c8a256112df818bfb8470586a23b6.
Unfortunately it's not enough in case client has multiple and valid
certificates from PKI for different devices (ex. laptop, m
;*' as the last trailing
symbol of kill command parameter.
Single '*' wildcard would be too greedy and can be too harmful,
therefore not allowed. Wildcards in the middle of parameter string
are not supported to keep the things simple at the moment.
Signed-off-by: Vladislav Grish
t; only.
Openssl backend is the only one supported at the moment, since so far MbedTLS
has no alt user name support at all.
v2: conform C99, man update, fix typos
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 9 --
src/openvpn/init.c
Hi, Lev
Thanks for review, I'll make improvements in V2.
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Lev Stipakov
Sent: Wednesday, August 5, 2020 1:29 PM
To: Vladislav Grishenko
Cc: openvpn-devel
Subject: Re: [Openvpn-devel] [PATCH] Log serial number of re
fy "dir" mode for better
consistency with crl file (non-dir) mode.
v2: log if serial is not available, require it in crl-verify dir mode
Signed-off-by: Vladislav Grishenko
---
src/openvpn/ssl_verify.c | 14 +++---
src/openvpn/ssl_verify_mbedtls.c | 5 +++--
src/openvpn/ssl_ve
Aug 5 17:18:12 2020 127.0.0.1:16001 TLS_ERROR: BIO read
tls_read_plaintext error
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Gert Doering
Sent: Wednesday, August 5, 2020 4:55 PM
To: Vladislav Grishenko
Cc: openvpn-devel@lists.sourceforge.net
Subject: [PATCH applie
Tested-By: Vladislav Grishenko
Read-checked with --ignore-space-change, build & tested with sample
server/client profile.
--
Best Regards, Vladislav Grishenko
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
h
Tested-By: Vladislav Grishenko
Read-checked with --ignore-space-change, build & tested with sample
server/client profile.
--
Best Regards, Vladislav Grishenko
d-off-by: Vladislav Grishenko
---
doc/management-notes.txt | 2 ++
src/openvpn/multi.c | 15 ++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 61daaf07..91073693 100644
--- a/doc/management-notes.txt
+++
kill cn [mode]: Kill the client instance(s) having common name cn.
--
Best Regards, Vladislav Grishenko
-Original Message-
From: Selva Nair
Sent: Friday, August 14, 2020 11:22 PM
To: openvpn-devel
Subject: Re: [Openvpn-devel] [PATCH v2] Allow management to kill client
instances by CN wi
limit can be kept for each backend_x509_get_username() call,
subsequent appending will be done via buffer methods - this way buffer size
will be untied from TLS_USERNAME_LEN.
> C89 style instead C99. The !!i feels weird. It is the same as max(i, 1)
> but less readable.
Yes, sure.
--
Best
t; only.
Openssl backend is the only one supported at the moment, since so far MbedTLS
has no alt user name support at all.
v2: conform C99, man update, fix typos
v3: reuse buffer methods, drop delimiter define, use memcpy
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst
argument, etc), almost all the required mechanics
is implemented for that.
References:
https://tools.ietf.org/html/rfc2782
https://en.wikipedia.org/wiki/SRV_record
https://sourceforge.net/p/openvpn/mailman/message/34364911/
https://forums.openvpn.net/viewtopic.php?f=10&t=1366
Hi, Arne
Many thanks for the review, please refer to comments inline
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, August 25, 2020 2:10 PM
> Am 25.08.20 um 00:15 schrieb Vladislav Grishenko:
> > DNS SRV (rfc2782) support all
eded
split windows/unix-specific parts into extra functions
rename functions into servinfo scope, add doxygen comments when appropriate
remove addrinfo hack, use servinfo containers of addrinfo list instead
better proxy support (tcp mode not supported so far)
log discovery attem
ned-off-by: Vladislav Grishenko
---
src/openvpn/options.c | 24 +---
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8bf82c57..02ac08d8 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5682,1
dump along
with specifying correct dst prefix size.
Tested on 5.4.0, 4.1.51 and 2.6.36 kernels.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
d, so we can stop
w/o additional iteration for metric comparison.
Tested on 5.4.0, 4.1.51 and 2.6.36 kernels.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 47 +-
1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/src/openvpn
Sorry, comment typo:
- /* kernel cat return 0.0.0.0/128 host route */
+ /* kernel can return ::/128 host route */
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Vladislav Grishenko
> Sent: Tuesday, September 8, 2020 7:54 AM
> To: openvpn-devel@lists.sou
For IPv6, no behavior is changed - request ::/128 route,
so just clarify the sizes via netlink route api.
Tested on 5.4.0, 4.1.51, 2.6.36 and 2.6.22 kernels.
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/advanced-options.rst | 7 +++--
src/openvpn/networking_sitnl.c
Hi David,
> -Original Message-
> From: David Sommerseth
> Sent: Tuesday, September 8, 2020 6:23 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH] Fix --remote protocol can't be set
> without
> port a
Hi, Arne
> From: Arne Schwabe
> Sent: Wednesday, September 9, 2020 4:29 PM
> Am 26.08.20 um 18:51 schrieb Vladislav Grishenko:
> > DNS SRV host discovery allows to have multiple OpenVPN servers for a
> > single domain w/o explicit profile enumeration, to move services from
; Is it good enough in this form?
>
> I don't really see the need for that but it doesn't break the normal case of
> just
> one remote-srv, so fine with me.
>
> Arne
>
--
Best Regards, Vladislav Grishenko
Ok, thank you for clarification
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: David Sommerseth
> Sent: Wednesday, September 9, 2020 10:49 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [P
Hi, Antonio
Thank you for review
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Antonio Quartulli
> Sent: Thursday, September 10, 2020 2:02 PM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v3
Hi Gert,
Great, many thanks
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday, September 10, 2020 2:23 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: [PATCH applied] Re: Fix best gate
bedTLS
has no --x509-username-field support at all.
v2: conform C99, man update, fix typos
v3: reuse buffer methods, drop delimiter define, use memcpy
v4: man update, change delimiter "_" to avoid path issues on windows
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-optio
drinfo list instead
better proxy support (tcp mode not supported so far)
log discovery attempts and results, if enabled
v3: complete logic rewrite
use separate --remote-srv [service] [proto] option
remove fallback, same is achieved with additional --remote/--remote-srv
add "
covered
add support for tcp / http proxy (natively)
man update
v4: due to RFC 2782 ambiguity, prefer to use all resolved DNS SRV records, even
ones with weight 0 after the records containing weights greater than 0
were all selected, keep related code disabled for historical reasons.
ma
mote == NULL)
Fix this behaviour by cleaning stale addrinfo objects.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a785934a..508270a7 100644
--- a/src/openvpn/init.c
+++ b/src/op
mote == NULL)
Fix this behaviour by cleaning stale addrinfo objects.
v2: better comment placement and too long length fix
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a78593
> You disable this test here, but you don't add this in any of the
> later checks. So it seems this test is just completely removed when
> using remote-srv?
Right, this check should be moved into options_postprocess_verify_ce_proto()
and seems forgotten, will add
Hi, Frank
Observed behavior is not desired, indeed. I'll look into
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Frank Lichtenheld
> Sent: Thursday, December 1, 2022 6:37 PM
> To: Gert Doering
> Cc: openvpn-devel@lists.sourceforge.net
> Subj
rv, need to use C_IN/T_SRV instead
v12:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
fix undefined NS_MAXMSG issue on macOS
f
Hi, please refer diff against v14 https://pastebin.com/XA0dWiih
--
Best Regards, Vladislav Grishenko
Hi, sure, will do.
Yes, I’ve noticed undesired code dup in v14 and have fixed everything found
in v15 rebase, same will be rechecked in v16 of course.
Thanks!
Wed, 11 Jan 2023 at 01:05, Gert Doering :
> Hi,
>
> On Thu, Dec 29, 2022 at 12:27:46PM +0500, Vladislav Grishenko wrote:
>
Thank you a lot,
That "fix for real" is about persist_remote_ip option as far as I
understand, not directly related to this fatal assert fix.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday, September 17, 2020 1:46
Hi, Gert
> > That "fix for real" is about persist_remote_ip option as far as I
> > understand, not directly related to this fatal assert fix.
>
> Well, the whole preresolve / connection entry "complex" is old and has
been
> extended and updated a few times, and your SVR patch also builds on top o
l reasons.
man update
v5: rebase against upstream with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
Signed
l reasons.
man update
v5: rebase against upstream with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
v6: pick out co
Per https://community.openvpn.net/openvpn/wiki/CodeStyle the maximum line
length is 80 characters. This patch allows splitting upcoming changes into
CodeStyle-conformant (w/o real code change) and more feature-specific.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c| 3 ++-
src
th
Since update_time() and openvpn_gettimeofday() calls are mixed in runtime,
to fix their coexistence update_time() must update "now_usec" as well,
calling just update_now() is not enough.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/otime.h | 6 +-
1 file changed, 1 insert
time adj code at all -> returned time
will always be monotonic by design.
At least on supported platforms (!_WIN32).
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, September 22, 2020 1:41 PM
> To: Vladislav Grishenko ;
() w/o checking the previous and possibly obsolete
value with no performance changes against the current implementation.
This patch implements the second way.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/otime.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/o
API or storage or output reasons.
This patch implements the first stage only.
v2: move from gettimeofday() (1st way) back to time(), don't check previous
value of "now_usec" in update_usec() instead
v3: recover "now_usec" checks against time jumps within one second, ze
reformatted as well.
v7: prefer line breaks before long string parameters
reformat proto_names array
Signed-off-by: Vladislav Grishenko
---
src/openvpn/init.c| 3 +-
src/openvpn/options.c | 80 +--
src/openvpn/socket.c | 52
Hi Antonio,
Here I have aligned the last line to add next new proto, already aligned.
Yes, you’re right “UDPv6” also needs to be aligned, and space needs to be added
for all lines, thank you.
V7 is sent
--
Best Regards, Vladislav Grishenko
> -Original
,
revents=POLLOUT}])
If connection still can't be established - this should be treated as either too
slow/far or non-responding server, so imprecise connection checks every next
one second in loop will be performed as usual.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/socket.c
it in total
Signed-off-by: Vladislav Grishenko
---
src/openvpn/socket.c | 22 +-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 76bdbfc5..049216ff 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -14
on-negative value and
management_event_loop_n_seconds() can take negative values to have infinite
wait, if necessary.
Since there were no negative or zero parameters for management_sleep() users, no
side effect behavior change is expected.
Seems, a bit simpler can't be achieved :)
--
Best Re
=POLLOUT}])
v2: cosmetics, decrease connection_timeout to avoid wait more than it
v3: teach management_sleep() to handle zero timeout and reject negative
use 1s timeout for connection and 0s timeout for management events
Signed-off-by: Vladislav Grishenko
---
src/openvpn/manage.c | 30
em - /path/to/outdir
cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir
Output example:
Loaded: 309797 revoked certs in 4.136s
Scanned: 312006 files in 0.61s
Created: 475 files in 0.05s
Removed: 2684 files in 0.116s
Signed-off-by: Vladislav Grishenko
---
contrib/extra
nges near around.
In this case I had to follow Antonio's suggestion about the breaks, previous
version w/o them hasn't passed review.
As for blame, most git ui tools allow traversing blame in depth, incl.
tig - console git shell, anyway any refactoring brings the same issue.
--
Best Regards, Vladi
against upstream with connection advancing fix
allow management skip/accept for exact remote service hosts as for --remote
improve compatibility with a way "--persist-remote-ip" is handled
ensure max line length is 80
v6: pick out code-style conformant changes into separate pat
s and comments
v7:
- prefer line breaks before long string parameters
- use win32/posix suffixes for query_servinfo
v8:
- rework compatibility with --preresolve and --persist-remote-ip
- fix dns data structures leak on wine/win32
- add priority and weight logging
Signed-off
;_" separator in man
capitalize hex serialNumber value
Signed-off-by: Vladislav Grishenko
---
doc/man-sections/tls-options.rst | 21 ++
src/openvpn/init.c | 6 ++--
src/openvpn/options.c| 49 +---
src/openvpn/options.h
Hi Arne,
> From: Arne Schwabe
> Sent: Monday, October 5, 2020 1:26 PM
> Am 05.10.20 um 02:51 schrieb Vladislav Grishenko:
> > OpenVPN has the ability to choose different X509 field in case "CN"
> > can not be use used to be unique
Hi Gert,
Thank you.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Monday, October 5, 2020 3:36 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: [PATCH applied] Re: Support X509 field list to be
Hi Gert,
Thanks for that.
Perhaps same approach can be applied to server's tcp listening, would
require testing of more management cases.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Sunday, October 4, 2020 5:19 PM
> To: Vl
Hi Gert,
> "--tcp-server"
Yep, I mean it, even poll isn't used there. Have no any prio about it tho,
just related thoughts.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Monday, October 5, 2020 10:28 PM
> To: Vl
r no valid records were returned,
client will move on to the next connection entry.
v9:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
Hi Arne,
Thank you for the review and please refer v9 where all the mentioned parts are
handled.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Arne Schwabe
> Sent: Tuesday, October 20, 2020 11:58 AM
> To: Vladislav Grishenko ; openvpn-
> de...@lists.
---
src/openvpn/socket.c | 14 +-
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index bd085e8f..31e8fe9a 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -625,10 +625,8 @@ query_servinfo(const char *domain, int
no valid records were returned,
client will move on to the next connection entry.
v10:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windows
of EAI_NODATA.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Friday, December 4, 2020 7:02 PM
> To: Vladislav Grishenko
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH v9] Add DNS SRV remote host discov
Hello and happy holidays,
Is there a chance to get back to this patch since v9 was acked and minor fix
for undefined EAI_NODATA on FreeBSD was applied?
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Vladislav Grishenko
> Sent: Friday, December 4, 2020 9:1
no valid records were returned,
client will move on to the next connection entry.
v11:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windo
feedback regarding the SRV feature.
Would be great, if you could kindly suggest when re-review/merge can be
scheduled if no issue found.
--
Best Regards, Vladislav Grishenko
ample:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 37 ++
1 file changed, 37 insertions(+)
diff --git
_MAIN while selecting default route too.
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 18 +-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index 2bc70a50..56543648 100644
---
ample:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
Reported-By: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 35 ++
1 file changed, 35 inser
_MAIN while selecting default route too.
Reported-By: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 24 ++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
_MAIN while selecting default route too.
v2: keep gateway address unchanged on lookup error
v3: reduce amount of gateway address copying
Reported-by: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
src/openvpn/networking_sitnl.c | 26 --
1 file changed, 24 insertions(
ample:
ip route add default \
nexthop via 192.168.1.1 dev eth1 weight 1 \
nexthop via 192.168.2.1 dev eth2 weight 1
v2: keep gateway address unchanged on lookup error
v3: reduce amount of gateway address copying
Reported-by: Donald Sharp
Signed-off-by: Vladislav Grishenko
---
ipv4/default search, but the
> function remains "buggy" for the other cases.
Buggy here is searching default gateway for 0.0.0.0/0 itself. Other cases are
right from scratch :)
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Antonio Quartulli
>
no valid records were returned,
client will move on to the next connection entry.
v12:
add get_cached_srv_entry() for servinfo vs addrinfo cache split
add check for mixed --remote and --remote-srv
add doxygen dns srv functions comments
use query_servinfo() for both unix and windo
Thanks!
Need to say, the implemented "run an openssl binary" internal method is a bit
faster than python-native crl parsing, according to our tests and usage
experience.
--
Best Regards, Vladislav Grishenko
> -Original Message-
> From: Gert Doering
> Sent: Thursday, May 6