Steffan Karger | 23 Oct 00:16 2014

[PATCH] Modernize sample keys and sample configs

I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).

Changes:
 * Add script to generate fresh test/sample keys
   (but keep sample keys in git for simple testing)
 * Switch from 1024 to 4096 bits RSA CA
 * Switch from 1024 to 2048 bits client/server RSA keys
 * Switch from 1024 to 2048 bits Diffie-Hellman parameters
 * Generate EC client and server cert, but sign with RSA CA
   (lets us test EC <-> RSA interoperability)
 * Remove 3DES cipher from 'sample' config
 * Add 'remote-cert-tls server' to client config
 * Update config files to deprecate nsCertType in favour of the
   keyUsage and extendedKeyUsage extensions.
 * Make naming more consistent

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 sample/sample-config-files/client.conf     |  17 ++--
 sample/sample-config-files/loopback-client |   2 +-
 sample/sample-config-files/loopback-server |   3 +-
 sample/sample-config-files/server.conf     |   6 +-
 sample/sample-config-files/tls-office.conf |   2 +-
 sample/sample-keys/.gitignore              |   1 +
 sample/sample-keys/README                  |  17 ++--
 sample/sample-keys/ca.crt                  |  48 ++++++----
 sample/sample-keys/ca.key                  |  67 ++++++++++----
 sample/sample-keys/client-ec.crt           |  85 ++++++++++++++++++

samuli | 22 Oct 09:07 2014

[PATCH 0/2] tap-windows6 interoperability patches

These patches fix serious interoperability issues with tap-windows6. Backported
versions of these patches were tested with OpenVPN 2.3.4 because openvpn-build
is currently unable to build from Git "master".

[PATCH 1/2] Modification to address bug where OpenVPN enters state
[PATCH 2/2] Revised fix for code=995 sped bug.

Selva Nair | 21 Oct 18:08 2014

Fwd: New OpenVPN Windows installers (I004 and I604) released

Hi,

On Tue, Oct 21, 2014 at 10:26 AM, Gert Doering <gert <at> greenie.muc.de> wrote:

> On Tue, Oct 21, 2014 at 09:55:09AM -0400, Selva Nair wrote:
>> Currently OpenVPN-MI-GUI does work without elevated privileges using
>> openvpn service and the management interface. I have a small user-base who
>> have been happily using it this way for more than a year now. In my view if
>> OpenVPN distribution could bundle the MI-GUI, it would be of great help.

>Well, that works, but runs OpenVPN as privileged user - so a bug in
>OpenVPN (or a config that runs scripts) could be used to attack the
>system...

Sure, the "long term" plan of having OpenVPN run as a normal user is great, but the
current situation of every Windows user needing admin privilege to run the UI is
hard to meet in many installations.

The MI-GUI solves that problem right now as opposed to sometime in future. 

(Plus, traditionally using the service will not work with username+password
input, but if MI does that via management interface, it can be done)

That's exactly what MI-GUI does -- both certificate password and username/password
are passed through the management interface. Locally, I have patched it to pass the
certificate key as well although we don't normally use that option.

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Samuli Seppänen | 20 Oct 15:07 2014

New OpenVPN Windows installers (I004 and I604) released


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

New Windows installers with OpenSSL 1.0.1j have been released:

<http://openvpn.net/index.php/download/community-downloads.html>

Two of the issues fixed in OpenSSL may impact OpenVPN. More details here:

<http://thread.gmane.org/gmane.network.openvpn.devel/9133>

Let me know if there are any issues with these installers.

Best regards,

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRFCSEACgkQwp2X7RmNIqPYCgCg4H2uIUnpO2pQzwwdS0H3VyLl
lSQAn1w8BWUgofRJr4SsXL47zPEhe1He
=5sXk
-----END PGP SIGNATURE-----

Samuli Seppänen | 20 Oct 11:06 2014

Topics for next Thursday's (23rd Oct 2014) community meeting


Hi,

We're having an IRC meeting on Thursday, starting at 18:00 UTC on
#openvpn-devel <at> irc.freenode.net. Current topic list is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2014-10-23>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
Samuli Seppänen | 20 Oct 10:57 2014

Regarding OpenVPN 2.3.5 release and tap-windows6-related fixes


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

People have encountered a few rather serious issues with OpenVPN 2.3.x
for Windows. These issues only materialize when one is using OpenVPN
2.3.x with tap-windows6:

<https://community.openvpn.net/openvpn/ticket/430>
<https://community.openvpn.net/openvpn/ticket/432>

The underlying issue is that OpenVPN 2.3.x does not handle return code
995 from tap-windows6 at all. According to the driver author most s.c.
tap-windows6 issues stem from this single omission in OpenVPN 2.3.x itself.

There are now tentative fixes for the 995 issue here:

<https://github.com/TDivine/openvpn/commit/c391f10e79d88d01405eedbc6822bc92cf8a210d>
<https://github.com/TDivine/openvpn/commit/44b56c14c66201074805a4c5b97da2cfb1e1f248>

However, those fixes are for the Git "master" branch, which cannot
currently be built using "openvpn-build" (i.e. for Windows). A few weeks
ago I backported the above patches to OpenVPN 2.3.4 and released test
installers[1] which apparently fixed the primary issue[2]. Do we / can
we merge the patches to "master" without testing based on the fact that
they worked for OpenVPN 2.3.4?

We'd also need to backport these fixes to 2.3 and make a new release.
Looks like there's quite a lot of stuff in the pipe for 2.3.5, so it
probably makes sense to release all of it along with these
tap-windows6-related fixes in one go. Anything blocking 2.3.5 release atm?

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1]
<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I603-i686.exe>
<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I603-x86_64.exe>
[2] <https://community.openvpn.net/openvpn/ticket/430#comment:11>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlREzmUACgkQwp2X7RmNIqNguACeLDF/720Obl6IrNNs0OWYU88N
6GoAn3PQSgxKX+M2UxY6WJKujLXtOTOI
=Xb+t
-----END PGP SIGNATURE-----

Lisa Minogue | 17 Oct 13:16 2014

New OpenVPN bundles for Windows platform that incorporate OpenSSL 1.0.1j

Hi Samuli

I just wish to thank you in advance for preparing and compiling new OpenVPN bundles for Microsoft Windows OS
that incorporate OpenSSL 1.0.1j.

Best regards.

Lisa
David Sommerseth | 16 Oct 18:06 2014

Some systemd patches backported from master to release/2.3


This is just a short update on a few cherry-picks I've done to improve
the systemd implementation in OpenVPN 2.3.x.  All the commits have been
cherry picked from the master branch into the stable release/2.3 branch.

* Commit 027dd7f6368d7a7fc8a4ca5e0fadd8de2c7c88da
  systemd: Use systemd functions to consider systemd availability

  Merged backport of master commit 55480682b9bfa5894402954f4c740
  + master commit f33ee6bcb12fdc3869b17b7c528a2

* Commit a83103043c11d66099565bcf4b63f54db0629913
  Add systemd unit file for OpenVPN

  Master commit 8a4566ce4f01a434ac9ea841eae74330368398a0

* Commit f54cdc9f5316906c664a782abf8fdac028a80860
  Don't let openvpn_popen() keep zombies around

  Master commit d886d468849051af525bb8ff1b9080f6c934e3ab

* Commit ef21281b290c2984523c36be06f62b24ca253001
  Add configure check for the path to systemd-ask-password

  Master commit ba79c71d1255651bfcb8570519b4033c763d47d3

-- 
kind regards,

David Sommerseth

Alexander Pyhalov | 13 Oct 11:47 2014

Default gateway can't be determined on illumos/solaris

Hello.
In OpenVPN 2.3.4 on illumos/Solaris clients, the gateway for the client can't be
determined, because the default stub is used instead of the
get_default_gateway() function. This means that the following push route
option in the server config is not working:
push "route remote_host 255.255.255.255 net_gateway"

The OpenVPN client says that it doesn't know net_gateway.
The following patch mostly uses existing FreeBSD code to add 
get_default_gateway() implementation:

https://github.com/pyhalov/oi-userland/blob/openvpn/components/openvpn/patches/get_default_gateway.patch 
.

The difference is that on Solaris there's no sa_len field.
I'm not absolutely sure that patch is correct, but as I see in route.c 
only sockaddr_in structures are supposed to be passed to NEXTADDR and 
ADVANCE macros. This patch works for me.

-- 
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

David Sommerseth | 13 Oct 11:37 2014

Re: [PATCH applied] Ensure that client-connect files are always deleted

From: David Sommerseth <davids <at> redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Your patch has been applied to the master branch.

commit 5c2a3b5d29d10db3dbd8143ac2b671ce2eed1707
Author: Samuel Thibault
Date:   Thu Oct 9 23:40:49 2014 +0200

     Ensure that client-connect files are always deleted

     Signed-off-by: David Sommerseth <davids <at> redhat.com>
     Acked-by: David Sommerseth <davids <at> redhat.com>
     Message-Id: 20141012195919.GU3738 <at> type
     URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118

- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQ7nU4ACgkQDC186MBRfrrtSwCfZPcUtiimf14tCeWirUPm7CPv
8/AAniDygdcUoGAXcPYvgiQE5WfMiOxG
=zi1V
-----END PGP SIGNATURE-----

Aysun Ahmet | 12 Oct 05:19 2014

user password

send e-mail and password
