Samuli Seppänen | 24 Apr 21:46 2014
Picon

Summary of the IRC meeting (24th Apr 2014)

Hi,

Here's the summary of the previous IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Thursday 24th Apr 2014
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2014-04-24>

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

cron2, jamesyonan, mattock, pekster, plaisthos, syzzer and timothe
participated in this meeting.

--
(Continue reading)

Samuli Seppänen | 24 Apr 11:42 2014
Picon

Topics for today's community meeting

Hi,

We're having an IRC meeting on Thursday, starting at 18:00 UTC on
#openvpn-devel <at> irc.freenode.net. Current topic list is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2014-04-24>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

--

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
(Continue reading)

Steffan Karger | 24 Apr 00:43 2014

[PATCH v2] ECDH support (both OpenSSL and PolarSSL now)

Hi,

As discussed earlier today, updated patches for ECDH support. See
http://article.gmane.org/gmane.network.openvpn.devel/8308 for the previous
version.

These patches comprise two changes:
1) Because the PolarSSL 1.3 patches have been merged, I updated the code and
   docs to reflect that PolarSSL builds have EC-crypto support too. PolarSSL
   does not support forcing an ECDH curve like OpenSSL does, it can merely
   restrict the available curves.

2) Add #ifdefs around the OpenSSL EC-crypto code, because some distros
   (notably, RHEL) ship with OpenSSL libraries without EC-crypto.

-Steffan

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
Timothe Litt | 23 Apr 04:58 2014
Picon

Progress on Version negotiation

It does not appear to be the negotiation, rather it's TLS1.2.

I debugged the client hello in OpenSSL - a bit tricky due to the 
timeouts, but I established that the server is picking TLS1.2.

I then switched the tls_ctx_{client,server}_new to use 
TLSv1_2_{client,server}_method in the call to SSL_CTX_new.

The connection failed.  So, we didn't negotiate, TLSv1.2 fails.

Next, I switched to TLSv1.1 (TLSv1_1_{client,server}method).  The tunnel 
comes up.

So, it appears that the issue has to do with TLSv1.2.  (Also, it is 100% 
reproducible here.)

Remember that the client log shows
Wed Apr 09 21:10:52 2014 us=748478 TLS_ERROR: BIO read 
tls_read_plaintext error: error:04066083:rsa 
routines:RSA_EAY_PRIVATE_ENCRYPT:invalid message length: 
error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib
Wed Apr 09 21:10:52 2014 us=748478 TLS Error: TLS object -> incoming 
plaintext read error
Wed Apr 09 21:10:52 2014 us=748478 TLS Error: TLS handshake failed

I don't have development tools on my windows client, but perhaps someone 
can build me an instrumented version.  Here's what I think is happening:

The error is coming from ssl_openssl.c:key_state_read_plaintext, where 
bio_read is failing.
(Continue reading)

Timothe Litt | 22 Apr 14:17 2014
Picon

Re: tls-version-min in Openvpn-devel Digest, Vol 95, Issue 27

Message: 4 Date: Mon, 21 Apr 2014 13:49:46 +0200 From: Gert Doering <gert <at> greenie.muc.de> Subject: Re: [Openvpn-devel] [PATCH 4/4] When tls-version-min is unspecified, revert to original versioning approach. To: Arne Schwabe <arne <at> rfc2549.org> Cc: openvpn-devel <at> lists.sourceforge.net Message-ID: <20140421114946.GV16637 <at> greenie.muc.de> Content-Type: text/plain; charset="us-ascii" Hi, On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
> Yes. But with this patch it is always turned off, keeping OpenVPN in 99% > of installations in TLS 1.0. Is there any other known case where it > breaks aside from the Tomato OpenVPN client?
http://community.openvpn.net/openvpn/ticket/385 this is the only case I know - and I blaim the openssl library on the server side (ARM). So for me, "default-on with a way to turn it off" would be sufficient. But I assume James has much more visibility... gert
-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert <at> greenie.muc.de fax: +49-89-35655025 gert <at> net.informatik.tu-muenchen.de
FYI, I reported this in Trac #385. 

On OpenVPN users today, there was a report of (superficially) the same symptom on linux x86_64; I pointed the reporter to the thread and asked for some more details.  If truly the same problem, it would rule out the 'ARM -only' theory.

I have built the ARM OpenSSL library for my distribution (Debian - as patched by them) from source, and when I get a chance will see if I can get any closer to root cause with GDB.  I'm not an OpenSSL internals expert, but it's just code.  We'll see.

Note that my work-around (in #385) is a lot less intrusive than the disabling patches that have been posted here recently; at least in my case all that's required is to change the SSL_CTX_new init method to TLSv1.

Also, the server is trying to send a plaintext error message, but the length is apparently wrong as seen by the client.  It would be helpful if we could get the server to log the actual error..

Here is my current work-around (same as posted on trac)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0b63e26..0785ce4 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c <at> <at> -98,10 +98,10 <at> <at> tls_ctx_server_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - ctx->ctx = SSL_CTX_new (SSLv23_server_method ()); + ctx->ctx = SSL_CTX_new (TLSv1_server_method ()); if (ctx->ctx == NULL) - msg (M_SSLERR, "SSL_CTX_new SSLv23_server_method"); + msg (M_SSLERR, "SSL_CTX_new TLSv1_server_method"); } void <at> <at> -109,10 +109,10 <at> <at> tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - ctx->ctx = SSL_CTX_new (SSLv23_client_method ()); + ctx->ctx = SSL_CTX_new (TLSv1_client_method ()); if (ctx->ctx == NULL) - msg (M_SSLERR, "SSL_CTX_new SSLv23_client_method"); + msg (M_SSLERR, "SSL_CTX_new TLSv1_client_method"); } void

Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. This communication may not represent my employer's views, if any, on the matters discussed.
Attachment (smime.p7s): application/pkcs7-signature, 6975 bytes
------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Steffan Karger | 21 Apr 13:37 2014

[PATCH] Fix build system to accept non-system crypto library locations for plugins.

Flags like {OPEN,POLAR}SSL_CFLAGS were used by the core build, but not by
the plugins. However, all plugins include openvpn-plugin.h, which need
crypto/ssl headers.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/plugins/auth-pam/Makefile.am  | 5 +++--
 src/plugins/down-root/Makefile.am | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/plugins/auth-pam/Makefile.am b/src/plugins/auth-pam/Makefile.am
index 701a749..2aef311 100644
--- a/src/plugins/auth-pam/Makefile.am
+++ b/src/plugins/auth-pam/Makefile.am
 <at>  <at>  -8,8 +8,9  <at>  <at>  MAINTAINERCLEANFILES = \
 	$(srcdir)/Makefile.in

 AM_CFLAGS = \
-	-I$(top_srcdir)/include
-	$(PLUGIN_AUTH_PAM_CFLAGS)
+	-I$(top_srcdir)/include \
+	$(PLUGIN_AUTH_PAM_CFLAGS) \
+	$(OPTIONAL_CRYPTO_CFLAGS)

 if ENABLE_PLUGIN_AUTH_PAM
 plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la
diff --git a/src/plugins/down-root/Makefile.am b/src/plugins/down-root/Makefile.am
index 064aa30..7ca5a4e 100644
--- a/src/plugins/down-root/Makefile.am
+++ b/src/plugins/down-root/Makefile.am
 <at>  <at>  -8,7 +8,8  <at>  <at>  MAINTAINERCLEANFILES = \
 	$(srcdir)/Makefile.in

 AM_CFLAGS = \
-	-I$(top_srcdir)/include
+	-I$(top_srcdir)/include \
+	$(OPTIONAL_CRYPTO_CFLAGS)

 if ENABLE_PLUGIN_DOWN_ROOT
 plugin_LTLIBRARIES = openvpn-plugin-down-root.la
--

-- 
1.8.3.2

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
James Yonan | 21 Apr 09:10 2014
Picon

[PATCH 1/4] Added "remote-override" config directive.

remote-override <alt-remote> -- replace the hostname in all remote
directives with alt-remote.

Merged from OpenVPN 2.1

Signed-off-by: James Yonan <james <at> openvpn.net>
---
 src/openvpn/options.c | 7 ++++++-
 src/openvpn/options.h | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4af2974..1739460 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -4512,6 +4512,11  <at>  <at>  add_option (struct options *options,
 	goto err;
     }
 #endif
+  else if (streq (p[0], "remote-override") && p[1])
+    {
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->remote_override = p[1];
+    }
   else if (streq (p[0], "remote") && p[1])
     {
       struct remote_entry re;
 <at>  <at>  -4520,7 +4525,7  <at>  <at>  add_option (struct options *options,
       re.af=0;

       VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-      re.remote = p[1];
+      re.remote = options->remote_override ? options->remote_override : p[1];
       if (p[2])
 	{
 	  re.remote_port = p[2];
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index ec1d091..1775c02 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
 <at>  <at>  -222,6 +222,8  <at>  <at>  struct options

   struct remote_host_store *rh_store;

+  const char *remote_override;
+
   bool remote_random;
   const char *ipchange;
   const char *dev;
--

-- 
1.8.5.5

------------------------------------------------------------------------------
Start Your Social Network Today - Download eXo Platform
Build your Enterprise Intranet with eXo Platform Software
Java Based Open Source Intranet - Social, Extensible, Cloud Ready
Get Started Now And Turn Your Intranet Into A Collaboration Platform
http://p.sf.net/sfu/ExoPlatform
Gert Doering | 20 Apr 20:41 2014
Picon

[PATCH] Minor t_client.sh cleanups

- remove built tests/t_client.sh script on "make clean"
- ignore Linux iproute2 "ssthresh <n>" output that sometimes shows up
  in "ip -6 route show" and breaks before/after comparison

Signed-off-by: Gert Doering <gert <at> greenie.muc.de>
---
 Makefile.am          | 2 +-
 tests/t_client.sh.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1a30aa5..66d9f23 100644
--- a/Makefile.am
+++ b/Makefile.am
 <at>  <at>  -41,7 +41,7  <at>  <at>  MAINTAINERCLEANFILES = \
 	$(srcdir)/config.guess $(srcdir)/config.sub

 CLEANFILES = \
-	config-version.h
+	config-version.h tests/t_client.sh

 EXTRA_DIST = \
 	contrib \
diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in
index 6c9de6c..52c5ed1 100755
--- a/tests/t_client.sh.in
+++ b/tests/t_client.sh.in
 <at>  <at>  -103,7 +103,7  <at>  <at>  get_ifconfig_route()
 	echo "-- linux iproute2 --"
 	 <at> IPROUTE <at>  addr show     | grep -v valid_lft
 	 <at> IPROUTE <at>  route show
-	 <at> IPROUTE <at>  -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/
(mtu|hoplimit|cwnd) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
+	 <at> IPROUTE <at>  -o -6 route show | grep -v ' cache' | sed -E -e 's/ expires [0-9]*sec//' -e 's/
(mtu|hoplimit|cwnd|ssthresh) [0-9]+//g' -e 's/ (rtt|rttvar) [0-9]+ms//g'
 	return
     fi

--

-- 
1.8.3.2

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
Daniel Kubec | 20 Apr 09:57 2014
Picon

[PATCH] Keying Material Exporters [RFC 5705]

TLS Keying Material Exporters [RFC 5705 ] allow
additional keying material to be derived from existing TLS channel. This
exported keying material can then be used for a variety of purposes.

TLS allows client and server to establish keying material for use in the
upper layers between the TLS end-points. Channel Bindings is straitforward
and well-defined mechanism how to authenticate other layers.

Following two attributes were added primary for the possible plugins
extensions.

Attribute

tls_ekm: Exported Keying Material

Configuration

EKM is generated when *.ovpn contains following for each TLS negotiation.

example.ovpn:
{
# TLS Keying Material Exporter [RFC 5705]
#
# Note that exporter labels have the potential to collide with existing PRF
# labels.  In order to prevent this, labels SHOULD begin with "EXPORTER".
keying-material-exporter-label "EXPORTER_OPENVPN"

# Export len bytes of keying material (min. 20)
keying-material-exporter-length 20
}

Use Cases:

1) Authentication of upper layers (like Kerberos etc)

2) Authentication of VPN's TLS channel using QRCODE and device such as
   smartphones.

   (Instead of user/pass dialog TLS VPN client could show for example QRCODE
    based on keying material derivate)

3) Authentication of Binding Key in confidental side-channel can be also used
   and avoid/detect MITM (MITM provides his public key and that's reason why
   authentication of binding key will fail)
Attachment (openvpn-ekm.patch): application/octet-stream, 7801 bytes
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
James Yonan | 17 Apr 23:57 2014
Picon

x509-track for PolarSSL

Just wondering if anyone has looked at implementing x509-track for PolarSSL?

James

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
Lev Stipakov | 17 Apr 14:07 2014
Picon

ipv6 env vars to client scripts

Hello,

Are there any plans to support ipv6 env vars in
client-connect/disconnect scripts?

There are at least 2 tickes on that feature:

https://community.openvpn.net/openvpn/ticket/230
https://community.openvpn.net/openvpn/ticket/369

Is there anything that prevents merging any of suggested patches to
the master branch?

--

-- 
-Lev

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

Gmane