David Woodhouse | 29 Oct 17:56 2014

TAP-Windows MTU issues

It looks like on Windows, OpenVPN ignores the MTU it's supposed to be
using and just queries the TAP driver for its MTU.

I suspect this was done in the past because there was no way to *set*
the MTU that Windows was expected to use.

That is no longer the case; recent versions of Windows let you do it by:
netsh interface ipv[46] set subinterface $DEVICE mtu=$MTU store=active

I do this in OpenConnect on Windows, and I suspect OpenVPN should too.

I'm left with the question of what to do on older versions of Windows
where we can't configure the MTU. One option which occurs to me is that
we could actually send Windows back an ICMP 'too big' message when it
receives a packet which is larger than the VPN MTU. This is horrid, but
hey, it's Windows. We *already* do horrider things in TAP-Windows to
fake ARP and ND.

What do you think?

-- 
dwmw2
Attachment (smime.p7s): application/x-pkcs7-signature, 7762 bytes
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
(Continue reading)
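The ICMP "too big" fallback the post floats for Windows versions whose MTU cannot be set, as an added example that is not OpenVPN or OpenConnect code: it builds the ICMPv4 type 3 code 4 (fragmentation needed) reply with the RFC 1191 next-hop MTU field for an IPv4 packet that exceeds the VPN MTU and carries DF. The function names, the 10.8.0.1 gateway address and the sample datagram are assumptions.

```c
/* Added example, not OpenVPN/OpenConnect code: the ICMPv4 "fragmentation needed" reply
 * the post proposes sending back when a packet exceeds the VPN MTU. Names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t inet_csum(const uint8_t *p, size_t n)   /* RFC 1071 checksum */
{
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2) sum += (uint16_t)((p[0] << 8) | p[1]);
    if (n) sum += (uint16_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Writes IPv4 header + ICMP to out, returning its length; 0 means no reply is due:
 * not IPv4, fits the MTU, or DF clear (RFC 1191: only unfragmentable packets get one). */
size_t build_icmp4_frag_needed(const uint8_t *pkt, size_t len, uint16_t vpn_mtu,
                               const uint8_t gw_ip[4], uint8_t *out, size_t outcap)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || len <= vpn_mtu) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len || !(pkt[6] & 0x40)) return 0;      /* 0x40 = DF flag */
    size_t quoted = ihl + 8 > len ? len : ihl + 8;        /* RFC 792: header + 8 bytes */
    size_t icmp_len = 8 + quoted, total = 20 + icmp_len;
    if (outcap < total) return 0;
    uint8_t *ip = out, *icmp = out + 20;
    memset(out, 0, total);
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = 1;                                 /* TTL 64, protocol ICMP */
    memcpy(ip + 12, gw_ip, 4);                             /* source: VPN gateway */
    memcpy(ip + 16, pkt + 12, 4);                          /* dest: original sender */
    uint16_t c = inet_csum(ip, 20); ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    icmp[0] = 3; icmp[1] = 4;                              /* type 3 code 4: frag needed */
    icmp[6] = (uint8_t)(vpn_mtu >> 8); icmp[7] = (uint8_t)vpn_mtu;  /* next-hop MTU */
    memcpy(icmp + 8, pkt, quoted);                         /* quote the offending packet */
    c = inet_csum(icmp, icmp_len); icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return total;
}

/* Constructed sample: a pkt_len-byte IPv4/UDP datagram from 10.8.0.2 (DF set or
 * clear), with 10.8.0.1 assumed as the VPN gateway address. */
size_t sample_reply(size_t pkt_len, int df, uint16_t mtu, uint8_t *out, size_t outcap)
{
    static const uint8_t gw[4] = {10, 8, 0, 1}, src[4] = {10, 8, 0, 2};
    uint8_t pkt[2000] = {0};
    if (pkt_len < 20 || pkt_len > sizeof pkt) return 0;
    pkt[0] = 0x45; pkt[2] = (uint8_t)(pkt_len >> 8); pkt[3] = (uint8_t)pkt_len;
    pkt[6] = df ? 0x40 : 0; pkt[8] = 64; pkt[9] = 17;       /* DF flag, TTL, UDP */
    memcpy(pkt + 12, src, 4);
    return build_icmp4_frag_needed(pkt, pkt_len, mtu, gw, out, outcap);
}
```

A 1500-byte DF datagram against a 1400-byte VPN MTU yields a 56-byte reply (20-byte IP header, 8-byte ICMP header, 28 quoted bytes); a packet that fits, or one without DF, yields none.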

Lev Stipakov | 29 Oct 17:28 2014

[PATCH] Peer-id patch v2

Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.
---
 src/openvpn/crypto.c     |  66 ++++++++++++++++++++--------
 src/openvpn/crypto.h     |   3 ++
 src/openvpn/init.c       |  10 ++++-
 src/openvpn/mudp.c       | 111 +++++++++++++++++++++++++++++++++++++++++------
 src/openvpn/multi.c      |   6 +++
 src/openvpn/multi.h      |   2 +
 src/openvpn/options.c    |   9 +++-
 src/openvpn/options.h    |   8 +++-
 src/openvpn/push.c       |  16 ++++++-
 src/openvpn/ssl.c        |  66 +++++++++++++++++++++++++---
 src/openvpn/ssl.h        |   9 +++-
 src/openvpn/ssl_common.h |   4 ++
 12 files changed, 269 insertions(+), 41 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1..0f1a36f 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
 <at>  <at>  -223,6 +223,30  <at>  <at>  err:
   return;
 }

+int verify_hmac(struct buffer *buf, struct key_ctx *ctx, int offset)
+{
(Continue reading)

Samuli Seppänen | 28 Oct 19:43 2014

OpenVPN 2.3.5 released


The OpenVPN community project team is proud to release OpenVPN 2.3.5.
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release fixes a serious interoperability issue with OpenVPN and
the tap-windows6 driver. In addition a fair number of other bug fixes
and small enhancements are included.

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

The changelog is also attached to this email.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and Wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
(Continue reading)

Lev Stipakov | 28 Oct 16:17 2014

[PATCH] Peer-id patch

Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.
---
 src/openvpn/crypto.c     |  66 ++++++++++++++++++++--------
 src/openvpn/crypto.h     |   3 ++
 src/openvpn/init.c       |  10 ++++-
 src/openvpn/mudp.c       | 111 +++++++++++++++++++++++++++++++++++++++++------
 src/openvpn/multi.c      |   6 +++
 src/openvpn/multi.h      |   2 +
 src/openvpn/options.c    |   9 +++-
 src/openvpn/options.h    |   8 +++-
 src/openvpn/push.c       |  16 ++++++-
 src/openvpn/ssl.c        |  58 ++++++++++++++++++++++---
 src/openvpn/ssl.h        |   9 +++-
 src/openvpn/ssl_common.h |   4 ++
 12 files changed, 260 insertions(+), 42 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ef2bde1..0f1a36f 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
 <at>  <at>  -223,6 +223,30  <at>  <at>  err:
   return;
 }

+int verify_hmac(struct buffer *buf, struct key_ctx *ctx, int offset)
+{
(Continue reading)

Steffan Karger | 27 Oct 22:59 2014

[PATCH] Add --tls-version-max option

Hi,

Since I had to miss the most recent IRC meeting, I'll just put this on
the mailing list.

OpenVPN has used TLSv1.0 exclusively for a long time. A few months ago,
TLS version negotiation was added for OpenSSL builds (PolarSSL builds
already had version negotiation), but that triggered quite some problems
for our users. For example, our cryptoapi implementation doesn't support
TLSv1.2 and some external PKCS#11 libraries and tokens refuse to create
TLSv1.2 signatures (which we can't fix ourselves).

To ease the transition, while we and external vendors fix the various
problems, I propose to add an option '--tls-version-max', similar to the
current '--tls-version-min'. That will enable users to e.g. use TLSv1.1
on the clients that won't work with 1.2. At least for one of the
problematic setups I encountered, this was a nice way out.

Attached are two patches that do just that for the 2.3 and master branches.

Of course this should not stop us from fixing problems with TLSv1.2 (at
least the problems we actually can fix...).

Regards,
-Steffan
------------------------------------------------------------------------------
(Continue reading)

Steffan Karger | 25 Oct 22:35 2014

[PATCH] Improve crypto/ssl logging

Hi,

This patch set improves the logging from the crypto/ssl components. It adds some debug/logging wrappers
to make it easy for developers to add proper logging, and makes the logging more verbose by reporting the
underlying crypto library errors too.

When errors occur during the TLS handshake, users are quite often puzzled. We won't be able to fully prevent
that, but let's at least be as verbose as possible about the underlying problems.

I prepared this set for the master branch, but on request I can backport it to 2.3 too, just let me know.

-Steffan

------------------------------------------------------------------------------
Steffan Karger | 25 Oct 11:54 2014

[PATCH] Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/ssl_verify_openssl.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 56e1c11..33cd757 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
 <at>  <at>  -101,9 +101,7  <at>  <at>  static
 bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
 {
   bool retval = false;
-  X509_EXTENSION *pExt;
   char *buf = 0;
-  int length = 0;
   GENERAL_NAMES *extensions;
   int nid = OBJ_txt2nid(fieldname);
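Review bot: the removal of `pExt` and `length` cannot be checked against their former use sites from this hunk, since the visible context stops at `int nid = OBJ_txt2nid(fieldname);`; quoting the compiler's unused-variable warning in the commit message would let a reviewer confirm that no remaining reference to `length` further down in extract_x509_extension() was silently dropped.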

-- 
1.9.1

------------------------------------------------------------------------------
Steffan Karger | 25 Oct 11:47 2014

[PATCH] ssl_polarssl.c: fix includes and make casts explicit

The master branch already has a commit doing almost the same
(9048d50), but since the API for polarssl 1.2 is different, this
could not be cherry-picked back to the 2.3 branch.

This commit:
 * adds a number of missing #includes.
 * makes a number of implicit casts explicit, to silence gcc
   -Wall and clang warnings that hide real problems.
 * changes the type of sha256_hash[] to match what polarssl expects.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/ssl_polarssl.c | 46 ++++++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index aba405b..5718c8c 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
 <at>  <at>  -40,6 +40,7  <at>  <at> 

 #include "errlevel.h"
 #include "ssl_backend.h"
+#include "base64.h"
 #include "buffer.h"
 #include "misc.h"
 #include "manage.h"
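Review bot: this hunk adds only `#include "base64.h"`, while the commit message promises "a number of missing #includes" plus explicit casts and a changed sha256_hash[] type; listing in the message which function each added include satisfies would let a reviewer match every include to a use site rather than inferring it from the header name.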
 <at>  <at>  -49,7 +50,9  <at>  <at> 
 #include <polarssl/havege.h>

(Continue reading)

Gert Doering | 24 Oct 21:00 2014

[PATCH applied] Re: Fix regression with password protected private keys (polarssl)

ACK, verifying against the polarssl commit.

Your patch has been applied to the release/2.3 branch.

commit f056c8eadc4d5fcda5d1e861425802f503587f16
Author: Steffan Karger
Date:   Fri Sep 19 06:43:48 2014 +0200

     Fix regression with password protected private keys (polarssl)

     Signed-off-by: Steffan Karger <steffan.karger <at> fox-it.com>
     Acked-by: Gert Doering <gert <at> greenie.muc.de>
     Message-Id: <5432E951.6020405 <at> fox-it.com>
     Signed-off-by: Gert Doering <gert <at> greenie.muc.de>

--
kind regards,

Gert Doering

------------------------------------------------------------------------------
Gert Doering | 24 Oct 21:00 2014

[PATCH applied] Re: Fix regression with password protected private keys (polarssl)

ACK, verifying against the polarssl commit.

Your patch has been applied to the master branch.

commit 4b9eaa1ee40648f101deb4ebf07a04cd5b5400e9
Author: Steffan Karger
Date:   Fri Sep 19 06:19:13 2014 +0200

     Fix regression with password protected private keys (polarssl)

     Signed-off-by: Steffan Karger <steffan.karger <at> fox-it.com>
     Acked-by: Gert Doering <gert <at> greenie.muc.de>
     Message-Id: <5432E951.6020405 <at> fox-it.com>
     Signed-off-by: Gert Doering <gert <at> greenie.muc.de>

--
kind regards,

Gert Doering

------------------------------------------------------------------------------
Steffan Karger | 24 Oct 09:41 2014

FW: [PATCH] Fix regression with password protected private keys (polarssl)

Attempt 2, see below. It seems that somehow my previous mail has disappeared from the interwebs, I can't
find it in the archives.

-----Original Message-----
From: Steffan Karger [mailto:steffan.karger <at> fox-it.com] 
Sent: Monday 6 October 2014 21:11
To: openvpn-devel <at> lists.sourceforge.net
Subject: [PATCH] Fix regression with password protected private keys (polarssl)

Hi,

Between versions 1.2.7 and 1.2.8, polarssl changed the errors returned by the X509 parsing functions,
which broke the OpenVPN implementation for password protected private keys in polarssl builds. Later,
for polarssl 1.3, the return codes changed again.

The attached patches fix the regression by checking for the new errors in OpenVPN. Since the 2.3 and master
code is slightly different here, I made a patch for each branch.

The polarssl change for 1.2.8:
https://github.com/polarssl/polarssl/commit/b495d3a


And later for polarssl 1.3 (search for pk_parse_key()):
https://github.com/polarssl/polarssl/commit/1a7550a


-Steffan
------------------------------------------------------------------------------
(Continue reading)