-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/10 23:56, Martin MOKREJŠ wrote:
>   The patches in Gentoo I for example here:
> http://mirror.averse.net/gentoo-portage/net-misc/openvpn/files/
> 
>>> On the client:
>>> I use net-misc/openvpn-2.1.0-r1, I see there are two patches applying to
>>> my systems (no IPv6 patch):
>>>         epatch "${FILESDIR}/${PN}-2.1_rc13-peercred.patch"
>>>         epatch "${FILESDIR}/${PN}-2.1_rc20-pkcs11.patch"

[...snip...]

>
> Look at the two patches, they should probably go into your tree anyways if
> they are not just fixing some compilation/layout issues.
>

Those patches are clean, and not related to this issue at all.
The peercred patch has been adopted and included into the
openvpn-testing.git tree.

- -------------------------------------------------------------------------
commit 48045ace0541ec39f9c5003c0c37a23e1651f39d
Author: David Sommerseth <d...@users.sourceforge.net>
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Mar 10 11:45:04 2010 +0100

    On TARGET_LINUX define _GNU_SOURCE if not defined

    This is to include peercred support on hosts where _GNU_SOURCE is
    not defined by default.  This issue has been found on Gentoo with
    glibc-2.8.

    The solution was discussed on the IRC meeting March 4, 2010
    in #openvpn-discussions.
    <http://thread.gmane.org/gmane.network.openvpn.devel/3242>

    Signed-off-by: David Sommerseth <d...@users.sourceforge.net>
    Acked-by: James Yonan <ja...@openvpn.net>
- -------------------------------------------------------------------------

[...snip...]

> Please improve the openVPN docs. Further, isn't it possible to
> provide two openssl.cnf files, one for client and the other for
> server, and fill-in more default values. I never know where to place
> FQDN, where to place "server", "client", and you saw in my proposed
> patch that I had to invent even more.

The documentation needs to be reviewed, to be sure it does provide
accurate information.  Having said that, there don't seem to be that many
who struggle with this on the ##openvpn IRC channel.  I admit I've not
paid too much attention to the discussions there the last few weeks, but
this (VERIFY KU ERROR) is not on the "top 10" trouble list, afaik.

But on the other hand, most easy-rsa users do also make use of the
./build-key-server and ./build-key{,-pass,-pkcs12} scripts.  It might be
an issue related to ./sign-req.

I strongly recommend against having more openssl.cnf files.  It is
possible to use one file, which makes the maintenance easier in the long
run.  The ./pkitool script should take care of providing the needed
"tweaks" to separate between client and server certificates.

For a similar script based version which might work better, take a look
at ssl-admin <http://www.secure-computing.net/wiki/index.php/Ssl-admin>.


I also noticed that Ubuntu was mentioned in the thread.  It might not be
directly related, but if you have an Ubuntu OpenVPN 2.1_rc7 - rc11
installation in use, beware that these versions do have some patches
which make them incompatible with other versions.  And the failure in
this case is not obvious.  So, if possible, upgrade to OpenVPN
2.1.0/2.1.1 on client and server.


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwQFssACgkQDC186MBRfrr0/wCdEhjMNJgNkzNEQsZRKrxghlWv
f4MAn2yLisOUr+a+eN7uzJjID1D6L4Fz
=QH6W
-----END PGP SIGNATURE-----
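A worked version of the "one openssl.cnf, let the signing step pick the section" approach David describes above, together with the check behind the VERIFY KU ERROR this thread is about. This is an added example, not code from the thread, from OpenVPN or from easy-rsa; the section names, common names, file layout and the helper function names are assumptions, and the [server]/[client] extension sections are modelled on easy-rsa's but written here. In OpenVPN 2.1, --remote-cert-tls server is shorthand for --remote-cert-ku a0 88 plus --remote-cert-eku "TLS Web Server Authentication"; the script issues a server and a client certificate from a single config, then reproduces the keyUsage byte comparison in shell and uses OpenSSL's own sslserver purpose check as a looser stand-in for the EKU/nsCertType half. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from this thread, OpenVPN or easy-rsa.
# One openssl.cnf with separate [server] and [client] extension sections;
# the role only selects the section at signing time, as pkitool does.
set -eu
PKI="$(mktemp -d)"            # assumption: throwaway directory for keys and certs
trap 'rm -rf "$PKI"' EXIT

write_config() {              # write_config DIR
    cat >"$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
# overridden by -subj on the command line
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# modelled on easy-rsa's [server] section: keyUsage a0 + serverAuth
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash

# modelled on easy-rsa's [usr_cert] section: keyUsage 80 + clientAuth
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

issue() {                     # issue DIR server|client CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # the sign-req step: -extensions "$2" is the only server/client difference
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/openssl.cnf" \
        -extensions "$2" -out "$1/$2.crt" 2>/dev/null
}

build_pki() {                 # build_pki DIR
    write_config "$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/openssl.cnf" -extensions ca_ext -subj "/CN=Example VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    issue "$1" server vpn.example.net    # assumed names
    issue "$1" client alice
}

key_usage_of() {              # key_usage_of CERT: the keyUsage names on one line
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

ku_byte_of() {                # ku_byte_of CERT: first keyUsage byte as two hex digits
    names="$(key_usage_of "$1")"; bits=0
    case "$names" in *"Digital Signature"*) bits=$((bits + 128)) ;; esac
    case "$names" in *"Non Repudiation"*)   bits=$((bits + 64))  ;; esac
    case "$names" in *"Key Encipherment"*)  bits=$((bits + 32))  ;; esac
    case "$names" in *"Data Encipherment"*) bits=$((bits + 16))  ;; esac
    case "$names" in *"Key Agreement"*)     bits=$((bits + 8))   ;; esac
    case "$names" in *"Certificate Sign"*)  bits=$((bits + 4))   ;; esac
    case "$names" in *"CRL Sign"*)          bits=$((bits + 2))   ;; esac
    case "$names" in *"Encipher Only"*)     bits=$((bits + 1))   ;; esac
    printf '%02x' "$bits"
}

# OpenVPN's --remote-cert-tls server is --remote-cert-ku a0 88 plus EKU
# serverAuth; this reproduces the KU half: the byte must equal one of the values.
remote_cert_ku() {            # remote_cert_ku CERT HEX...
    cert="$1"; shift; got="$(ku_byte_of "$cert")"
    for want in "$@"; do [ "$got" = "$want" ] && return 0; done
    return 1
}

# Looser stand-in for the EKU/nsCertType half: OpenSSL's own sslserver purpose.
chain_ok_as_server() {        # chain_ok_as_server DIR CERT
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

build_pki "$PKI"
for role in server client; do
    printf '%s.crt: keyUsage %s (%s)\n' "$role" "$(ku_byte_of "$PKI/$role.crt")" \
        "$(key_usage_of "$PKI/$role.crt")"
    if remote_cert_ku "$PKI/$role.crt" a0 88 && chain_ok_as_server "$PKI" "$PKI/$role.crt"
    then printf '  passes the --remote-cert-tls server checks\n'
    else printf '  fails them: this is the VERIFY KU/EKU ERROR a client would log\n'
    fi
done
```

Run it with sh; it leaves nothing behind. The client certificate carries keyUsage 80 (digitalSignature alone), which OpenSSL's sslserver purpose would tolerate on the KU side but which fails OpenVPN's a0/88 byte comparison, so it is rejected twice over: on EKU by openssl verify and on KU by the remote_cert_ku stand-in. A server certificate that was accidentally signed with the client section shows exactly this mismatch, which is why the signing step, not the number of config files, is where the client/server distinction has to be made.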
