On 07/09/16 14:15, Samuli Seppänen wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 07/09/16 11:43, Gert Doering wrote: >>> Hi, >>> >>> On Wed, Sep 07, 2016 at 12:18:17PM +0300, Samuli Seppänen wrote: >>>> We have already dropped XP support from OpenVPN Git "master". I >>>> think now is the time to drop official XP support altogether, but >>>> to maintain Vista support util the next tap-windows6 release. >>> Oh, regarding Vista support: I noticed that major open source >>> projects (like chrome) have already dropped Vista support - so I >>> think dropping Vista for 2.4 should be OK. >> I agree. I believe the majority of most users upgraded to Win7 from >> Vista, as Vista was a slow giant beast compared to Win7. Those left >> on Vista are probably not the kind of users interested in setting up >> VPNs - and if they do, it would probably be one of the more commercial >> offerings than configuring your own client. >> >> Put Vista and XP in the same "support category", which basically means >> OpenVPN 2.3 and we'll see how long we are willing to officially >> support 2.3. > Maintaining Windows Vista support will be tricky without extra effort, > as it enforces strict driver signing requirements like Windows 7, but > lacks SHA2 support. This is not a showstopper for the user-space > components (openvpn, openssl, etc), which just give the "Unknown > publisher" warning. However, if we need to fix something in > tap-windows6, the new driver will only have a SHA2 signature, and Vista > will thus refuse to install and load it to the kernel. > > Windows XP is easier to support, as it allows loading of unsigned > kernel-mode code without putting the operating system to "test mode"; it > will just complain about "Unknown publisher". > > We could try to beg for a SHA1 code-signing certificate from Digicert > using their support system. However, I will try to get some download > figures for I00x and I60x installers before we go down that route. >
we could consider a quick&dirty method: XP/Vista -> NDIS5 only 7+ -> NDIS 6 only I can't see why M$ would not allow SHA1 signed NDIS5 drivers anymore... It would mean that the OpenVPN 2.3 code base needs to be remain compatible with NDIS5 and 6, as it is now. JJK ------------------------------------------------------------------------------ _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
