Re: [Openvpn-devel] Win 32 Install script bug openvpn.nsi

2004-09-29 Thread James Yonan
On Wed, 29 Sep 2004, Remco Boom wrote:

> Hello all
> 
> In the file openvpn.nsi.in version 1.2.2.9, This is the most recent file 
> in CVS
> http://cvs.sourceforge.net/viewcvs.py/openvpn/openvpn/install-win32/openvpn.nsi.in?rev=1.2.2.9=markup
> I found a bug. When you reinstall the same version of openvpn the old tap 
> driver isn't removed and you end up with 2 tap drivers installed and 
> openvpn doesn't work.
> To fix it, just change the following in the nsi file:
> 
> At line 348 it says:
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAP'
> But it must be
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAP}'
> 
> At line 351 it says:
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAPDEV'
> This must be
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAPDRV}'
>  
> At line 353 
> TAPDEV must also be replaced by ${TAPDRV}

Are you sure?

The TAP and TAPDEV strings are the actual names of previous TAP-Win32 
hardware IDs which we want to delete before installing the new TAP-Win32 
driver.

For example in OpenVPN 1.x, the hwid is "TAP".  If we change the NSIS code
to ${TAP}, now it will expand to "tap0801" which is the hwid for 2.0.  So 
we won't be deleting the old instance any longer, which is what this code 
is supposed to be doing.

James




[Openvpn-devel] [PATCH] check crl issuer

2004-09-29 Thread Bernhard Weisshuhn
Hi,

I just submitted the following on sourceforge, but since I'm not sure if
it gets read frequently, here it is again:

The option crl-verify can bite you, if you use more than one CA to
issue certificates (like we do: Server-CA for gateways, User-CA for
workstations), since it only checks the serial of the presented certificate
against the serials in the crl, without taking the issuer into account,
which can make perfectly valid certificates look revoked.

The attached trivial patch spits out a warning and ignores the crl, if it
was from another issuer. Should be non-intrusive enough to be considered
for 2.0 imho.

The nicer thing to do would be to be able to use multiple CRLs and have
openvpn check against the correct one. But I guess that's a little late for
2.0...

Keep up the good work!
bkw



Patch against cvs branch BETA20:

Index: ssl.c
===
RCS file: /cvsroot/openvpn/openvpn/ssl.c,v
retrieving revision 1.38.2.21
diff -u -r1.38.2.21 ssl.c
--- ssl.c   19 Aug 2004 03:28:10 -  1.38.2.21
+++ ssl.c   29 Sep 2004 18:03:45 -
@@ -479,6 +479,12 @@
goto end;
   }

+  if (X509_NAME_cmp(X509_CRL_get_issuer(crl), 
X509_get_issuer_name(ctx->current_cert)) != 0) {
+   msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of 
certificate %s", opt->crl_file, subject);
+   retval = 1;
+   goto end;
+  }
+
   n = sk_num(X509_CRL_get_REVOKED(crl));

   for (i = 0; i < n; i++) {
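Review bot: In the new issuer-mismatch branch, `retval = 1; goto end;` makes the check fail open: per the description the CRL is ignored, so with crl-verify set, a certificate issued by any CA other than the CRL's issuer is accepted with no revocation check at all, and the only trace is one M_WARN line. Suggest documenting that limitation next to crl-verify and logging both issuer names (the CRL's and the certificate's) rather than only opt->crl_file and subject, so an operator can see which CA is going unchecked. The two long added lines (the X509_NAME_cmp condition and the msg string) have also been wrapped by the mailer, so the hunk will not apply as posted; resending it as an attachment would avoid that.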


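The serial collision described in the message above, as an added example that is not part of the original post or of OpenVPN's code. It is a constructed model without OpenSSL (all struct, function and CA names are hypothetical), and it goes one step beyond the patch by selecting among several CRLs by issuer, the approach the post calls nicer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a CRL is an issuer name plus the serials it revokes. */
struct crl  { const char *issuer; const long *serials; size_t n; };
struct cert { const char *issuer; long serial; };

static int serial_listed(const struct crl *c, long serial) {
    for (size_t i = 0; i < c->n; i++)
        if (c->serials[i] == serial) return 1;
    return 0;
}

/* Behaviour described in the post: the serial is compared, the issuer is not. */
int revoked_serial_only(const struct crl *c, const struct cert *x) {
    return serial_listed(c, x->serial);
}

enum crl_result { CRL_GOOD = 0, CRL_REVOKED = 1, CRL_NO_MATCHING_CRL = 2 };

/* Multi-CRL variant: consult only the CRL whose issuer matches the
 * certificate's issuer, and report separately when none is loaded so the
 * caller can decide whether to accept or reject. */
enum crl_result check_with_crls(const struct crl *crls, size_t ncrls,
                                const struct cert *x) {
    for (size_t i = 0; i < ncrls; i++) {
        if (strcmp(crls[i].issuer, x->issuer) != 0) continue;
        return serial_listed(&crls[i], x->serial) ? CRL_REVOKED : CRL_GOOD;
    }
    return CRL_NO_MATCHING_CRL;
}

/* Constructed sample data: both CAs issued a certificate with serial 2. */
static const long user_ca_revoked[]   = { 2, 7 };
static const long server_ca_revoked[] = { 5 };
const struct crl CRLS[] = {
    { "CN=User-CA",   user_ca_revoked,   2 },
    { "CN=Server-CA", server_ca_revoked, 1 },
};
const struct cert GATEWAY = { "CN=Server-CA", 2 };  /* valid gateway cert */
const struct cert LAPTOP  = { "CN=User-CA",   2 };  /* revoked workstation cert */

int main(void) {
    printf("serial-only, gateway vs User-CA CRL: %d\n",
           revoked_serial_only(&CRLS[0], &GATEWAY));
    printf("issuer-aware, gateway: %d\n", check_with_crls(CRLS, 2, &GATEWAY));
    printf("issuer-aware, laptop:  %d\n", check_with_crls(CRLS, 2, &LAPTOP));
    return 0;
}
```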

[Openvpn-devel] Win 32 Install script bug openvpn.nsi

2004-09-29 Thread Remco Boom

Hello all

In the file openvpn.nsi.in version 1.2.2.9, This is the most recent file 
in CVS

http://cvs.sourceforge.net/viewcvs.py/openvpn/openvpn/install-win32/openvpn.nsi.in?rev=1.2.2.9=markup
I found a bug. When you reinstall the same version of openvpn the old tap 
driver isn't removed and you end up with 2 tap drivers installed and 
openvpn doesn't work.

To fix it, just change the following in the nsi file:

At line 348 it says:
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAP'
But it must be
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAP}'

At line 351 it says:
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAPDEV'
This must be
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAPDRV}'

At line 353 
TAPDEV must also be replaced by ${TAPDRV}


I'm not sure how or if I'm able to change this in CVS, can one of you 
do this?

Thnx

Grtz,Remco



[Openvpn-devel] PATCH WIN32: wrapper tcp patch

2004-09-29 Thread Didier Conchaudron

Hi list,

A few weeks ago I announced on the users list that I would publish a patch 
aimed at adding a tcp server to the wrapper. That's now done.


I'm not familiar with making patches with diff, and my modifications only 
apply to the service-win32 directory in the openvpn source code.


What has been added precisely?

- a client app (without any admin credentials) can talk with a tcp 
server launched in the actual openvpnserv.exe windows service.

- on localhost only
- without any auth. from the client.
- it's for now possible to start/stop a tunnel via a gui/console app.
- the actual functions of automatic launch of tunnels is still ok but 
you have to add the config filename of the tunnel that must be run at 
startup into a new file named service.cfg (placed into the openvpn 
config files dir). It's necessary because in the original service, all 
.ovpn files were run at startup. So now you can start a tunnel1.ovpn at 
startup and allow a user to start another tunnel2.ovpn when he wants 
using a GUI/console app.


What has changed in the original code?

- rewrite of some functions in order to use them more accurately in the 
tcp server

- the makefile has been changed a little too.
- addition of tcpser.c and tcpser.h

Where do I get it?

You can get 2 tarballs for now:

- one including the patched wrapper, which just has to replace 
the actual code completely.
- one with the client code I use to test the tcp server. This code 
probably only helps GUI developers


http://conchaudron.free.fr/contrib/openvpn/tcp_client_openvpn.tgz
http://conchaudron.free.fr/contrib/openvpn/tcp_server_openvpn.tgz

Mathias Sundman will work on the client code in order to add this 
feature to his GUI.


Thanks to the list for its ideas (in an old thread;-) on this kind of 
feature.

Thanks to Mathias for his help in my first real contribution to opensource.

Didier