Re: [Openvpn-devel] Win 32 Install script bug openvpn.nsi
On Wed, 29 Sep 2004, Remco Boom wrote:

> Hello all
>
> In the file openvpn.nsi.in version 1.2.2.9. This is the most recent file
> in CVS
> http://cvs.sourceforge.net/viewcvs.py/openvpn/openvpn/install-win32/openvpn.nsi.in?rev=1.2.2.9=markup
> I found a bug. When you reinstall the same version openvpn the old tap
> driver isn't removed and you end up with 2 tap drivers installed and
> openvpn doesn't work.
> To fix it, just change the following in the nsi file:
>
> At line 348 it says:
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAP'
> But it must be
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAP}'
>
> At line 351 it says:
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAPDEV'
> This must be
> nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAPDRV}'
>
> at line 353
> TAPDEV must also be replaced by ${TAPDRV}

Are you sure?

The TAP and TAPDEV strings are the actual names of previous TAP-Win32 hardware IDs which we want to delete before installing the new TAP-Win32 driver.

For example in OpenVPN 1.x, the hwid is "TAP". If we change the NSIS code to ${TAP}, now it will expand to "tap0801" which is the hwid for 2.0. So we won't be deleting the old instance any longer, which is what this code is supposed to be doing.

James
[Openvpn-devel] [PATCH] check crl issuer
Hi,

I just submitted the following on sourceforge, but since I'm not sure if it gets read frequently, here it is again:

The option crl-verify can bite you, if you use more than one CA to issue certificates (like we do: Server-CA for gateways, User-CA for workstations), since it only checks the serial of the presented certificate against the serials in the crl, without taking the issuer into account, which can make perfectly valid certificates look revoked.

The attached trivial patch spits out a warning and ignores the crl, if it was from another issuer. Should be non-intrusive enough to be considered for 2.0 imho.

The nicer thing to do would be to be able to use multiple CRLs and have openvpn check against the correct one. But I guess that's a little late for 2.0...

Keep up the good work!

bkw

Patch against cvs branch BETA20:

Index: ssl.c === RCS file: /cvsroot/openvpn/openvpn/ssl.c,v retrieving revision 1.38.2.21 diff -u -r1.38.2.21 ssl.c --- ssl.c 19 Aug 2004 03:28:10 - 1.38.2.21 +++ ssl.c 29 Sep 2004 18:03:45 - @@ -479,6 +479,12 @@ goto end; } + if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(ctx->current_cert)) != 0) { + msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of certificate %s", opt->crl_file, subject); + retval = 1; + goto end; + } + n = sk_num(X509_CRL_get_REVOKED(crl)); for (i = 0; i < n; i++) {
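Review bot: the new issuer-mismatch branch sets `retval = 1` before `goto end`, which by the description means the CRL is ignored and the certificate is let through, so a certificate from any CA other than the one that issued the configured CRL is never checked for revocation. That fail-open choice should be stated in a comment at the branch and in the crl-verify documentation, and the M_WARN text should say that no revocation check was applied to this certificate, not only that the issuers differ, so that someone reading the log does not assume the check ran. If skipping is not acceptable for a deployment, the alternative is to fail the verification in this branch until several CRLs can be loaded.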
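The serial-only matching described in the message above, next to the issuer-aware lookup over several CRLs that it calls the nicer approach, as an added example that is not part of the original post and not OpenVPN or OpenSSL code. The struct, function names and sample CA data are constructed for illustration, and issuers are compared as plain strings.

```c
/* Added illustration: simplified model, not OpenVPN or OpenSSL code.
   Names and sample data are constructed; issuers are compared as plain
   strings here, where real code compares X.509 names. */
#include <stdio.h>
#include <string.h>

struct crl {
    const char *issuer;    /* name of the CA that issued this CRL */
    const long *revoked;   /* revoked serial numbers */
    int n;
};
enum verdict { CERT_GOOD, CERT_REVOKED, CERT_NO_CRL };

static int serial_listed(const struct crl *c, long serial) {
    for (int i = 0; i < c->n; i++)
        if (c->revoked[i] == serial) return 1;
    return 0;
}

/* Behaviour described in the message: serial compared, issuer ignored. */
enum verdict check_serial_only(const struct crl *c, long serial) {
    return serial_listed(c, serial) ? CERT_REVOKED : CERT_GOOD;
}

/* Issuer-aware check: consult only the CRL issued by the certificate's
   own CA. CERT_NO_CRL leaves the accept-or-reject policy to the caller. */
enum verdict check_with_issuer(const struct crl *crls, int ncrls,
                               const char *cert_issuer, long serial) {
    for (int i = 0; i < ncrls; i++) {
        if (strcmp(crls[i].issuer, cert_issuer) != 0) continue;
        return serial_listed(&crls[i], serial) ? CERT_REVOKED : CERT_GOOD;
    }
    return CERT_NO_CRL;
}

/* Constructed sample: two CAs number their certificates independently. */
static const long user_revoked[] = { 2, 7 };
static const long server_revoked[] = { 5 };
const struct crl sample_crls[] = {
    { "CN=User-CA", user_revoked, 2 },
    { "CN=Server-CA", server_revoked, 1 },
};

int main(void) {
    /* Gateway certificate: issuer Server-CA, serial 2, never revoked. */
    printf("serial-only: %d\n", check_serial_only(&sample_crls[0], 2));
    printf("issuer-aware: %d\n", check_with_issuer(sample_crls, 2, "CN=Server-CA", 2));
    return 0;
}
```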
[Openvpn-devel] Win 32 Install script bug openvpn.nsi
Hello all

In the file openvpn.nsi.in version 1.2.2.9. This is the most recent file in CVS
http://cvs.sourceforge.net/viewcvs.py/openvpn/openvpn/install-win32/openvpn.nsi.in?rev=1.2.2.9=markup
I found a bug. When you reinstall the same version openvpn the old tap driver isn't removed and you end up with 2 tap drivers installed and openvpn doesn't work.
To fix it, just change the following in the nsi file:

At line 348 it says:
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAP'
But it must be
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAP}'

At line 351 it says:
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove TAPDEV'
This must be
nsExec::ExecToLog '"$INSTDIR\bin\tapinstall.exe" remove ${TAPDRV}'

at line 353
TAPDEV must also be replaced by ${TAPDRV}

I'm not sure how or if I'm able to change this in CVS, can one of you do this?

Thnx

Grtz,
Remco
[Openvpn-devel] PATCH WIN32: wrapper tcp patch
Hi list,

A few weeks ago I announced on the users list that I would publish a patch aiming at adding a tcp server in the wrapper. That's now done. I'm not familiar with patch making with diff and my modifications only apply to the service-win32 directory in the openvpn source code.

What has been added precisely?
- a client app (without any admin credentials) can talk with a tcp server launched in the actual openvpnserv.exe windows service.
- on localhost only
- without any auth. from the client.
- it's for now possible to start/stop a tunnel via a gui/console app.
- the actual function of automatic launch of tunnels is still ok but you have to add the config filename of the tunnel that must be run at startup into a new file named service.cfg (placed into the openvpn config files dir). It's necessary because in the original service, all .ovpn files were run at startup. So now you can start a tunnel1.ovpn at startup and allow a user to start another tunnel2.ovpn when he wants using a GUI/console app.

What has changed in the original code?
- rewrite of some functions in order to use them more accurately in the tcp server
- the makefile has been changed a little too.
- addition of tcpser.c and tcpser.h

Where do I get it?
You can get 2 tarballs for now:
- one including the patched wrapper which just has to replace completely the actual code.
- one with the client code I use to test the tcp server. This code probably only helps GUI developers

http://conchaudron.free.fr/contrib/openvpn/tcp_client_openvpn.tgz
http://conchaudron.free.fr/contrib/openvpn/tcp_server_openvpn.tgz

Mathias Sundman will work on the client code in order to add this feature to his GUI.

Thanks to the list for its ideas (in an old thread ;-) on this kind of feature.
Thanks to Mathias for his help in my first real contribution to opensource.

Didier