Re: [Openvpn-devel] Enhancements.

2010-09-24 Thread Jan Just Keijser

Hi David,

David Sommerseth wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 24/09/10 09:15, Jan Just Keijser wrote:
>> Yo all,
>> [...snip...]
>> I was just browsing through the 2.1.3 source tree and found this in ssl.c:
>>
>> static bool
>> push_peer_info(struct buffer *buf, struct tls_session *session)
>> {
>>   struct gc_arena gc = gc_new ();
>>   bool ret = false;
>>
>> #ifdef ENABLE_PUSH_PEER_INFO
>>   if (session->opt->push_peer_info) /* write peer info */
>>     {
>>       struct env_set *es = session->opt->es;
>>       struct env_item *e;
>>       struct buffer out = alloc_buf_gc (512*3, &gc);
>>
>>       /* push version */
>>       buf_printf (&out, "IV_VER=%s\n", PACKAGE_VERSION);
>>
>>       /* push platform */
>> #if defined(TARGET_LINUX)
>>       buf_printf (&out, "IV_PLAT=linux\n");
>> #elif defined(TARGET_SOLARIS)
>>
>> this gets called if --push-peer-info is specified. This seems to be new
>> for 2.1.3 - has anyone tested it?
>
> Good catch ... this is the commit which introduces it.  (SVN r5668)
> You're right, this is in 2.1.2/2.1.3
>
> commit aaf72974672e4f2af2053247b63ef6f06bdc80c0
> Author: James Yonan 
> Date:   Tue Jun 1 07:12:27 2010 +
>
> Implemented a key/value auth channel from client to server.
>
> Version 2.1.1i
>
> git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
>
>   And according to our normal procedure, this is of course not
>   documented in the man page.
>
> Thanks, JJK for catching this!  I don't think many have tested it -
> except James.  So if you wouldn't mind testing it out and maybe shed
> some knowledge about it, that would be great!

just toyed with it for about an hour or so and I can't get it to work - 
I even ran

 openvpn --cipher none --auth none
to see if I could see the IV_ and UV_ variables fly over the wire and I 
don't even see that.


Looks like this is still under development, but it is a nice starting 
point for implementing this enhancement (I'd go for a full negotiation 
step).


share and enjoy,

JJK




Re: [Openvpn-devel] proper "logout" support for the server?

2010-09-24 Thread Jason Haar
 On 09/24/2010 07:05 PM, Jan Just Keijser wrote:
> it's already available:
>  --explicit-exit-notify
> this is needed only for UDP based connections, as the server will know
> when a TCP connection has ended.
>

Ha! So it is. Given the amount of time I've read the manpage, I'm
surprised I've missed it :-}


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: [Openvpn-devel] Enhancements.

2010-09-24 Thread David Sommerseth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/09/10 09:15, Jan Just Keijser wrote:
> Yo all,
[...snip...]
> I was just browsing through the 2.1.3 source tree and found this in ssl.c:
> 
> static bool
> push_peer_info(struct buffer *buf, struct tls_session *session)
> {
>   struct gc_arena gc = gc_new ();
>   bool ret = false;
> 
> #ifdef ENABLE_PUSH_PEER_INFO
>   if (session->opt->push_peer_info) /* write peer info */
>     {
>       struct env_set *es = session->opt->es;
>       struct env_item *e;
>       struct buffer out = alloc_buf_gc (512*3, &gc);
> 
>       /* push version */
>       buf_printf (&out, "IV_VER=%s\n", PACKAGE_VERSION);
> 
>       /* push platform */
> #if defined(TARGET_LINUX)
>       buf_printf (&out, "IV_PLAT=linux\n");
> #elif defined(TARGET_SOLARIS)
> 
> 
> this gets called if --push-peer-info is specified. This seems to be new
> for 2.1.3 - has anyone tested it?

Good catch ... this is the commit which introduces it.  (SVN r5668)
You're right, this is in 2.1.2/2.1.3

commit aaf72974672e4f2af2053247b63ef6f06bdc80c0
Author: James Yonan 
Date:   Tue Jun 1 07:12:27 2010 +

Implemented a key/value auth channel from client to server.

Version 2.1.1i


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5



  And according to our normal procedure, this is of course not
  documented in the man page.


Thanks, JJK for catching this!  I don't think many have tested it -
except James.  So if you wouldn't mind testing it out and maybe shed
some knowledge about it, that would be great!


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkycWacACgkQDC186MBRfrrFyACfcv0yz0Y+PuiuN5yKtU7rFIOy
xcoAni3AdaQuYG2S7aWK1yni1JwKMahA
=tr7E
-----END PGP SIGNATURE-----



Re: [Openvpn-devel] Enhancements.

2010-09-24 Thread Jan Just Keijser

Yo all,

David Sommerseth wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 14/09/10 13:37, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Sep 14, 2010 at 11:10:28AM +0200, Jan Just Keijser wrote:
>>>  if (buf_string_match_head_str (&buf, "AUTH_FAILED"))
>>>    receive_auth_failed (c, &buf);
>>>  else if (buf_string_match_head_str (&buf, "PUSH_"))
>>>    incoming_push_message (c, &buf);
>>>  else if (buf_string_match_head_str (&buf, "RESTART"))
>>>    server_pushed_restart (c, &buf);
>>>  else
>>>    msg (D_PUSH_ERRORS, "WARNING: Received unknown control message: %s",
>>>         BSTR (&buf));
>>>
>>> is the control message stage early enough? that means authentication has
>>> been completed, and the client_connect script has been run (or am I
>>> mistaken?
>>
>> I'm not absolutely sure at what time these messages can be sent.  But
>> most likely you're right, you want this before running client-connect.
>>
>> Someone around who fully understands the session flow...?
>
> Taken completely from memory, the PUSH_REQ phase comes in _after_ the
> authentication process.  But, I also believe it comes after
> OPENVPN_PLUGIN_CLIENT_CONNECT phase, as that plug-in hook can push
> config settings to the client dynamically.  And if the
> OPENVPN_PLUGIN_CLIENT_CONNECT hook sends a rejection, the connection is
> dropped.
>
> Unless somebody else chimes in before I've been able to double check it,
> I'll do some more checks here.

  

I was just browsing through the 2.1.3 source tree and found this in ssl.c:

static bool
push_peer_info(struct buffer *buf, struct tls_session *session)
{
  struct gc_arena gc = gc_new ();
  bool ret = false;

#ifdef ENABLE_PUSH_PEER_INFO
  if (session->opt->push_peer_info) /* write peer info */
    {
      struct env_set *es = session->opt->es;
      struct env_item *e;
      struct buffer out = alloc_buf_gc (512*3, &gc);

      /* push version */
      buf_printf (&out, "IV_VER=%s\n", PACKAGE_VERSION);

      /* push platform */
#if defined(TARGET_LINUX)
      buf_printf (&out, "IV_PLAT=linux\n");
#elif defined(TARGET_SOLARIS)


this gets called if --push-peer-info is specified. This seems to be new
for 2.1.3 - has anyone tested it?


cheers,

JJK
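The IV_/UV_ blob that push_peer_info() assembles is client-controlled input: whatever the server does with it later (the thread above only shows the client side; the server-side handling is not on this page) it has to treat those key/value pairs as untrusted. As an added example, not OpenVPN source and not from this thread, here is a strict server-side parser that accepts only the shape the client code produces: one KEY=VALUE per line, keys limited to the IV_/UV_ prefixes and [A-Z0-9_], printable-ASCII values, no duplicate keys and a hard cap on the number of pairs, rejecting the whole blob on the first bad line. The limits (64 pairs, 64-byte keys, 256-byte values), the helper names and the sample blobs are assumptions of this example.

```c
/* Added example, not OpenVPN source: a strict server-side parser for the
 * "KEY=VALUE\n" peer-info blob that the client builds in push_peer_info().
 * The limits and helper names below are assumptions of this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PI_MAX_PAIRS 64
#define PI_MAX_KEY   64
#define PI_MAX_VAL   256

struct peer_kv {
    char key[PI_MAX_KEY + 1];
    char val[PI_MAX_VAL + 1];
};

/* Keys: IV_ or UV_ prefix followed by at least one of [A-Z0-9_], nothing
 * else, so a client cannot smuggle PATH= or LD_PRELOAD= into an env set. */
static int key_allowed(const char *k, size_t n)
{
    size_t i;
    if (n < 4 || n > PI_MAX_KEY)
        return 0;
    if (memcmp(k, "IV_", 3) != 0 && memcmp(k, "UV_", 3) != 0)
        return 0;
    for (i = 3; i < n; i++) {
        unsigned char c = (unsigned char)k[i];
        if (!isupper(c) && !isdigit(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Values: printable ASCII only, which also excludes NUL, CR and LF. */
static int val_allowed(const char *v, size_t n)
{
    size_t i;
    if (n > PI_MAX_VAL)
        return 0;
    for (i = 0; i < n; i++)
        if ((unsigned char)v[i] < 0x20 || (unsigned char)v[i] > 0x7e)
            return 0;
    return 1;
}

/* Parse blob[0..len) into out[]. Returns the number of accepted pairs, or -1
 * if any line is malformed, forbidden, duplicated or over the cap: one bad
 * line rejects the whole blob instead of being silently dropped. */
int parse_peer_info(const char *blob, size_t len,
                    struct peer_kv *out, size_t max_out)
{
    size_t pos = 0, count = 0, j;

    while (pos < len) {
        const char *line = blob + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - line) : len - pos;
        const char *eq = linelen ? memchr(line, '=', linelen) : NULL;
        size_t klen, vlen;

        if (!eq)
            return -1;                      /* empty line or no '=' */
        klen = (size_t)(eq - line);
        vlen = linelen - klen - 1;
        if (!key_allowed(line, klen) || !val_allowed(eq + 1, vlen))
            return -1;
        for (j = 0; j < count; j++)         /* reject duplicate keys */
            if (strlen(out[j].key) == klen && memcmp(out[j].key, line, klen) == 0)
                return -1;
        if (count >= max_out || count >= PI_MAX_PAIRS)
            return -1;

        memcpy(out[count].key, line, klen);
        out[count].key[klen] = '\0';
        memcpy(out[count].val, eq + 1, vlen);
        out[count].val[vlen] = '\0';
        count++;
        pos += linelen + (nl ? 1 : 0);
    }
    return (int)count;
}

/* Convenience wrapper for NUL-terminated blobs. */
int peer_info_count(const char *blob)
{
    struct peer_kv kv[PI_MAX_PAIRS];
    return parse_peer_info(blob, strlen(blob), kv, PI_MAX_PAIRS);
}

int main(void)
{
    /* Constructed sample in the shape the client code above produces. */
    static const char good[] = "IV_VER=2.1.3\nIV_PLAT=linux\nUV_SITE=amsterdam\n";
    struct peer_kv kv[PI_MAX_PAIRS];
    int i, n = parse_peer_info(good, sizeof good - 1, kv, PI_MAX_PAIRS);

    for (i = 0; i < n; i++)
        printf("%s = %s\n", kv[i].key, kv[i].val);
    printf("blob with a forbidden key: %d\n",
           peer_info_count("IV_VER=2.1.3\nLD_PRELOAD=/tmp/x.so\n"));
    return 0;
}
```

The all-or-nothing return is deliberate: dropping only the offending line would let a client probe which keys the server filters, and a partially accepted blob is harder to reason about in a client-connect script than a rejected one.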




Re: [Openvpn-devel] proper "logout" support for the server?

2010-09-24 Thread Jan Just Keijser

Jason Haar wrote:

> Hi there
>
> Minor feature request. When a user ends their openvpn client session,
> shouldn't it be possible to send one last command to the server - a
> "logout" command? That way the server can clean up the session much
> faster than waiting for a keepalive timeout cycle...
>
> (the problem I see is that we make extensive use of "--up"/etc scripts
> and a user can sometimes do several "up->down->up" in a row - which
> leads to "flapping" checks. If the server was told the client was
> leaving, this would reduce these issues).


it's already available:
 --explicit-exit-notify
this is needed only for UDP based connections, as the server will know 
when a TCP connection has ended.


HTH,

JJK
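As an added illustration that is not part of the thread, this is where the option sits in a client configuration, next to the server-side keepalive that otherwise bounds how long a silently departed UDP client instance lingers. The host name, port and timeout values are assumptions; the option names are the OpenVPN ones.

```text
# client.conf (added example; explicit-exit-notify only applies to UDP,
# for TCP the server notices the socket closing by itself)
client
dev tun
proto udp
remote vpn.example.com 1194
# send the exit notification once when the client exits or restarts,
# so the server's client-disconnect handling runs right away
explicit-exit-notify 1

# server.conf (added example)
proto udp
# without the notification a vanished client is only reaped after the
# ping-restart timeout derived from this keepalive
keepalive 10 120
```

The notification is sent by the client on a clean exit or restart only; a client that loses power or connectivity still falls back to the keepalive timeout, so the server-side value stays relevant even with the option set.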





[Openvpn-devel] Summary of the IRC meeting (23rd Sep 2010)

2010-09-24 Thread Samuli Seppänen
Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Thursday, 23rd Sep 2010
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting next week, same place, same time. Your local meeting time
is easy to check from services such as



or with

$ date -u


SUMMARY

Discussed next releases. Agreed that 4-6 weeks is a realistic estimate
for 2.2-beta4 and January for the final 2.2 release. So far there have
not been any major complaints about 2.2-beta3.

As there's plenty of time before 2.2-beta4 release, mattock will
postpone Windows building until after configuring buildbot and the
public OpenVPN test server.

--

Discussed Alon's build system patch:



Jamesyonan tested the patch on Windows and was able to build on both
MinGW-32 and MSVC. Provided that the patch does not break anything on
*NIX, it's got James' ACK.

--

Discussed buildbot email notifications and build triggers:




Agreed that having two separate mailinglists would be best:

1) openvpn-commits

A read-only, moderated list which gets all commit messages. Buildbot
will parse these messages to generate so-called "Changes", which trigger
builds. Using an open list (e.g. #openvpn-devel) would allow malicious
people to initiate builds.

2) openvpn-builds

A read-only, moderated list which gets all Buildbot notifications about
build failures etc. Buildbot can spam a lot, especially if there are
generic build failures or a misconfiguration somewhere, so using
#openvpn-devel is not wise.

--

Discussed Buildbot IRC notifications briefly:



Did not reach a consensus on whether using an IRC bot would be wise or not.
Decided to discuss this issue later on.

--

Discussed splitting various parts of OpenVPN into separate git trees or
git submodules. Currently changing any part of OpenVPN distribution
(e.g. build scripts, easy-rsa, TAP-driver) requires increasing the
OpenVPN version number. For example, 2.1.1 - 2.1.3 are essentially the
same, with only (Windows) build system changes.

This issue had been discussed earlier in this email thread:



Agreed that splitting easy-rsa into a separate git tree makes sense.
Isolating the TAP driver (tap-win32) into a separate project is
problematic, as it's referred to in OpenVPN (e.g. tun.h). A few solutions
were proposed:

1) Use "configure --with-tap-win32" to locate the header off tree

The problem here is that normal machines wouldn't have that header
because it's not needed to run openvpn. Also, devel machines
(cross-devel especially) won't have it either, because the TAP driver
won't be installed. The header file would thus have to be downloaded
separately.

2) Place the TAP driver into a git submodule inside OpenVPN git tree

This would allow tracking TAP driver development separately from
OpenVPN. This would make sense if the development and release cycles of
these projects were different; especially if the TAP driver would see
more frequent releases than OpenVPN. This is, however, unlikely.

Agreed that the TAP driver separation issue requires more discussion.

As mentioned above, changes to the Windows build system(s) require
increasing OpenVPN version number. There are two of those currently:

1) autoconf/automake tools and mingw-based
2) python-based which uses MSVC, loc

The python-based build system is in the 'win' directory and is
responsible for building the TAP driver.

Unneeded version number incrementation could be fixed by adding a build
number to Windows releases.

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


(21:07:26) mattock: ok, shall we start?
(21:07:38) mattock: from the bottom this time?
(21:07:41) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2010-09-23
(21:07:43) vpnHelper: Title: Topics-2010-09-23 – OpenVPN Community (at 
community.openvpn.net)
(21:07:44) dazo: yeah
(21:08:06) mattock: I'd like to know what to focus on after buildbot is fully 
functional (=soon)
(21:08:25) mattock: when will we release next beta?
(21:08:47) dazo: windows build are then getting a high-prio from my side
(21:08:49) mattock: that determines how fast I got to learn windows (+TAP 
driver) building
(21:09:24) mattock: Windows building could be a piece of cake, or not...
(21:09:56) dazo: next beta ... I'd like to complete the plugin_v3 patches ... I 
have some new patches which just needs to be tested ... I'd like to see that in 
v2.2, to give a little bit features as w

[Openvpn-devel] proper "logout" support for the server?

2010-09-24 Thread Jason Haar
 Hi there

Minor feature request. When a user ends their openvpn client session,
shouldn't it be possible to send one last command to the server - a
"logout" command? That way the server can clean up the session much
faster than waiting for a keepalive timeout cycle...

(the problem I see is that we make extensive use of "--up"/etc scripts
and a user can sometimes do several "up->down->up" in a row - which
leads to "flapping" checks. If the server was told the client was
leaving, this would reduce these issues).

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1