Re: [Openvpn-devel] Re: OpenVPN --resolv-retry and --chroot problem

2003-10-29 Thread Teemu Kiviniemi
Wed, 29-10-2003 at 23:38, James Yonan wrote:

> I would rather see this fix accomplished by adding some kind of dummy call
> early on in the initialization sequence to trigger the dynamic load of the DNS
> library -- but which doesn't touch the functionality of the current DNS name
> resolution code.

Hi,

I made a new patch. This time the name lookup is done in openvpn.c if
options->remote is set, just before entering the chroot jail.

http://iki.fi/teemuki/openvpn/cvs-resolvfix2.diff
The patch is against the current CVS version.

Teemu





[Openvpn-devel] OpenVPN --resolv-retry and --chroot problem

2003-10-29 Thread Teemu Kiviniemi
Hi,

OpenVPN 1.5beta12 and the CVS version have a problem when --resolv-retry
and --chroot are used at the same time. In a chroot environment,
gethostbyname() can't resolve the remote IP address:

Wed Oct 29 17:19:17 2003 13: RESOLVE: Cannot resolve host address:
somehost.somedomain: [unknown h_errno value]

This problem occurs with Debian Woody. I think it's related to the Glibc
dynamic loader. If the name resolver libraries aren't loaded before
OpenVPN enters the chroot jail, OpenVPN can't do any DNS queries. If
gethostbyname() is run before entering chroot(), the resolver libraries
are loaded and everything works as it should.

I changed link_socket_init_phase1() in socket.c to resolve the remote
host even if resolve_retry_seconds is set. That way, gethostbyname() is
run before chroot(). I don't know if that's the right way to do it, but
it fixes the problem for me.

The patch for 1.5 beta12 and the CVS version is available at:
http://iki.fi/teemuki/openvpn/openvpn-resolvfix.diff

Teemu



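As an added illustration of the failure mode described above (not code from OpenVPN or from Teemu's patch): glibc performs name lookups through NSS modules such as libnss_dns.so.2 that it loads on first use, guided by /etc/nsswitch.conf and /etc/resolv.conf, so a process that calls chroot() before its first lookup finds none of these unless the jail contains them. The patch sidesteps this by resolving before chroot(); the program below takes the complementary defensive step of auditing a jail directory for the files a post-chroot gethostbyname() would need. The function names, the flag values and the candidate library directories are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical jail audit (added example, not OpenVPN code). Each bit marks
 * one thing glibc's resolver would need inside the chroot directory. */
enum {
    JAIL_MISSING_RESOLV_CONF = 1 << 0,  /* etc/resolv.conf: nameserver list */
    JAIL_MISSING_HOSTS       = 1 << 1,  /* etc/hosts: static entries        */
    JAIL_MISSING_NSSWITCH    = 1 << 2,  /* etc/nsswitch.conf: lookup order  */
    JAIL_MISSING_NSS_DNS     = 1 << 3   /* libnss_dns.so.2 in some lib dir  */
};

/* Directories (relative to the jail root) where the NSS DNS module may live.
 * Assumed Debian-style locations; extend for other layouts. */
static const char *const LIBDIRS[] = {
    "lib", "lib64", "usr/lib",
    "lib/x86_64-linux-gnu", "lib/i386-linux-gnu", "usr/lib/x86_64-linux-gnu"
};

static int path_exists(const char *root, const char *rel)
{
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/%s", root, rel) >= (int)sizeof path)
        return 0;                       /* too long to be a real jail path */
    return stat(path, &st) == 0;
}

/* Return a bitmask of JAIL_MISSING_* flags; 0 means a lookup performed after
 * chroot(root) would find everything it needs on disk. */
int jail_resolver_missing(const char *root)
{
    int missing = 0;
    size_t i;

    if (!path_exists(root, "etc/resolv.conf"))   missing |= JAIL_MISSING_RESOLV_CONF;
    if (!path_exists(root, "etc/hosts"))         missing |= JAIL_MISSING_HOSTS;
    if (!path_exists(root, "etc/nsswitch.conf")) missing |= JAIL_MISSING_NSSWITCH;

    /* The module only has to exist in one of the candidate directories. */
    missing |= JAIL_MISSING_NSS_DNS;
    for (i = 0; i < sizeof LIBDIRS / sizeof LIBDIRS[0]; i++) {
        char rel[256];
        snprintf(rel, sizeof rel, "%s/libnss_dns.so.2", LIBDIRS[i]);
        if (path_exists(root, rel)) {
            missing &= ~JAIL_MISSING_NSS_DNS;
            break;
        }
    }
    return missing;
}

int main(int argc, char **argv)
{
    /* placeholder default; pass the real --chroot directory as argv[1] */
    const char *root = argc > 1 ? argv[1] : "/var/empty";
    int missing = jail_resolver_missing(root);

    if (missing & JAIL_MISSING_RESOLV_CONF) printf("%s: missing etc/resolv.conf\n", root);
    if (missing & JAIL_MISSING_HOSTS)       printf("%s: missing etc/hosts\n", root);
    if (missing & JAIL_MISSING_NSSWITCH)    printf("%s: missing etc/nsswitch.conf\n", root);
    if (missing & JAIL_MISSING_NSS_DNS)     printf("%s: missing libnss_dns.so.2\n", root);
    if (!missing)                           printf("%s: resolver files present\n", root);
    return missing ? 1 : 0;
}
```

Run it as `./jailcheck /path/to/chroot`; a non-zero exit means a lookup attempted inside that jail would fail the way the log line above shows. Resolving before chroot(), as the patch does, is the simpler fix because it leaves the jail empty; populating the jail is the alternative when lookups must happen later (for example on --resolv-retry reconnects).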


Re: [Openvpn-devel] a replacement for --tls-remote and verify-cn

2003-10-27 Thread Teemu Kiviniemi
Mon, 27-10-2003 at 22:49, James Yonan wrote:

> One thing that would help me to merge it more easily, is if you could recode
> against the current CVS which has advanced since beta12 and includes the

Hi,

I rewrote the patch against the EXP15 branch in CVS. I tested it briefly
and it worked just fine. The patch is available at:
http://iki.fi/teemuki/openvpn/cvs-tlsremote.diff

Teemu





[Openvpn-devel] a replacement for --tls-remote and verify-cn

2003-10-27 Thread Teemu Kiviniemi
Hi,

I ran into problems using --tls-verify to verify the remote host with
--chroot enabled. --tls-verify runs the verify script with the system()
command, so it assumes that /bin/sh is available. Usually, in a chroot
environment, that's not true.

I implemented a new config option: --tls-remote x509name

With --tls-remote the remote host is verified by looking at the X509
name. If the remote X509 name doesn't match the given x509name, the
remote host is rejected.

With --tls-remote, it's possible to verify the remote host even with a
completely empty chroot directory. --tls-remote also removes the need
for an external --tls-verify script in most cases.

Config example:
tls-remote /O=exampleorg/CN=name

I have tested the patch with a TLS tunnel on Debian Woody.

A patch against OpenVPN 1.5 beta12 is available at:
http://iki.fi/teemuki/openvpn/1.5_beta12-tlsremote.diff

Feel free to use it. :)

Teemu



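The --tls-remote check comes down to comparing the peer's X.509 subject, in the one-line "/O=.../CN=..." form the config example uses, against the configured string. As an added example (not Teemu's patch, whose exact comparison rules the mail does not state), here is a component-wise exact match in plain C with no OpenSSL dependency, next to the naive prefix compare a reviewer would want to see avoided. `parse_oneline`, `tls_remote_matches` and `tls_remote_prefix_matches` are this example's own names, and the peer subjects in main() are constructed samples.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RDN 16

/* One relative distinguished name component, e.g. key "CN", value "name". */
struct rdn {
    char key[32];
    char value[128];
};

/* Split the one-line form "/O=exampleorg/CN=name" into components.
 * Returns the component count, or -1 if the string is malformed (no leading
 * '/', a segment without '=', too many or oversized parts). The one-line
 * form does not escape '/' inside values, so a value containing '/' shows
 * up as a segment without '=' and is rejected rather than misread. */
static int parse_oneline(const char *s, struct rdn *out, int max)
{
    int n = 0;
    if (*s != '/')
        return -1;
    s++;
    while (*s) {
        const char *eq  = strchr(s, '=');
        const char *end = strchr(s, '/');
        size_t klen, vlen;
        if (!end)
            end = s + strlen(s);
        if (!eq || eq > end || n >= max)
            return -1;
        klen = (size_t)(eq - s);
        vlen = (size_t)(end - (eq + 1));
        if (klen == 0 || klen >= sizeof out[n].key || vlen >= sizeof out[n].value)
            return -1;
        memcpy(out[n].key, s, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, eq + 1, vlen);
        out[n].value[vlen] = '\0';
        n++;
        s = *end ? end + 1 : end;
    }
    return n;
}

/* Exact, component-wise comparison: same number of components, same keys
 * and values in the same order. Any parse failure fails closed (no match). */
int tls_remote_matches(const char *expected, const char *presented)
{
    struct rdn e[MAX_RDN], p[MAX_RDN];
    int ne = parse_oneline(expected, e, MAX_RDN);
    int np = parse_oneline(presented, p, MAX_RDN);
    int i;
    if (ne <= 0 || np <= 0 || ne != np)
        return 0;
    for (i = 0; i < ne; i++)
        if (strcmp(e[i].key, p[i].key) != 0 || strcmp(e[i].value, p[i].value) != 0)
            return 0;
    return 1;
}

/* The naive alternative: accept any subject that merely starts with the
 * configured string. Included only to make the difference visible; it lets
 * "/O=exampleorg/CN=name2" pass a check configured for CN=name. */
int tls_remote_prefix_matches(const char *expected, const char *presented)
{
    return strncmp(expected, presented, strlen(expected)) == 0;
}

int main(int argc, char **argv)
{
    /* constructed sample: the config line from the mail against two peers */
    const char *configured = argc > 1 ? argv[1] : "/O=exampleorg/CN=name";
    const char *peers[] = { "/O=exampleorg/CN=name", "/O=exampleorg/CN=name2" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-28s exact=%d prefix=%d\n", peers[i],
               tls_remote_matches(configured, peers[i]),
               tls_remote_prefix_matches(configured, peers[i]));
    return 0;
}
```

In a real verifier the comparison is better done on the X509_NAME structure component by component than on the one-line string, precisely because of the unescaped '/' problem noted in the parser comment; the example keeps the string form only because that is what the config line carries.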