Re: [Openvpn-devel] Documentation and alternative SSL backend patches
Hi,

On Thu, Dec 02, 2010 at 11:50:47AM +0100, David Sommerseth wrote:
> Wow, I mean WOW!! This is quite some work you've done!
[..]

What he said :-)

I'm not so pessimistic regarding inclusion in 2.3, though - yes, 2.3 brings large changes, but not yet in the SSL arena. So why not break that as well while we're at it?

"We have a framework for automated building and testing now..."

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
On 12/02/2010 12:10 PM, Matthias Andree wrote:
> On 02.12.2010 10:46, Farkas Levente wrote:
>> On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
>>> Hi List,
>>>
>>> We've been working on OpenVPN in preparation for a security evaluation.
>>> This entailed documenting OpenVPN at a relatively high level, removing the
>>> dependencies on OpenSSL, and adding support for a simpler, easier to
>>> evaluate library (PolarSSL).
>>>
>>> This was done in a series of patches:
>>> - Patch 1: Adds documentation to OpenVPN through Doxygen.
>>> - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
>>> interface for both the crypto and SSL modules. Splits the SSL module into
>>> channel setup and verification sub-modules.
>>> - Patch 3: Adds a backend for PolarSSL.
>>>
>>> We'd love to release these patches to the community. Unfortunately, the
>>> patches are now based on 2.1.4, and need to be rebased to a newer version.
>>> Before we spend time on updating the patches to the current revision of
>>> OpenVPN, we'd like to know whether there is an interest in these patches
>>> from the community.
>>
>> Most distros switch from OpenSSL to NSS. Is there any reason you switched
>> to PolarSSL instead of NSS?
>>
>
> What do you base the "most distro" assessment on?
>
> Are you aware of any website discussing the advantages of the "big" SSL
> providers (OpenSSL, Mozilla NSS, GnuTLS, PolarSSL, CyaSSL, ...)?

http://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://rcritten.fedorapeople.org/nss_compat_ossl.html
http://www.mail-archive.com/help-gnutls@gnu.org/msg00676.html
http://fedoraproject.org/wiki/Nss_compat_ossl
http://lists.alioth.debian.org/pipermail/nut-upsdev/2010-December/005090.html

--
Levente "Si vis pacem para bellum!"
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
Great to hear positive reactions. I'll wait with the rebase to 2.2 until I get a signal from you.

To answer your question: patch 3 only adds a backend for PolarSSL, adding a configure option to select the SSL library to use.

I'm still working on a few extra features, such as PolarSSL PKCS #11 support, and the patches need a little more polish, so I'll hold off posting until I'm done with that (should take about two weeks or so).

Adriaan

> -----Original Message-----
> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
> Sent: Thursday 2 December 2010 11:51
> To: Adriaan de Jong
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Documentation and alternative SSL backend
> patches
>
> On 02/12/10 10:05, Adriaan de Jong wrote:
> > Hi List,
> >
> > We've been working on OpenVPN in preparation for a security evaluation.
> > This entailed documenting OpenVPN at a relatively high level, removing the
> > dependencies on OpenSSL, and adding support for a simpler, easier to
> > evaluate library (PolarSSL).
> >
> > This was done in a series of patches:
> > - Patch 1: Adds documentation to OpenVPN through Doxygen.
> > - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> > interface for both the crypto and SSL modules. Splits the SSL module into
> > channel setup and verification sub-modules.
> > - Patch 3: Adds a backend for PolarSSL.
> >
> > We'd love to release these patches to the community. Unfortunately, the
> > patches are now based on 2.1.4, and need to be rebased to a newer version.
> > Before we spend time on updating the patches to the current revision of
> > OpenVPN, we'd like to know whether there is an interest in these patches
> > from the community.
>
> Wow, I mean WOW!! This is quite some work you've done!
>
> The first patch is definitely interesting, how I see it. That is
> something I've been thinking we should do something about for a long
> time.
>
> The second patch also sounds very good and is really a step towards the
> needed modularisation which we want.
>
> With your third patch, I presume both OpenSSL and PolarSSL are
> available. If so, the second and third patches are indeed interesting.
>
> We are going towards the last rounds of preparing for OpenVPN 2.2. If
> all goes as we hope and plan for, we will have an RC candidate available
> before Christmas with a full release of OpenVPN 2.2 very early in 2011.
>
> The OpenVPN-2.3 beta cycle will hopefully start late February/early
> March, but as that release will implement complete IPv6 support and
> hopefully also a new OpenVPN GUI, I feel we shouldn't add too much more
> stuff to the 2.3 release.
>
> So, that means your patches could be slated for inclusion in the 2.4
> release. I hope that can work out for you as well. This would also
> give some time to stabilise the code base as well.
>
> To base your patches on 2.1.4 isn't so bad. But you'll probably find it
> better to base them on the beta2.2 git branch. That branch is now in a
> development freeze state, which means only bugfixes from the coming
> 2.2-beta5 release will be added. So that should be a pretty stable
> branch to work on for now.
>
> I do however plan to clean up the git tree dramatically, and plan to
> release the updated tree with the 2.2 release. So if you're not in a
> hurry, please "hold your horses" a little bit. But there's no harm in
> starting with the beta2.2 branch. Your patches should fit well on top
> of the new tree anyway.
>
> Anyhow, thank you for your work! Please send your patches to this
> mailing list, and we'll get them reviewed. If you have many smaller
> commits, please ship them separately - as that is easier to review than
> one gigantic patch.
>
>
> kind regards,
>
> David Sommerseth
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
On Thu, 02 Dec 2010 12:10:29 +0100 Matthias Andree wrote:
> > Most distros switch from OpenSSL to NSS. Is there any reason you switched
> > to PolarSSL instead of NSS?
> >
>
> What do you base the "most distro" assessment on?
>
> Are you aware of any website discussing the advantages of the "big" SSL
> providers (OpenSSL, Mozilla NSS, GnuTLS, PolarSSL, CyaSSL, ...)?

These pages seem to provide a good comparison:

http://www.gnu.org/software/gnutls/comparison.html
http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations

Unfortunately, PolarSSL is not included in those tables, I think because it's targeted more to embedded systems rather than normal systems.

FWIW, I too think modularization is good; once the SSL-dependent code is abstracted and separated in its own module, modules can be written for any SSL library.

--
D.
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
On 02.12.2010 10:46, Farkas Levente wrote:
> On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
>> Hi List,
>>
>> We've been working on OpenVPN in preparation for a security evaluation. This
>> entailed documenting OpenVPN at a relatively high level, removing the
>> dependencies on OpenSSL, and adding support for a simpler, easier to
>> evaluate library (PolarSSL).
>>
>> This was done in a series of patches:
>> - Patch 1: Adds documentation to OpenVPN through Doxygen.
>> - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
>> interface for both the crypto and SSL modules. Splits the SSL module into
>> channel setup and verification sub-modules.
>> - Patch 3: Adds a backend for PolarSSL.
>>
>> We'd love to release these patches to the community. Unfortunately, the
>> patches are now based on 2.1.4, and need to be rebased to a newer version.
>> Before we spend time on updating the patches to the current revision of
>> OpenVPN, we'd like to know whether there is an interest in these patches
>> from the community.
>
> Most distros switch from OpenSSL to NSS. Is there any reason you switched
> to PolarSSL instead of NSS?
>

What do you base the "most distro" assessment on?

Are you aware of any website discussing the advantages of the "big" SSL providers (OpenSSL, Mozilla NSS, GnuTLS, PolarSSL, CyaSSL, ...)?

--
Matthias Andree
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
On 02/12/10 10:05, Adriaan de Jong wrote:
> Hi List,
>
> We've been working on OpenVPN in preparation for a security evaluation. This
> entailed documenting OpenVPN at a relatively high level, removing the
> dependencies on OpenSSL, and adding support for a simpler, easier to evaluate
> library (PolarSSL).
>
> This was done in a series of patches:
> - Patch 1: Adds documentation to OpenVPN through Doxygen.
> - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> interface for both the crypto and SSL modules. Splits the SSL module into
> channel setup and verification sub-modules.
> - Patch 3: Adds a backend for PolarSSL.
>
> We'd love to release these patches to the community. Unfortunately, the
> patches are now based on 2.1.4, and need to be rebased to a newer version.
> Before we spend time on updating the patches to the current revision of
> OpenVPN, we'd like to know whether there is an interest in these patches from
> the community.

Wow, I mean WOW!! This is quite some work you've done!

The first patch is definitely interesting, how I see it. That is something I've been thinking we should do something about for a long time.

The second patch also sounds very good and is really a step towards the needed modularisation which we want.

With your third patch, I presume both OpenSSL and PolarSSL are available. If so, the second and third patches are indeed interesting.

We are going towards the last rounds of preparing for OpenVPN 2.2. If all goes as we hope and plan for, we will have an RC candidate available before Christmas with a full release of OpenVPN 2.2 very early in 2011.

The OpenVPN-2.3 beta cycle will hopefully start late February/early March, but as that release will implement complete IPv6 support and hopefully also a new OpenVPN GUI, I feel we shouldn't add too much more stuff to the 2.3 release.

So, that means your patches could be slated for inclusion in the 2.4 release. I hope that can work out for you as well. This would also give some time to stabilise the code base as well.

To base your patches on 2.1.4 isn't so bad. But you'll probably find it better to base them on the beta2.2 git branch. That branch is now in a development freeze state, which means only bugfixes from the coming 2.2-beta5 release will be added. So that should be a pretty stable branch to work on for now.

I do however plan to clean up the git tree dramatically, and plan to release the updated tree with the 2.2 release. So if you're not in a hurry, please "hold your horses" a little bit. But there's no harm in starting with the beta2.2 branch. Your patches should fit well on top of the new tree anyway.

Anyhow, thank you for your work! Please send your patches to this mailing list, and we'll get them reviewed. If you have many smaller commits, please ship them separately - as that is easier to review than one gigantic patch.

kind regards,

David Sommerseth
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
We're hoping that it is a big step towards modularization for both the data channel crypto and control channel negotiation. As the control channel verification code has been separated, it should also be a first step towards modularization of that code.

Adriaan

From: chantra [mailto:chan...@debuntu.org]
Sent: Thursday 2 December 2010 11:20
To: Adriaan de Jong
Cc: Farkas Levente; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Documentation and alternative SSL backend patches

> PolarSSL was a personal choice for us, mostly due to its simplicity and
> multi-platform support. The patch is written in such a way that generic
> operations from most libraries should work, as long as a new backend is
> written for them.
>
> Adriaan

Hi,

This seems to be a step forward to https://community.openvpn.net/openvpn/wiki/RoadMap#OpenVPN3.0:Designandimplementation and in my opinion is an interesting addition to openvpn code.

Chantra

> > -----Original Message-----
> > From: Farkas Levente [mailto:lfar...@lfarkas.org]
> > Sent: Thursday 2 December 2010 10:47
> > To: Adriaan de Jong
> > Cc: openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] Documentation and alternative SSL backend
> > patches
> >
> > On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
> > > Hi List,
> > >
> > > We've been working on OpenVPN in preparation for a security evaluation.
> > > This entailed documenting OpenVPN at a relatively high level, removing the
> > > dependencies on OpenSSL, and adding support for a simpler, easier to
> > > evaluate library (PolarSSL).
> > >
> > > This was done in a series of patches:
> > > - Patch 1: Adds documentation to OpenVPN through Doxygen.
> > > - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> > > interface for both the crypto and SSL modules. Splits the SSL module into
> > > channel setup and verification sub-modules.
> > > - Patch 3: Adds a backend for PolarSSL.
> > >
> > > We'd love to release these patches to the community. Unfortunately, the
> > > patches are now based on 2.1.4, and need to be rebased to a newer version.
> > > Before we spend time on updating the patches to the current revision of
> > > OpenVPN, we'd like to know whether there is an interest in these patches
> > > from the community.
> >
> > Most distros switch from OpenSSL to NSS. Is there any reason you switched
> > to PolarSSL instead of NSS?
> >
> > --
> > Levente "Si vis pacem para bellum!"
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
> PolarSSL was a personal choice for us, mostly due to its simplicity and
> multi-platform support. The patch is written in such a way that generic
> operations from most libraries should work, as long as a new backend is
> written for them.
>
> Adriaan

Hi,

This seems to be a step forward to https://community.openvpn.net/openvpn/wiki/RoadMap#OpenVPN3.0:Designandimplementation and in my opinion is an interesting addition to openvpn code.

Chantra

> > -----Original Message-----
> > From: Farkas Levente [mailto:lfar...@lfarkas.org]
> > Sent: Thursday 2 December 2010 10:47
> > To: Adriaan de Jong
> > Cc: openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] Documentation and alternative SSL backend
> > patches
> >
> > On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
> > > Hi List,
> > >
> > > We've been working on OpenVPN in preparation for a security evaluation.
> > > This entailed documenting OpenVPN at a relatively high level, removing the
> > > dependencies on OpenSSL, and adding support for a simpler, easier to
> > > evaluate library (PolarSSL).
> > >
> > > This was done in a series of patches:
> > > - Patch 1: Adds documentation to OpenVPN through Doxygen.
> > > - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> > > interface for both the crypto and SSL modules. Splits the SSL module into
> > > channel setup and verification sub-modules.
> > > - Patch 3: Adds a backend for PolarSSL.
> > >
> > > We'd love to release these patches to the community. Unfortunately, the
> > > patches are now based on 2.1.4, and need to be rebased to a newer version.
> > > Before we spend time on updating the patches to the current revision of
> > > OpenVPN, we'd like to know whether there is an interest in these patches
> > > from the community.
> >
> > Most distros switch from OpenSSL to NSS. Is there any reason you switched
> > to PolarSSL instead of NSS?
> >
> > --
> > Levente "Si vis pacem para bellum!"

--
http://www.debuntu.org
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
PolarSSL was a personal choice for us, mostly due to its simplicity and multi-platform support. The patch is written in such a way that generic operations from most libraries should work, as long as a new backend is written for them.

Adriaan

> -----Original Message-----
> From: Farkas Levente [mailto:lfar...@lfarkas.org]
> Sent: Thursday 2 December 2010 10:47
> To: Adriaan de Jong
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Documentation and alternative SSL backend
> patches
>
> On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
> > Hi List,
> >
> > We've been working on OpenVPN in preparation for a security evaluation.
> > This entailed documenting OpenVPN at a relatively high level, removing the
> > dependencies on OpenSSL, and adding support for a simpler, easier to
> > evaluate library (PolarSSL).
> >
> > This was done in a series of patches:
> > - Patch 1: Adds documentation to OpenVPN through Doxygen.
> > - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> > interface for both the crypto and SSL modules. Splits the SSL module into
> > channel setup and verification sub-modules.
> > - Patch 3: Adds a backend for PolarSSL.
> >
> > We'd love to release these patches to the community. Unfortunately, the
> > patches are now based on 2.1.4, and need to be rebased to a newer version.
> > Before we spend time on updating the patches to the current revision of
> > OpenVPN, we'd like to know whether there is an interest in these patches
> > from the community.
>
> Most distros switch from OpenSSL to NSS. Is there any reason you switched
> to PolarSSL instead of NSS?
>
> --
> Levente "Si vis pacem para bellum!"
Re: [Openvpn-devel] Documentation and alternative SSL backend patches
On 12/02/2010 10:05 AM, Adriaan de Jong wrote:
> Hi List,
>
> We've been working on OpenVPN in preparation for a security evaluation. This
> entailed documenting OpenVPN at a relatively high level, removing the
> dependencies on OpenSSL, and adding support for a simpler, easier to evaluate
> library (PolarSSL).
>
> This was done in a series of patches:
> - Patch 1: Adds documentation to OpenVPN through Doxygen.
> - Patch 2: Splits out OpenSSL-specific code, defining a clean "backend"
> interface for both the crypto and SSL modules. Splits the SSL module into
> channel setup and verification sub-modules.
> - Patch 3: Adds a backend for PolarSSL.
>
> We'd love to release these patches to the community. Unfortunately, the
> patches are now based on 2.1.4, and need to be rebased to a newer version.
> Before we spend time on updating the patches to the current revision of
> OpenVPN, we'd like to know whether there is an interest in these patches from
> the community.

Most distros switch from OpenSSL to NSS. Is there any reason you switched to PolarSSL instead of NSS?

--
Levente "Si vis pacem para bellum!"
[Openvpn-devel] Documentation and alternative SSL backend patches
Hi List,

We've been working on OpenVPN in preparation for a security evaluation. This entailed documenting OpenVPN at a relatively high level, removing the dependencies on OpenSSL, and adding support for a simpler, easier to evaluate library (PolarSSL).

This was done in a series of patches:
- Patch 1: Adds documentation to OpenVPN through Doxygen.
- Patch 2: Splits out OpenSSL-specific code, defining a clean "backend" interface for both the crypto and SSL modules. Splits the SSL module into channel setup and verification sub-modules.
- Patch 3: Adds a backend for PolarSSL.

We'd love to release these patches to the community. Unfortunately, the patches are now based on 2.1.4, and need to be rebased to a newer version. Before we spend time on updating the patches to the current revision of OpenVPN, we'd like to know whether there is an interest in these patches from the community.

Kind regards,

Adriaan de Jong

---
Fox-IT...for a more secure society