Re: [Openvpn-devel] [PATCH] Undo cipher push in client options state if cipher is rejected

2017-06-26 Thread Arne Schwabe
Am 26.06.17 um 23:15 schrieb Steffan Karger: > Because of the way we re-use the options parser for both config files and > pushed options, we always update the local options state when we accept an > option. This resulted in a pushed cipher being rejected the first time it > was pushed, but being

[Openvpn-devel] [PATCH] Undo cipher push in client options state if cipher is rejected

2017-06-26 Thread Steffan Karger
Because of the way we re-use the options parser for both config files and pushed options, we always update the local options state when we accept an option. This resulted in a pushed cipher being rejected the first time it was pushed, but being accepted the second time. This patch is a minimal wa

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread Steffan Karger
Hi, On 26-06-17 13:44, Christian Hesse wrote: > Arne Schwabe on Mon, 2017/06/26 13:13: >> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This >> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only >> if the cipher list is set before loading the certi

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread David Sommerseth
On 26/06/17 16:00, Arne Schwabe wrote: [...snip...] >> >> Currently there is an agreement of the following profiles: >> >> - legacy: SHA1 and newer, RSA 2048-bit+, any elliptic curve. >> - preferred: SHA2 and newer, RSA 2048-bit+, any elliptic curve. >>(default in v2.5) >> - s

Re: [Openvpn-devel] [PATCH v3] Add --tls-cert-profile option for mbedtls builds

2017-06-26 Thread Arne Schwabe
Am 14.04.17 um 17:40 schrieb Steffan Karger: > This allows the user to specify what certificate crypto algorithms to > support. The supported profiles are 'preferred' (default), 'legacy' and > 'suiteb', as discussed in <84590a17-1c48-9df2-c48e-4160750b2...@fox-it.com> > (https://www.mail-archive.c

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread Arne Schwabe
>>> >>> See this also a bugfix. Since tls-cipher options affect certificate >>> loading, it is good to set it before certificate loading. E.g. you might >>> want to use @SECLEVEL=5 to only allow loading of SHA256 based certificates. > Oh, btw ... We need to align this with another patch-set from S

Re: [Openvpn-devel] [OpenVPN/openvpn-gui] better handling of interactive service failure (#168)

2017-06-26 Thread Илья Шипицин
2017-05-31 22:54 GMT+05:00 Selva Nair : > Hi, > > Copying openvpn-devel: > As this is related to openvpn best to have this discussion in the devel > list, I suppose. > (see also: https://github.com/OpenVPN/openvpn-gui/issues/ > 168#issuecomment-305250704) > > On Wed, May 31, 2017 at 12:58 PM, Gert

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread David Sommerseth
On 26/06/17 15:21, David Sommerseth wrote: > On 26/06/17 14:12, Arne Schwabe wrote: >> Am 26.06.17 um 13:51 schrieb David Sommerseth: >>> On 26/06/17 13:13, Arne Schwabe wrote: OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can be enabled again by setting tl

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread David Sommerseth
On 26/06/17 14:12, Arne Schwabe wrote: > Am 26.06.17 um 13:51 schrieb David Sommerseth: >> On 26/06/17 13:13, Arne Schwabe wrote: >>> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This >>> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only >>> if t

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread Arne Schwabe
Am 26.06.17 um 13:51 schrieb David Sommerseth: > On 26/06/17 13:13, Arne Schwabe wrote: >> OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This >> can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only >> if the cipher list is set before loading the cert

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread Christian Hesse
Arne Schwabe on Mon, 2017/06/26 13:13: > OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This > can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only > if the cipher list is set before loading the certificates. This patch > changes the order of loading.

Re: [Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread David Sommerseth
On 26/06/17 13:13, Arne Schwabe wrote: > OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This > can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if > the cipher list is set before loading the certificates. This patch changes > the order of loading

[Openvpn-devel] [PATCH] Set tls-cipher restriction before loading certificates

2017-06-26 Thread Arne Schwabe
OpenSSL 1.1 does not allow MD5 signed certificates by default anymore. This can be enabled again by setting tls-cipher "DEFAULT:@SECLEVEL=0" but only if the cipher list is set before loading the certificates. This patch changes the order of loading. --- src/openvpn/ssl.c | 8 +--- 1 file c

[Openvpn-devel] New maintainer(s) wanted for Debian's OpenVPN packages

2017-06-26 Thread Samuli Seppänen
Hi all, Alberto Gonzales Iniesta ("agi") is, after 15 years of excellent work, letting others take over maintenance of Debian's OpenVPN packages[1]: If you're interested in maintaining (or co-maintaining) OpenVPN packages on Debian, ple