From: Selva Nair
Currently this raises a warning only. A fatal error is triggered
later with a confusing message that script failed to execute.
This helps the Windows GUI to show a relevant error message when
script-security is over-ridden as a security measure.
Signed-off-by: Selva Nair
Hi
On Thu, Jan 31, 2019 at 11:40 AM Gert Doering wrote:
> Hi,
>
> I have changed the Subject: and started a new thread, so that this
> isn't lost in the discussion specific to commit ce1c1beef1eb.
>
> On Thu, Jan 31, 2019 at 11:28:52AM -0500, Selva Nair wrote:
> > So n
>
> commit ce1c1beef1eb9ea776e00861117f72c4a1a6f1f8
> Author: Selva Nair
> Date: Wed Jan 30 10:53:20 2019 -0500
>
> Handle PSS padding in cryptoapicert
>
> Signed-off-by: Selva Nair
> Acked-by: Arne Schwabe
> Message-Id: <1548863600-491-1-git-send-email
From: Selva Nair
For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.
To t
On Wed, Jan 30, 2019 at 8:09 AM Arne Schwabe wrote:
> Am 23.01.19 um 18:48 schrieb selva.n...@gmail.com:
> > From: Selva Nair
> >
> > For PSS padding, CNG requires the digest to be signed
> > and the digest algorithm in use, which are not accessible
> >
4/mingw.
>
> commit 0cab3475a83e9bad35b0eeb39b9ca886e6afaf1e
> Author: Selva Nair
> Date: Fri Dec 7 14:17:37 2018 -0500
>
> Move OpenSSL vs CNG signature digest type mapping to a function
>
> Signed-off-by: Selva Nair
> Acked-by: Arne Schwabe
>
From: Selva Nair
For PSS padding, CNG requires the digest to be signed
and the digest algorithm in use, which are not accessible
via the rsa_sign and rsa_priv_enc callbacks of OpenSSL.
This patch uses the EVP_KEY interface to hook to
evp_pkey_sign callback if OpenSSL version is > 1.1.0.
To t
Hi
On Wed, Jan 23, 2019 at 7:55 AM Arne Schwabe wrote:
>
>
> Overall the code looks good. The overriding of the global RSA method is
> a bit of a hack but I also do not have any better solution for this. It
> might break using OpenSSL engines but that is a corner case that I would
> not worry
From: Selva Nair
This allows the Windows GUI to use these options on the command
line without triggering user authorization errors.
Useful for
(i) ignoring certain pushed options such as "route-method" which
could otherwise bypass the interactive service
(ii) enforcing a safer scrip
Hi,
On Wed, Dec 19, 2018 at 5:00 PM Gert Doering wrote:
>
> Hi,
>
> On Wed, Dec 19, 2018 at 04:48:49PM -0500, Selva Nair wrote:
> > It seems I'm behind times and can't figure out where these patches apply. Are
> > these for openvpn, openvpn-build or something else?
>
Hi,
On Wed, Dec 19, 2018 at 3:27 PM Simon Rozman wrote:
>
> Making DriverCertification public (containing only upper-case letters)
> allows the property set by FindSystemInfo custom action to be passed
> from InstallUISequence sequence to InstallExecuteSequence. This
> eliminates the need to
From: Selva Nair
Also add a function to map OpenSSL padding identifier to
corresponding CNG constant.
This is to help add support for additional padding
types: only refactoring, no functional changes.
Signed-off-by: Selva Nair
---
src/openvpn/cryptoapi.c | 120
On Thu, Nov 15, 2018 at 2:22 AM Arne Schwabe wrote:
>
> >> Unless I overlooked something, I don't see any situation in which we ask
> >> for an unsupported signature.
> >
> > Consider this:
> > (i) config has --management-external-key nopadding but client announces
> version
> > 2. We will not
Somehow this didn't get copied to the list
-- Forwarded message -
From: Selva Nair
Date: Wed, Nov 14, 2018 at 11:06 AM
Subject: Re: [Openvpn-devel] [PATCH v5 2/2] Add support for OpenSSL TLS 1.3
when using management-external-key
To: Arne Schwabe
Hi,
On Wed, Nov 14, 2018
Hi,
My comments below have grown too long so first a summary for those
who TLDR;
My suggestion:
- Leave management-external-key as is (there is not much gained by
adding a parameter to it)
- Append a fairly flexible signature algorithm specifier to PK_SIGN
request to management
(nopadding or
>
Not so fast, likely it's my stupidity to push for this.
>
> On 05-10-18 17:30, Selva Nair wrote:
> > On Fri, Oct 5, 2018 at 5:44 AM Steffan Karger > <mailto:stef...@karger.me>> wrote:
> >
> > Hi,
> >
> > On 13-07-18 16:16, selva.n...@gma
From: Selva Nair
commit bf97c00f7dba441b504881f38e40afcbb610a39f moved
the generic openvpn_execve() to run_command.c and made it static.
But the Windows version is still in win32.c and is called from
run_command.c
Fix by declaring the function in win32.h
Signed-off-by: Selva Nair
Hi,
On Wed, Oct 24, 2018 at 9:00 AM David Sommerseth
wrote:
>
> On 24/10/18 14:39, Selva Nair wrote:
> > On Wed, Oct 24, 2018 at 6:23 AM Antonio Quartulli wrote:
> >>
> >> Hi,
> >>
> >
> >
> > Also there is a misplac
On Wed, Oct 24, 2018 at 6:23 AM Antonio Quartulli wrote:
>
> Hi,
>
> On 23/10/18 22:51, Lev Stipakov wrote:
> > From: Lev Stipakov
> >
> > Commit 43a5a4f3b4e411419639c195fee8a76495fdc88e added
> > vswprintf() call which turned out to be missing in OpenBSD 4.9.
> >
> > Since that call is inside
On Tue, Oct 23, 2018 at 6:37 PM Rostyslav Maryliak
wrote:
>
> Dear John and Selva,
>
> I've tried almost all advice I was able to find on the Internet but still no
> luck.
> Also, I've tried to test this hacky tap-adapter from jkunkee. I was able to
> build the tapinstall itself, but failed to add
On Mon, Oct 22, 2018 at 2:38 PM Gert Doering wrote:
>
> Your patch has been applied to the master branch.
>
> I'm not sure I totally like the change to buffer.c/tun.c - for the
> single instance where this is called inside openvpn/tun.c, on WIN32,
> we now carry around a new function in buffer.c
tr, size_t size, LPCTSTR
> format, va_list arglist
>
> BOOL openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...);
>
> +BOOL openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t
> *const format, ...);
> +
> DWORD GetOpenvpnSettings(settings_t
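Review bot: the added `openvpn_swprintf` prototype puts top-level `const` on its by-value parameters (`wchar_t *const str`, `const size_t size`, `const wchar_t *const format`), which has no effect in a declaration and is inconsistent with the `openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...)` prototype directly above it. I would drop the top-level qualifiers in the header and add a short comment on the declaration stating that `size` is counted in wide characters rather than bytes and what the `BOOL` return value means, since callers sizing the buffer with `sizeof` would otherwise pass a value that is too large.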
Hi,
On Sun, Oct 21, 2018 at 6:24 AM Lev Stipakov wrote:
>
> From: Lev Stipakov
>
> Every call to swprintf is followed by line which adds nul terminator. This
> patch
> introduces openvpn_swprintf() which guarantees nul termination for size > 0.
>
> Same approach as for snprintf /
Hi,
On Thu, Oct 4, 2018 at 7:39 AM Lev Stipakov wrote:
>
> From: Lev Stipakov
>
> Every call to swprintf is followed by line which adds nul terminator. This
> patch
> introduces openvpn_swprintf() which guarantees nul termination for size > 0.
>
> Same approach as for snprintf /
Hi,
On Wed, Oct 17, 2018 at 6:00 AM Arne Schwabe wrote:
>
> Am 17.10.18 um 05:15 schrieb Selva Nair:
> > Hi,
> >
> > Not a review, but some thoughts:
> >
> > On Sun, Oct 7, 2018 at 5:59 PM Arne Schwabe wrote:
> >>
> >> For TLS 1
Hi,
On Wed, Oct 17, 2018 at 8:07 AM Gert Doering wrote:
> Hi,
>
> On Tue, Oct 16, 2018 at 05:48:29PM -0400, Selva Nair wrote:
> > Going through patchworks noticed this.
> >
> > Thankfully this never got committed so here goes a retraction.
> >
> > On
Hi,
Not a review, but some thoughts:
On Sun, Oct 7, 2018 at 5:59 PM Arne Schwabe wrote:
>
> For TLS 1.0 to 1.2 OpenSSL calls us and requires a PKCS1 padded
> response, for TLS 1.3 it requires an unpadded response. Since we
> can PKCS1 pad an unpadded response, we prefer to always query for
>
Hi,
Going through patchworks noticed this.
Thankfully this never got committed so here goes a retraction.
On Sun, Jan 21, 2018 at 1:45 PM Selva Nair wrote:
> Hi,
>
> I'm on a reviewing spree (doing my penance), so here goes..
>
> Thanks for the patch
>
> On Tue, Jan 9,
Replying to self :)
On Fri, Oct 12, 2018 at 12:24 PM Selva Nair wrote:
> Hi,
>
> My testing shows that OpenSSL 1.1.1 likes to use PSS even for TLS 1.2, so,
> even in the short-term, this can't be worked around by just disabling TLS
> 1.3.
>
> Now, for cryptoapicert, it
Hi,
My testing shows that OpenSSL 1.1.1 likes to use PSS even for TLS 1.2, so,
even in the short-term, this can't be worked around by just disabling TLS
1.3.
Now, for cryptoapicert, it would have been easy to support PSS using
Windows CNG API provided OpenSSL passes the hash and ask to sign with
Hi,
On Sun, Oct 7, 2018 at 3:38 AM Gert Doering wrote:
> Hi,
>
> On Sun, Mar 04, 2018 at 12:44:02PM -0500, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > Openssl docs do not explicitly state these to be macros although they
> > are currently de
Hi,
Sorry I missed this patch cleaning up my mistake..
Gert has already reviewed and asked for this v2 so this may be redundant,
but fwiw:
On Mon, Oct 8, 2018 at 2:15 PM Lev Stipakov wrote:
> From: Lev Stipakov
>
> In function netsh_dns_cmd() it is possible to jump on a label and
> call
HI,
>
> I have almost finished integrating tapctl.exe and openvpnmsica.dll
> utilities
> for MSI packaging into the OpenVPN/openvpn repo. However, I am totally new
> with MinGW and would need some help.
>
> How do you tell the OpenVPN's build process to create a DLL file, not an
> EXE?
>
As with
Hi
On Tue, Oct 9, 2018 at 5:14 PM Selva Nair wrote:
>
>
> In fact the issue here is not the unary minus, but the unsigned to signed
> conversion. So when there is no scope for overflow all is good. If there is
> overflow, unsigned->signed conversion is ill-defined -
Hi,
More noise: a typo alert below:
On Tue, Oct 9, 2018 at 5:14 PM Selva Nair wrote:
> Hi
>
> On Tue, Oct 9, 2018 at 4:39 PM Steffan Karger wrote:
>
>> Hi,
>>
>> On 08-10-18 18:09, Lev Stipakov wrote:
>> > From: Lev Stipakov
>> >
>> >
Hi
On Tue, Oct 9, 2018 at 4:39 PM Steffan Karger wrote:
> Hi,
>
> On 08-10-18 18:09, Lev Stipakov wrote:
> > From: Lev Stipakov
> >
> > In Visual Studio when unary minus is applied to unsigned,
> > result is still unsigned. This means that when we use result
> > as function formal parameter,
Hi,
On Mon, Oct 8, 2018 at 5:50 PM Arne Schwabe wrote:
> For TLS 1.0 to 1.2 OpenSSL calls us and requires a PKCS1 padded
> response, for TLS 1.3 it requires an unpadded response. Since we
> can PKCS1 pad an unpadded response, we prefer to always query for
> an unpadded response from the
On Mon, Oct 8, 2018 at 6:42 AM Lev Stipakov wrote:
> Hi,
>
> Makes sense. Tested on VS2017.
>
> Acked-by: Lev Stipakov
>
> Since in MinGW/VS we only build openvpnserv with unicode I wonder if we
> should get rid of #if(n)def UNICODE ?
>
In fact the non-unicode build is its unlikely to work
Hi
On Fri, Oct 5, 2018 at 8:41 PM Jon Kunkee wrote:
> > I don't know what causes this (the TAP driver?) but hopefully others may
> chime in with some clue.
>
> I wonder if this will be addressed by adding the missing buffer-remaining
> query OIDs. Unfortunately I don’t know enough to say for
From: Selva Nair
In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets
the hash with the DigestInfo prepended. Signing this using
NCryptSignHash() with hash algorithm id set to NULL works in most cases.
But when using some hardware tokens, the data gets interpreted as the pre
TLS 1.2
Hi
On Fri, Oct 5, 2018 at 6:51 AM Gert Doering wrote:
> Your patch has been applied to the master branch. Steffan says "it is
> a bugfix so it should go to 2.4", but the underlying infrastructure
> does not seem to be there yet (git cherry-pick tries to bring in lots
> of extra stuff). So we
Hi,
On Fri, Oct 5, 2018 at 5:44 AM Steffan Karger wrote:
> Hi,
>
> On 13-07-18 16:16, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > The error is treated as a warning only if it's triggered due
> > to script_security < SSEC_SCRIPTS.
> >
>
Hi,
On Fri, Oct 5, 2018 at 4:02 AM Rostyslav Maryliak <
rostyslav.maryl...@idealscorp.com> wrote:
> Dear Selva,
>
> I've got a similar results. Except the outbound network speed for win2016
> server.
> The bandwidth in clear is about 700 Mbits/sec in both directions and
> different measures
Hi,
> As a side note (rambling about comments today), this hunk makes the
> comment above it slightly misleading:
>
> /* The hash OID is already in 'from'. So set the hash algorithm
> * in the padding info struct to NULL.
> */
> -BCRYPT_PKCS1_PADDING_INFO padinfo = {NULL};
Hi
On Thu, Oct 4, 2018 at 10:42 AM Rostyslav Maryliak <
rostyslav.maryl...@idealscorp.com> wrote:
> Dear Ilya,
>
> As far as I understood you are talking about Windows Server Feature. If
> yes than it is NOT installed.
>
> "are you using intel drivers instead of windows drivers ?"
> I've
Hi,
On Wed, Oct 3, 2018 at 1:24 PM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Functions openvpn_vsntprintf and openvpn_sntprintf return
> values of type int, but in reality it is always 0 or 1 (and -1 for
> snprintf), which can be represented as boolean.
>
> To make code clearer, change
Hi,
On Wed, Oct 3, 2018 at 12:56 PM Lev Stipakov wrote:
> Hi,
>
> Wishlist: openvpn_swprintf() with nul termination guarantee. I try to avoid
>> the TCHAR variety be explicit about wide and narrow characters.
>>
>
> Makes sense, at the moment we have 8 swprintf calls all followed by
> something
On Wed, Oct 3, 2018 at 12:05 PM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> On 03/10/18 17:08, Selva Nair wrote:
> >
> >
> > To make code more clear, change return type to bool. Also
> > use stdbool.h header instead of bool definition m
Hi,
On Wed, Oct 3, 2018 at 10:20 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Functions openvpn_vsntprintf and openvpn_sntprintf return
> values of type int, but in reality it is always 0 or 1, which is
> essentially bool.
>
openvpn_sntprintf could return -1 if size = 0, but this looks
From: Selva Nair
Move writing the message buffer to the interactive service pipe and
reading acknowledgement to a function.
A minor bug in open_tun where the ack data could be read even after
a communication error is fixed.
Signed-off-by: Selva Nair
---
src/openvpn/route.c | 6 +-
src
From: Selva Nair
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac #
Tested on Windows 7
Signed-off
From: Selva Nair
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac #
Tested on Windows 7
Signed-off
Hi,
Thanks for the v2.
On Wed, Aug 8, 2018 at 7:35 AM, Jonathan K. Bullard via Openvpn-devel
wrote:
> Clarify and expand the documentation for the management interface:
>
> * Add examples of static and dynamic challenge/response sequences in
> the "COMMAND -- password and username" section.
>
>
Hi
On Tue, Aug 7, 2018 at 5:01 PM, Gert Doering wrote:
>
>> > in the LinOTP URL - so, it didn't decode it, because the second ':'
>> > was missing (if I put a blank in there, I get pass=mypin%20).
>> >
>> > Is this intentional? Should it be that way?
>>
>> If you are constructing the SCRV1:
From: Selva Nair
In the auth-pam plugin correctly parse the static challenge string
even when password or challenge response is empty.
Whether an empty user input is an error is determined by the PAM
conversation function depending on whether the PAM module queries
for it or not.
Signed-off
From: Selva Nair
This was missed in commit 6690769f78bbfb889fef2a54088d979896c87d51
that exported base64_encode and base64_decode() functions.
Also check the version is >= 5 in auth-pam plugin to ensure
that the base64_decode function pointer can be referenced.
Signed-off-by: Selva N
Hi,
Correcting myself...
>> Found an interesting caveat which should be addressed, I think.
>>
>> Our system (LinOTP) knows "PIN+OTP" or "PIN" as valid input, the
>> latter leading to "send me a token by SMS/e-mail/...".
>>
>> If I press return at the challenge prompt, it seems the SCRV1: string
Hi,
On Tue, Aug 7, 2018 at 3:07 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Aug 07, 2018 at 08:59:37PM +0200, Gert Doering wrote:
>> > v2: Depends on the base64 export patch
>> > v3: match password string with "SCRV1:" instead of "SCRV1"
>> > (pointed out by Joe Bell )
>>
>> Nicely works and does
Hi,
On Tue, Aug 7, 2018 at 2:59 PM, Gert Doering wrote:
...some good comments snipped...
>
> There's another catch which we might want to at least document: if you
> build this plugin and run it from a slightly older openvpn binary which
> doesn't export the base64 functions, it will core dump
Hi,
Thanks for updating and adding more clarity to these docs.
On Tue, Jul 31, 2018 at 9:04 AM, Jonathan K. Bullard via Openvpn-devel
wrote:
>
> Clarify and expand the documentation for the management interface:
>
> * Add examples of static and dynamic challenge/response sequences in
> the
Hi,
Now that the minor "fix" for plugin header seems settled, back to the
base64 export patch from David.
On Fri, May 5, 2017 at 5:46 PM, David Sommerseth wrote:
> This patch builds on the "Export secure_memzero() to plug-ins" patch and
> adds export of openvpn_base64_encode() and
HI
On Tue, Jul 31, 2018 at 3:07 AM, David Sommerseth
wrote:
> On 30/07/18 16:58, Selva Nair wrote:
>> Hi,
>>
>> On Mon, Jul 30, 2018 at 10:31 AM, Antonio Quartulli wrote:
>>> Hi,
>>>
>>> On 30/07/18 04:16, Selva Nair wrote:
>
Hi,
On Mon, Jul 30, 2018 at 10:31 AM, Antonio Quartulli wrote:
> Hi,
>
> On 30/07/18 04:16, Selva Nair wrote:
>> Yes that's the base64 patch. What is stopping it is not the
>> disagreement on that patch but an "error" [*] in the plugin header
>> that
Hi,
On Sun, Jul 29, 2018 at 3:34 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 24, 2018 at 10:34:53PM -0400, selva.n...@gmail.com wrote:
>> From: Selva Nair
>>
>> If static challenge is in use, the password passed to the plugin by openvpn
>> is of the form "
Hi
>
> Thanks for the hint Selva. Indeed it looks like something DNS related.
> The primary wired network interface has 1 IPv4-listening DNS server
> (192.168.1.1, which uses 2 upstream IPv4-listening DNS server from the
> ISP). The tun device has 2 IPv4 listening DNS servers (google) and 2
>
Hi
On Sat, Jul 28, 2018 at 9:46 PM, s7r wrote:
> Gert Doering wrote:
>> HI,
>>
>> On Fri, Jul 27, 2018 at 05:57:14PM +0300, s7r wrote:
>>> I have run into a problem which raised my attention. I am not sure if I
>>> can call this a bug, but I think it's best to discuss here and decide if
>>> it
Hi,
On Wed, Jul 25, 2018 at 1:45 PM, Gert Doering wrote:
> Hi,
>
> On Wed, Jul 25, 2018 at 01:34:44PM -0400, Selva Nair wrote:
>> Do we have an experimental branch where we could add this so that we do
>> not lose track of it?
>
> If you tell me you want that and how
Hi,
On Wed, Jul 25, 2018 at 1:01 PM, Kevin Kane via Openvpn-devel
wrote:
> Ok, I’ve gotten clearance to contribute the dialer feature from Microsoft’s
> OpenVPN fork back upstream. As previously discussed, this feature isn’t
> production-ready because the integration I did was quick and dirty –
Hi,
On Wed, Jul 25, 2018 at 1:01 PM, Kevin Kane via Openvpn-devel
wrote:
> From ed96e2d91a0eb9ecdaab8d7104f397f7d77e5ced Mon Sep 17 00:00:00 2001
>
> From: Kevin Kane
>
> Date: Fri, 13 Jul 2018 09:50:00 -0700
>
> Subject: Update system tray to populate Windows VPN flyout
>
>
>
> Add a DLL to be
From: Selva Nair
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On
Hi,
On Mon, Jul 23, 2018 at 10:58 PM, Jonathan K. Bullard
wrote:
> I was testing Tunnelblick with Selva's C/R server and config (thanks
> again for that) and there was a problem. Maybe I'm (still)
> misunderstanding something, but a SIGUSR1 restart asks for the normal
> username/password instead
Hi,
On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard
wrote:
> Some, perhaps including Selva's $payingCustomer, may not want to use
> Tunnelblick betas or use OpenVPN 2.5 until it is released.
I missed this last time... It's Gert who has $$payingCustomer(s) :)
Selva
Hi,
On Sat, Jul 21, 2018 at 1:21 PM, Jonathan K. Bullard
wrote:
> Hi,
>
> On Thu, Jul 19, 2018 at 2:38 PM, Selva Nair wrote:
>> Jon: I have a server for testing static and dynamic challenge. If
>> interested I can send you a config. Or use access server with a free
Hi,
On Thu, Jul 19, 2018 at 1:52 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Jul 19, 2018 at 11:43:17AM -0400, Jonathan K. Bullard wrote:
>> Thank you, Selva! (Now all I need to do is get it working!)
>
> Looking very much forward to see this happen :-)
>
> ($payingCustomer )
Send some €€/$$ from
Hi,
On Thu, Jul 19, 2018 at 10:48 AM, Jonathan K. Bullard
wrote:
> Thank you very much, Selva.
>
> On Wed, Jul 18, 2018 at 10:48 PM, Selva Nair wrote:
>
>> There are two messages involved:
>>
>> 1. First comes the fake auth failure message which contains the
>
Hi,
On Wed, Jul 18, 2018 at 7:46 PM, Jonathan K. Bullard
wrote:
> I'm trying to implement dynamic challenge/response in Tunnelblick and
> have some questions. I've been using the management-interface
> documentation [1] as my guide.
>
> 1. Is what the management interface sends something like
From: Selva Nair
The error is treated as a warning only if it's triggered due
to script_security < SSEC_SCRIPTS.
This helps user interfaces enforce a safer script-security setting
without causing a FATAL error.
Signed-off-by: Selva Nair
---
v3 changes:
- script_security --> script_se
Hi,
Copying the devel list as a reminder that "we" have been asking for this
change for a long time :)
On Fri, Jul 6, 2018 at 2:48 PM, Gert Doering
wrote:
> Hi,
>
> On Fri, Jul 06, 2018 at 08:25:02AM -0700, Selva Nair wrote:
> > Can we do something about this in open
Hi,
Thanks for the follow up.
On Fri, Jul 6, 2018 at 12:03 PM, Kevin Kane via Openvpn-devel
wrote:
> [Combining threads.]
>
>
>
> The work on the OpenSSL fork, and figuring out just what the right interface
> is to bring PQ crypto to current crypto libraries, is going to be on-going.
> PQ
From: Selva Nair
Treat the error as not FATAL only if it's triggered due
to script_security < SSEC_SCRIPTS.
This helps user interfaces enforce a safer script-security setting
without causing a FATAL error.
Signed-off-by: Selva Nair
---
v2 changes:
- Have script errors continue to trig
Hi,
On Tue, Jul 3, 2018 at 3:09 AM, Gert Doering wrote:
> Hi,
>
> On Mon, Jul 02, 2018 at 11:13:01PM -0400, Jonathan K. Bullard wrote:
> > My initial reaction is that I'd rather a problem in the up/down
> > scripts generates a fatal error, so if there's a problem in the
> > Tunnelblick scripts
Hi Jon,
On Mon, Jul 2, 2018 at 11:13 PM, Jonathan K. Bullard
wrote:
> Hi.
>
> On Mon, Jul 2, 2018 at 9:24 PM, wrote:
>>
>> From: Selva Nair
>>
>> Instead log only a warning.
>>
>> This helps user interfaces enforce a safer script-security setting
>
From: Selva Nair
Instead log only a warning.
This helps user interfaces enforce a safer script-security setting
without causing a FATAL error.
Signed-off-by: Selva Nair
---
Note: All other scripts are called with flag = 0 and will only
trigger a warning message if openvpn_execve fails.
src
Hi Russel,
Long time !
On Wed, Jun 27, 2018 at 8:54 PM, Morris, Russell
wrote:
> Hi,
>
>
> This may be by design – if so just say that and I’ll go away … . But
> that said – it seems I have to run the OpenVPN GUI (manually) as an
> administrator, for routes to be set / added as directed by
Hi,
This is good enough, but (there is always a but :)
On Sat, Jun 23, 2018 at 2:15 PM, Gert Doering wrote:
> Some basic integer tests to verify signed, unsigned and
> long unsigned (2^33) printing.
>
That 2^33 still lurking in the commit message could go..
>
> Signed-off-by: Gert Doering
Hi,
On Sat, Jun 23, 2018 at 1:31 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Jun 23, 2018 at 02:15:03PM +0200, Gert Doering wrote:
> > Some basic integer tests to verify signed, unsigned and
> > long unsigned (2^33) printing.
>
> Ditch that patch... this only works on 64bit systems.
>
Most 64
Hi,
On Fri, Jun 22, 2018 at 10:07 PM, Antonio Quartulli wrote:
> Hi,
>
> On 23/06/18 02:27, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Jun 22, 2018 at 02:12:24PM -0400, Selva Nair wrote:
>>> My tap adapter has a link local address (169.254.98.86) on it possibl
On Fri, Jun 22, 2018 at 2:27 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Jun 22, 2018 at 02:12:24PM -0400, Selva Nair wrote:
>> My tap adapter has a link local address (169.254.98.86) on it possibly due
>> to a previous dhcp failure. May be I need to get rid of that (how?) to
Hi,
On Fri, Jun 22, 2018 at 5:49 AM, Antonio Quartulli wrote:
> Hi,
>
> On 22/06/18 17:46, Gert Doering wrote:
> > Hi,
> >
> > On Fri, Jun 22, 2018 at 03:27:02PM +0800, Antonio Quartulli wrote:
> >> Fri Jun 22 13:43:51 2018 us=116232 PUSH: Received control message:
>
Hi,
On Fri, Jun 22, 2018 at 10:48 AM, Antonio Quartulli wrote:
> Hi,
>
> On 22/06/18 22:45, Selva Nair wrote:
> [cut]
> >> --- a/src/openvpn/route.c
> >> +++ b/src/openvpn/route.c
> >> @@ -1616,7 +1616,7 @@ add_route(struct route_ipv4 *r, const stru
Hi,
On Fri, Jun 22, 2018 at 6:21 AM, Antonio Quartulli wrote:
> %lu is not supported by our tiny argv_printf implementation and will
> trigger an ASSERT() when parsing it. Even though this particular
> ASSERT() is not critical as it happens during shutdown, we still have to
> fix it.
>
> Since
Hi,
> Thanks for clarifying that it is NOT an --up script in this case ..
>
The comment about --up script was quoted from "Gert's email referred
to there" and the advantage of running GUI up script was added later (
a few months ago).
> The document you are looking for can also be found here:
>
Hi,
On Mon, Jun 18, 2018 at 1:10 PM, tincanteksup
wrote:
> Hi Selva,
>
> just a note that:
>
>
> - ``--up`` scripts are run by openvpn.exe itself, which is running as user
> *joe*, all privileges are nicely in place.
>
> - Scripts run by the GUI will run as user *joe*, so that automated tasks
On Tue, Jun 12, 2018 at 12:39 PM, Selva Nair wrote:
> Hi,
>
>
>>> However, Trac supports RST natively:
>>>
>>> {{{#!rst
>>> RST-formatted contents go in here
>>> }}}
>>>
>>
>>> For details see
>>>
Hi,
On Mon, Jun 11, 2018 at 11:32 AM, Selva Nair wrote:
> Hi
>
> On Mon, Jun 11, 2018 at 2:49 AM, Samuli Seppänen
> wrote:
>
>> Hi,
>>
>> Trac has its own Wiki syntax which is somewhat similar to Mediawiki, but
>> not at all the same.
>>
>>
Hi
On Mon, Jun 11, 2018 at 2:49 AM, Samuli Seppänen wrote:
> Hi,
>
> Trac has its own Wiki syntax which is somewhat similar to Mediawiki, but
> not at all the same.
>
> However, Trac supports RST natively:
>
> {{{#!rst
> RST-formatted contents go in here
> }}}
>
> For details see
>
>
Hi,
I thought of updating the docs
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService
with Simon's vastly expanded version in doc/interactive-service-notes.rst
See commit 62b1cc161c53d900b6fe56f6924ef2ec1c1b8a00 (master)
Tried this using rst converted to mediawiki format
Hi,
On Thu, Apr 19, 2018 at 7:23 AM, Simon Rozman wrote:
> The OpenVPN Interactive Service documentation from
> https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
> upgraded with a description of the client-service communication flow,
> service registry configuration, and
Hi,
On Fri, Jun 8, 2018 at 10:01 AM Gert Doering wrote:
>
> Hi,
>
> On Tue, Jun 05, 2018 at 04:06:10PM -0400, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > M_DEBUG only indicates the type of the message and will print even
> > at verb 0. Use D_LOW
Hi,
> > [*] Topology subnet uses ip, network and netmask, while net30 passes in
> the
> > second IP of the /30 in network as "netmask". The two ioctls interpret
> > their parameters differently such that in the end only valid ARP packets
> > get a response from the driver !
>
> Is ARP still to