[Openvpn-devel] Using OpenVPN with non-default cryptoalgorithms

2007-12-10 Thread Victor Wagner
th ephemeral DH key exchange are enabled. But there are lot of other ciphersuites which do not require DH parameters at all (or require some other parameters such as EECDH ciphersuites). Can somebody enlighten me - why these decisions were made? Regards, Victor Wagner.

[Openvpn-devel] Solaris questions

2009-04-24 Thread Victor Wagner
Hi, all. I've tried to build Solaris OpenVPN packages for various versions of Solaris and encountered some problems, probably related more to the TUN driver than to openvpn itself. I'm using openvpn 2.1rc15 and tun driver 1.1 as recommended on the openvpn.net site. 1. Openvpn is unable to close tun i

Re: [Openvpn-devel] Solaris questions

2009-04-24 Thread Victor Wagner
On 2009.04.24 at 07:47:54 -0700, Jonathan Petersson wrote: > Hi Victor, > > I haven't tried this myself and this guide is mainly for OpenSolaris, but: > http://blogs.reucon.com/srt/2008/12/17/installing_openvpn_on_opensolaris_2008_11.html There is nothing particularly interesting here, except th

Re: [Openvpn-devel] Solaris questions

2009-04-26 Thread Victor Wagner
On 2009.04.25 at 16:31:14 +0900, Kazuyoshi Aizawa wrote: > Hi Victor, > > Could you please post the script once you have built drivers for your package? > So that I can update my script as well. > I've wanted to make the script capable of building drivers on various > platforms. But I don't have e

Re: [Openvpn-devel] Solaris questions

2009-04-26 Thread Victor Wagner
On 2009.04.26 at 18:39:46 +0400, Victor Wagner wrote: > Of course. See attached patch (configure.patch). Unfortunately, I've sent an untested patch. I've checked the configure invocation, but was too hasty to check whether the produced Makefile would work. Now there is a tested patch. Only thi

Re: [Openvpn-devel] Unable to use -OFB or -CFB ciphers in OpenVPN

2009-05-28 Thread Victor Wagner
On 2009.05.27 at 10:48:30 -0700, Frank Yellin wrote: >I posted the following onto the OpenVPN forum, but it was suggested >that I would be better off mailing directly to this list. >= >I seem to have found a bug in 2.1_rc16 that is also apparent in earlier >

Re: [Openvpn-devel] Unable to use -OFB or -CFB ciphers in OpenVPN

2009-05-28 Thread Victor Wagner
On 2009.05.27 at 23:17:39 -0700, Frank Yellin wrote: >[Just to you, not the list.] >I figured that someone had to have noticed this problem before. But >when I googled "OpenVPN BF-OFB" or "OpenVPN BF-CFB", I couldn't find >anything. Of course you haven't found anything about Blo

Re: [Openvpn-devel] Unable to use -OFB or -CFB ciphers in OpenVPN

2009-06-01 Thread Victor Wagner
On 2009.05.30 at 04:38:41 -0600, James Yonan wrote: > > The OFB and CFB cipher modes in OpenVPN have not been well-tested and > should be considered experimental at this point. > They are not compiled by default mostly to prevent someone from > accidentally using them. Okay, you see there is

Re: [Openvpn-devel] Unable to use -OFB or -CFB ciphers in OpenVPN

2009-06-01 Thread 'Victor Wagner'
On 2009.06.01 at 07:45:13 -0500, dave wrote: > I would suspect that the exclusion is due to: > > A) in CFB/OFB/CNT, the encrypted stream is byte-bounded, as opposed to > block-bounded. There may be some assumptions in the code that assume > the cipher text is a multiple of block lengths. As su

[Openvpn-devel] Character classes in the tls-verify script

2009-10-23 Thread Victor Wagner
I've found out that the string_mod family of functions does a very bad job with certificates with Cyrillic characters in the subject. As of OpenVPN 2.1_rc19 the class CC_PRINT is determined by the function isprint from ctype.h, which does the wrong job if there was no setlocale call (and there is no setlocale call in

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-10-25 Thread Victor Wagner
On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > Victor Wagner wrote: > > I've found out that the string_mod family of functions does a very bad job > > with certificates with Cyrillic characters in the subject. > > > > As of OpenVPN 2.1_rc19 the class CC_PRINT is determi

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-10-26 Thread Victor Wagner
On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > > Can you submit a patch (as an email attachment) with this fix? Attached This patch also contains X509_NAME_oneline replacement, which handles MSB characters. I've not checked if this patch applies cleanly to unmodified source. I've just d

[Openvpn-devel] OpenVPN and modern cryptography

2009-10-29 Thread Victor Wagner
Now openvpn in tls-server mode requires specification of Diffie-Hellman parameters for the ephemeral key. This is probably a good thing for SSLv3, when only RSA and DSA ciphersuites are supported. DSA ciphersuites always require DH parameters, and RSA ciphersuites without DHE key exchange do not provide

Re: [Openvpn-devel] [Openvpn-users] OpenVPN and OpenSSL TLS issue ? (CVE-2009-3555)

2009-11-08 Thread Victor Wagner
On 2009.11.08 at 00:17:38 +0100, David Sommerseth wrote: > > Well said! Thank you for emphasising this. In my earlier posts, I > never intended to suggest that this was a work around, just to be clear > about that. But --tls-auth is now, how I see it, the only way currently > available "immedi

Re: [Openvpn-devel] [Openvpn-users] OpenVPN and OpenSSL TLS issue ? (CVE-2009-3555)

2009-11-08 Thread Victor Wagner
On 2009.11.08 at 12:59:47 +0100, David Sommerseth wrote: > > This flaw makes it, how I have understood it, possible to "duplicate" an > on-going SSL connection (or transaction, which it often is referred to), > making the SSL based server believe those two connections are the same > client. > Th

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-11 Thread Victor Wagner
On 2009.11.11 at 09:40:59 +0100, David Sommerseth wrote: > On 10/11/09 17:16, Till Maas wrote: > > I would like to get a notification in case a client certificate is used > > for a connection to an OpenVPN server, that is about to expire soon. Is > > there currently a way to do this? I looked into

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-11 Thread Victor Wagner
On 2009.11.11 at 13:00:05 +0100, David Sommerseth wrote: > > Good point! I was not aware of the Apache/mod_ssl way of doing it. My > only concern about that is if it would be possible to exhaust the memory > pool for environment variables? Imagine a buffer overflow bug if an > attacker sends

Re: [Openvpn-devel] Script interface to trigger events depending on the validity of a certificate

2009-11-12 Thread Victor Wagner
On 2009.11.11 at 16:04:12 +0100, David Sommerseth wrote: > I completely agree, that under normal circumstances, it should be enough > by letting OpenSSL take care of the certificate chain. But as OpenVPN > now does list more certificates already, I was just trying to keep that > possibility still op

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-12 Thread Victor Wagner
On 2009.11.12 at 10:01:55 -0700, James Yonan wrote: > Victor Wagner wrote: > > On 2009.10.24 at 13:39:56 -0600, James Yonan wrote: > > > >> Can you submit a patch (as an email attachment) with this fix? > > Attached > > > > This patch also contains X5

Re: [Openvpn-devel] Character classes in the tls-verify script

2009-11-13 Thread Victor Wagner
On 2009.11.12 at 19:25:16 +0100, David Sommerseth wrote: > > no-name-remapping has side effects, i.e. disables system method of > > script execution. > > I'd have to disagree here. OpenVPN should not change the default > behaviour at all, as that can break a lot of already implemented > instal