openvpn.git/doc, branch beta/2.3 Copy of the official OpenVPN git repo doc/management-notes.txt: fix typo 2012-11-29T20:47:56+00:00 Joachim Schipper joachim.schipper@fox-it.com 2012-11-26T14:31:45+00:00 376e1432b3ce0c5fc715cfc0f9a9ea7b733b4cc0 Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1CED409804E2164C8104F9E623B08B901323D0B184@FOXDFT02.FOX.local URL: http://article.gmane.org/gmane.network.openvpn.devel/7141 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 5dfdb7c010c5a32a0ec51d9266748c641cd24dba) 
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1CED409804E2164C8104F9E623B08B901323D0B184@FOXDFT02.FOX.local
URL: http://article.gmane.org/gmane.network.openvpn.devel/7141
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 5dfdb7c010c5a32a0ec51d9266748c641cd24dba)
Remove the support for using system() when executing external programs or scripts 2012-10-31T12:59:04+00:00 David Sommerseth davids@redhat.com 2012-10-25T12:22:30+00:00 3cb9f1a62b4a84dbf4acd1957c900a5b06fd6ac2 This patch removes the support for the system() call, and enforces the usage of execve() on the *nix platform and CreateProcessW() on Windows. This is to enhance the overall security when calling external scripts. Using system() is prone to shell expansions, which may lead to security breaches. Which is also why the execve() approach has been the default since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which re-introduced the system() in Nov. 2008. After having asked on the mailing list and checked around on the IRC channels, the genereal consensus is that very few uses system() these days. The only annoyance I've been made aware of is that this will now require adding a full path to the script interpreter together with the script, and not just put in the script name alone. But to just use the script name in Windows, you had to configure --script-security with the 'system' flag earlier too. So my conclusion is that it's better to add a full path to the script interpreter in Windows and raise the overal security with OpenVPN, than to continue to have a possible potentially risky OpenVPN configuration just to make life "easier" for Windows script users. Removal of the system() call, also solves a nasty bug related to the usage of putenv() on the *nix platforms. For more information please see: http://thread.gmane.org/gmane.network.openvpn.devel/7090 https://community.openvpn.net/openvpn/ticket/228 Trac-ticket: 228 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/7114 (cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2) 
This patch removes the support for the system() call, and enforces the
usage of execve() on the *nix platform and CreateProcessW() on Windows.
This is to enhance the overall security when calling external scripts.
Using system() is prone to shell expansions, which may lead to security
breaches.  Which is also why the execve() approach has been the default
since commit a82813527551f0e79c6d6ed5a9c1162e3c171bcf which
re-introduced the system() in Nov. 2008.

After having asked on the mailing list and checked around on the IRC
channels, the genereal consensus is that very few uses system() these
days.

The only annoyance I've been made aware of is that this will now
require adding a full path to the script interpreter together with the
script, and not just put in the script name alone.  But to just use the
script name in Windows, you had to configure --script-security with the
'system' flag earlier too.  So my conclusion is that it's better to add
a full path to the script interpreter in Windows and raise the overal
security with OpenVPN, than to continue to have a possible potentially
risky OpenVPN configuration just to make life "easier" for Windows
script users.

Removal of the system() call, also solves a nasty bug related to the
usage of putenv() on the *nix platforms.

For more information please see:
http://thread.gmane.org/gmane.network.openvpn.devel/7090
https://community.openvpn.net/openvpn/ticket/228

Trac-ticket: 228
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1351539352-17371-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7114
(cherry picked from commit 0563473601abfbf2142bfa0ca5b863c5aa7953a2)
Document man agent-external-key 2012-10-15T16:55:27+00:00 Arne Schwabe arne@rfc2549.org 2012-10-01T09:05:18+00:00 7ab52ad0011f7ff3502d30abc718a9257d5f3916 Adapt commit message from cf69617bbea45a15423c4188daa9386debcbe1ec for man page and management documentation. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1349082318-985-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/7081 Signed-off-by: David Sommerseth <davids@redhat.com> (cherry picked from commit 75b6f4bd84302d225a301f4ed87e2bb27908b972) 
Adapt commit message from cf69617bbea45a15423c4188daa9386debcbe1ec for man
page and management documentation.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1349082318-985-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7081
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 75b6f4bd84302d225a301f4ed87e2bb27908b972)
Add --compat-names option 2012-09-12T13:08:10+00:00 Heiko Hund heiko.hund@sophos.com 2012-09-11T15:34:24+00:00 e7412ca3eee2f2a2fb0af5acbe968137cfd7e995 With this option, users can basically undo the changes of the UTF-8 support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for short term compatibility and should be removed again as soon as possible. When OpenSSL is used, the subject strings will be in the proprietary format again. Generally username, X.509 CN, and X.509 subject will again be subject to '_' replacemant, unless the "no-remapping" flag is also specified. That flag ensures compatibility with setups using the --no-name-remapping option, that has been removed in 2.3. [v2: More comments related to compat_flags() added by DS plus using COMPAT_FLAG_QUERY expclit] [v3: Improved the man page entry for --compat-names, after suggestions from Bernhard R. Link] Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net URL: http://article.gmane.org/gmane.network.openvpn.devel/7053 
With this option, users can basically undo the changes of the UTF-8
support commit 5e86fd93779482b90a191f929edebe414cd78a4f. It's here for
short term compatibility and should be removed again as soon as possible.

When OpenSSL is used, the subject strings will be in the proprietary
format again. Generally username, X.509 CN, and X.509 subject will again
be subject to '_' replacemant, unless the "no-remapping" flag is
also specified. That flag ensures compatibility with setups using the
--no-name-remapping option, that has been removed in 2.3.

[v2: More comments related to compat_flags() added by DS plus using
     COMPAT_FLAG_QUERY expclit]
[v3: Improved the man page entry for --compat-names, after suggestions
     from Bernhard R. Link]

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1347377664-15462-1-git-send-email-dazo@users.sourceforge.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/7053
Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen. 2012-09-11T16:51:01+00:00 Arne Schwabe arne@rfc2549.org 2012-09-03T12:16:04+00:00 341e6bb67f072731d75769ce875633e544544062 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1346674564-17260-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/7041 Signed-off-by: David Sommerseth <davids@redhat.com> 
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1346674564-17260-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7041

Signed-off-by: David Sommerseth <davids@redhat.com>
Document --management-client and --management-signal a bit better 2012-09-02T19:50:06+00:00 Arne Schwabe arne@rfc2549.org 2012-08-08T17:31:42+00:00 c447b4265cd3fae308dd5798081d42f87ae89d91 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1344447102-22271-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/6962 Signed-off-by: David Sommerseth <davids@redhat.com> 
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1344447102-22271-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/6962
Signed-off-by: David Sommerseth <davids@redhat.com>
Document the inlining of files in openvpn and document key-direction 2012-09-02T18:18:26+00:00 Arne Schwabe arne@rfc2549.org 2012-08-23T21:21:00+00:00 0979ec7e9109da95ad56e9365a89701fee11c72c This patch documents the usage of inline files in OpenVPN. Hackish ways of inline files are deliberately left out. For tls-auth and secret the key-direction option is right way of specifying the direction and not by using two tls-auth/secret lines where the first sets the direction and has a dummy file name and the second sets the inline file data but does not reset the direction parameter. Also pkcs12 [[INLINE]] base64encoded_data works but is a quirk of how the config parser works Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: 1345756860-2044-1-git-send-email-arne@rfc2549.org URL: http://article.gmane.org/gmane.network.openvpn.devel/7006 Signed-off-by: David Sommerseth <davids@redhat.com> 
This patch documents the usage of inline files in OpenVPN. Hackish ways of
inline files are deliberately left out. For tls-auth and
secret the key-direction option is right way of specifying the direction
and not by using two tls-auth/secret lines where the first sets the
direction and has a dummy file name and the second sets the inline file
data but does not reset the direction parameter.

Also pkcs12 [[INLINE]] base64encoded_data works but is a quirk of how the
config parser works

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1345756860-2044-1-git-send-email-arne@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/7006
Signed-off-by: David Sommerseth <davids@redhat.com>
add option --management-query-proxy 2012-07-19T19:37:54+00:00 Heiko Hund heiko.hund@sophos.com 2012-07-11T12:16:50+00:00 af1bf85aee836f2b729c38990028c035b6c69152 Make openvpn query for proxy information through the management interface. This allows GUIs to provide (automatically detected) proxy information on a per connection basis. This new option supersedes the undocumented --http-proxy-fallback option and puts the responsibilty for HTTP proxy fallback handling to the GUI caring for such. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Reviewed-by: James Yonan <james@openvpn.net> Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6841 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> 
Make openvpn query for proxy information through the
management interface. This allows GUIs to provide (automatically
detected) proxy information on a per connection basis.

This new option supersedes the undocumented --http-proxy-fallback
option and puts the responsibilty for HTTP proxy fallback handling
to the GUI caring for such.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Reviewed-by: James Yonan <james@openvpn.net>
Message-Id: 1342009010-9735-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6841
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
build: integrate plugins build into core build 2012-06-26T09:29:02+00:00 Alon Bar-Lev alon.barlev@gmail.com 2012-05-14T22:42:03+00:00 ce8271f5d435be963c79945f8d7eb6ea2e4369fa As disucssed[1], keep plugins in repository. 1, Proper automake/libtool build. 2. Move example plugins to samples/sample-plugins. 3. Plugins are installed at LIBDIR/openvpn/plugins. [1] http://comments.gmane.org/gmane.network.openvpn.devel/6436 Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1337035323-27465-1-git-send-email-alon.barlev@gmail.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6591 Signed-off-by: David Sommerseth <davids@redhat.com> 
As disucssed[1], keep plugins in repository.

1, Proper automake/libtool build.

2. Move example plugins to samples/sample-plugins.

3. Plugins are installed at LIBDIR/openvpn/plugins.

[1] http://comments.gmane.org/gmane.network.openvpn.devel/6436

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1337035323-27465-1-git-send-email-alon.barlev@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6591
Signed-off-by: David Sommerseth <davids@redhat.com>
remove the --auto-proxy option from openvpn 2012-06-13T08:44:33+00:00 Heiko Hund heiko.hund@sophos.com 2012-02-05T12:47:09+00:00 8e1975b046dcf821eaf03098677dc5e34cd3a1a5 During discussion on FOSDEM 2012 it was decided that proxy auto detection is best done in the GUI as it's highly platform specific and shouldn't be handled in openvpn itself for every supported platform in openvpn itself. This removes --auto-proxy from openvpn. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1328446029-30523-1-git-send-email-heiko.hund@sophos.com URL: http://article.gmane.org/gmane.network.openvpn.devel/5333 Signed-off-by: David Sommerseth <davids@redhat.com> 
During discussion on FOSDEM 2012 it was decided that proxy auto detection
is best done in the GUI as it's highly platform specific and shouldn't be
handled in openvpn itself for every supported platform in openvpn itself.

This removes --auto-proxy from openvpn.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1328446029-30523-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/5333
Signed-off-by: David Sommerseth <davids@redhat.com>