| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
| |
Use shorter variable name to signal the same thing (see f3a2cd255a3bc73)
to save space in the buffer used by the collective IV_ info sent to server.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
(cherry picked from commit 7efaca734b8d633441ec3d7def2a2768864dedcf)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Documentation examples, description and code were disagreeing on what
this option actually does. Now they will all agree that it will
*prepend* a random-byte string to the hostname name before resolving
to work around DNS caching (needs a "*" wildcard record in the zone).
Fix trac #143
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
(cherry picked from commit 7de8f3f322c1a1c13022a0243267624930dac5c9)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function incoming_push_message(...) in push.c uses a local variable
option_types_found, that gets passed to do_up(...).
If the server push got split into several parts, only the last part
(PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0
locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored.
So e.g. a ping config, pushed by the server in the first push, followed
by a lot of "push route" configs, causing a second push message, will
have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those
options will be silently ignored.
The patch resolves that, by introducing "push_option_types_found" in
"c->options" and using that as storage.
Fix trac bug #349.
Acked-by: Gert Doering <gert@greenie.muc.de>
URL: https://community.openvpn.net/openvpn/ticket/349
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1aac9a0b7a4046822a0134cd8693a828f2e16576)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to check the available TLS ciphers for a specific configuration
by supplying both --tls-cipher and --show-tls options.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8150
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb03dca83e37fd65666bf776f39da902fb10acbc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 441be9f4f91a16218d40b401384ead51b5aac0cc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dd3e319c1d66c7da51b8555d745a1139e0b322f2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves from using the deprecated RSA_generate_key() to the 'new'
RSA_generate_key_ex() to generate ephemeral RSA keys. This patch does
not change OpenVPN's behaviour.
One note on the implementation though; the code generates one ephemeral
RSA key that is used during the entire lifetime of an OpenVPN process.
If OpenSSL requests a new (ephemeral) key, it will keep on returning the
same (usually rather small) key. Not the best solution.
To actually run this code, I had to force usage by selecting the
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher. That generated a 512-bit
ephemeral RSA key, and uses the outdated DES encryption protocol.
Using this mode could lead to a false sense of security. Then again, one
should be using (Ephemeral) Diffie-Hellman anyway, and OpenVPN requires
a tls-server to supply dh parameters. A user would need to deliberately
choose a weak tls-cipher like TLS-RSA-EXPORT-WITH-DES40-CBC-SHA, which
would be aligning a gun with his foot anyway. If one would decide this
implementation is not good enough anymore, I'd suggest to just strip out
support for this completely.
Code has been tested using the TLS-RSA-EXPORT-WITH-DES40-CBC-SHA tls-cipher
which uses this to create ephemeral RSA keys.
This should resolve trac#197.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <52ADF633.8040003@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8110
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In 2.3 some options that were allowed only in global config before have
been moved to connection blocks. This changes the behaviour if the
variables were defined after connection block. This patch adds a warning
to catch these mistakes.
Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE]
for connection blocks
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8117
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cd6555e0159987ef264789f4976053ce2aa5fc20)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 0f2bc0dd92f43c9 started to introduce some file sanity
checking before OpenVPN started to avoid harder to explain issues
due to missing files or directories later on. But that commit
did not consider --chroot at all. Which would basically cause
OpenVPN to complain on non-missing files, because it would not
consider that the files where inside a chroot.
This patch is based on the thoughts in a patch by Josh Cepek [1],
but trying to simplify it at bit.
[1] <http://thread.gmane.org/gmane.network.openvpn.devel/7873>,
(Message-ID: l142b7$15v$1@ger.gmane.org)
[v2 - Simplify the changes in check_cmd_access(), let the chroot
tackling happen only in check_file_access_chroot() only]
Trac-ticket: 330
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1385382778-4723-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8060
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b77bffe8186647c6fd1f2f76aac41fd45719edb8)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Enables DSA, ECDSA key usages with newer pkcs11-helper.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Tested-By: Sanaullah <sanaullah82@gmail.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1384209366-26170-1-git-send-email-alon.barlev@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7960
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6575ad483702dd53c0f683093b5f26a87518c6a8)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Get the temporary path from the system as UCS-2 and convert it to
UTF-8 and return that for internal use.
Fix trac#278.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1384882574-28242-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8002
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385064495-25877-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8019
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 282788a835f6c9dfb85e8f9a3bd45f5841271b06)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"ip -6 route show" prints stuff like "rtt 38ms rttvar 38ms cwnd 10", which
sometimes changes while an OpenVPN test is running, resulting in spurious
failures in the "ifconfig/route must be restored identically after
OpenVPN ends" test in t_client.sh. Not all fields are there all the time,
so use "sed" to get rid of whatever is printed this time.
Only relevant for "make check" on linux builds with "--enable-iproute2".
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1385309584-23209-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8047
(cherry picked from commit 8c19087034cb1076874075b9e2896ea3f7be59cf)
|
| |
|
|
|
|
|
|
|
|
| |
Acked-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385210434-28364-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8039
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 20fe5561dfe7a6f1da3aac07b38d0773c2758e5e)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For TLSv1.2, we need to support various hashes. (GPL) code taken from
PolarSSL pkcs11_sign().
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-4-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7887
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 32f07c8e5b0f6ec66cfa8566cb8e97b4a6238037)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add --management-external-key support, compatible with the OpenSSL
implementation. Needs the flexibility of ssl_set_own_cert_alt(), which
is new in PolarSSL-1.2.
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-3-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7886
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 38ace48c6820c611e689bc69b0cf5380bf7a8891)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c3b2d487bc5089c8c0cf65df8e6cc2232d84b05b)
|
| |
|
|
|
|
|
|
|
|
| |
Patch from trac#304 - the translation table OpenSSL<->IANA contained
duplicates for four IANA names, causing translation backwards to fail.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-By: Steffan Karger <steffan.karger@fox-it.com>
URL: https://community.openvpn.net/openvpn/ticket/304
(cherry picked from commit e85d87523af43c5fe5188f7ee1e2fdd2861dcffc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit bee92b479414d12035b0422f81ac5fcfe14fa645 and parts
of commit dc7be6d078ba106f9b0de12f3e879c3561c3c537, as these introduced a
subtle memory drain on client renegotiations (es->gc got initialized,
which led to "unused" gc_entry records accumulating while a client is
connected).
Setting es->gc=NULL causes env_set_add_nolock() / remove_env_item() to
free() allocated and no longer used strings in the es, while an active
gc would leave them for cleanup with gc_free() at client disconnect time.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/buffer.c
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <20131023162618.GP161@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7939
(cherry picked from commit 4368147972d61b598bbcd5d2904d891130d5e517)
|
| |
|
|
|
|
|
|
|
|
|
| |
IPv6 documentation prefix is 2001:db*8*:: (not :dba:), and the second
test stanza variables need to end in _2, of course...
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1384624401-27943-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7992
(cherry picked from commit bbc3a6473c84ba7cdb87b359f016cd13773e42ec)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It looks like it's possible to specify an optional authfile as third
argument of the "socks-proxy" directive. This patch updates the man page to
document that.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Acked-by: Heiko Hund <heiko.hund@sophos.com>
Message-Id: <0MTjMy-1VU1I42Lo0-00QV4k@mail.gmx.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7875
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0a7471f250e25a384a23dfb9efd2ffef83be913)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAK6ywbLVtSgRZEt4N+02fz+vQ0GNp==5KdsbqWtZ+fgUzrZq+g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7837
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9927cdbd929bebbba0d15bb9a6b03453891a485b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a GUIs sets IV_OPENVPN_GUI_VERSION the version will be pushed to the
server.
Usage convention for IV_OPENVPN_GUI_VERSION is "<gui_id><space><version>",
for example "de.blinkt.openvpn 0.5.47" for the ICS Android version.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <1370005175-14871-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7646
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f3a2cd255a3bc73a546a5e2d09fa30a16cce0d7d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream policy on PolarSSL API compatibility does not guarantee
stability between point-releases. For OpenVPN, we must verify a 1.2.x
version with the current codebase.
This fixes bug#343.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5284F32D.3000206@usa.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7968
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7fc9245f5d97c7d76c635f8a3e38ab55ab27b27b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
PolarSSL 1.2.9 fixes a possible timing attack in PolarSSL's RSA-CRT
implementation. See CVE-2013-5915 for details. This commit bumps the
minimum polarssl version required by configure.ac to 1.2.10, because 1.2.9
also introduced a memory leak, which is fixed in 1.2.10.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1382445917-2974-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7925
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 92d21e3fed33aad966b7b0ca6568e0cda8c7a8b5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the TAP adapter name is fetched as an OEM string, which
is problematic if it contains non-ASCII characters and is to used
with netsh. The logfile also contains these non UTF-8 characters.
This patch fetches the name from the registry as UCS-2 and converts
it right into UTF-8 before it's used.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1381829022-15244-1-git-send-email-heiko.hund@sophos.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7913
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f2e40082349098d3c22981bf1e6d305826f1173f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add "-lcrypto" to configure OpenSSL "-lssl" test (if no pkg-config
found), otherwise linking with static OpenSSL libraries will fail.
Trac ticket #305
Message-Id: <521668C9.5070003@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7835
URL: https://community.openvpn.net/openvpn/ticket/305
Acked-By: Heiko Hund <heiko.hund@sophos.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 30e358e5de352c8de04a955dc89f33e1710e9b97)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Starting with the 2.3-series, the TAP-Windows driver/utilities and
OpenVPN are separately installed components. The error message given to
users without available TAP devices uses the pre-2.3 path that does not
exist. The path should be listed under the TAP-Windows program group
that the tap-windows project installer uses.
Resolves bug #320
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <kv4ece$s8s$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7825
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2d34628af995676c8ecddb953897c334b96a6a6b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6481f879eb62cafa6ad652801b2b5c45e546ef44)
|
| |
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1376640680-26468-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7798
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 39dad37d5b13c4dc0614ab7b19fdae88c23de0a2)
|
| |
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1376640664-26379-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7799
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b685a1e6b012682ce7d6fb31960273b8f5213714)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
directive that follows is recognized, it will be processed
as if the "setenv opt" prefix was absent. If present and if
the directive that follows is not recognized, the directive
will be ignored rather than cause a fatal error.
For example, suppose you are distributing a client
configuration file and want to set the minimum TLS version
that the client requires from the server to 1.2.
By using the following directive,
setenv opt tls-version-min 1.2 or-highest
only newer clients that understand the tls-version-min directive
would process it, while older clients would ignore it.
(cherry picked from commit 27713761e4110bb92f1c6dfe85db291e8c6e0f56)
Signed-off-by: James Yonan <james@openvpn.net>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7771
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
URL: https://github.com/jamesyonan/openvpn/commit/27713761e4110bb92f1c6dfe85db291e8c6e0f56
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 2a92fba756d4c1e73300a12ff9e80028a6ab7c09)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
03a5599202bdc3ba07983dc4efdae387fb8fb436
d23005413b0e0f28a3c48a6342f494763d5c9b40
]
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
Message-Id: 51C77F12.1090802@openvpn.net
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit 4b67f9849ab3efe89268e01afddc7795f38d0f64)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Conflicts:
src/openvpn/ssl_common.h
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In config.h, it would state:
/* Enable systemd support */
#define ENABLE_PLUGIN 1
instead of
/* Enable plug-in support */
#define ENABLE_PLUGIN 1
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600130-6075-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7658
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8065cd1c65273ef05ba2ac66f15224e170a57290)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenVPN would segfault unexpectedly if it would be compiled against
PolarSSL
and the plug-in would expect OpenSSL, or vice-versa. This segfault would
not appear before the plug-in would try to access functions which would
be available if the plug-in and OpenVPN uses the same SSL implementation.
This patch adds a member to the plug-in initialisation function, which
identifies the SSL implementation.
The log_v3 plug-in is updated accordingly + a simple fix to make it
buildable again using the ./build script.
A minor documentation error in the openvpn-plugin.h was also
corrected, where it mentioned OPENVPN_PLUGIN_VERSION instead of
OPENVPN_PLUGINv3_STRUCTVER.
v2 - add const ovpnSSLAPI ssl_api at the end of
struct openvpn_plugin_args_open_in and not in the "middle"
v3 - fix bug in plug-in init, as the SSLAPI was located wrong in the
args struct sent to the openvpn_plugin_open_v3() function.
v4 - Ensure SSLAPI got a sane/known value if SSL is disabled or unknown
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1372879030-10576-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7754
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 587df08abda3c8f1f85ccdba4d8b82a736c11e2d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This "feature" has been enabled since OpenVPN 2.2 without any reports that
this has been causing issues. All it does is to add an extra environment
variable 'tls_digest_{n}' with the certificate SHA1 fingerprint/digest
hash.
Lets just simplify things by removing the possibility to disable this
environment variable.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600123-6029-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7660
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e3d388652f59fd2ddd9c7f470f7ef62ee6b35595)
|
| |
|
|
|
|
|
|
|
| |
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1370600111-5983-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7659
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ace54e9b3c26c4d13fd278fac2d2dc37138270e4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mac OS X 10.7+ natively supports tun devices (called utun). The "standard"
utun.ko driver is sometimes problematic (e.g. VmWare Fusion 5 and tun.ko
do not work together).
When OpenVPN is compiled with utun support it will if no dev-node is given
first try to use utun and if that is not available will try the
traditional tun devices
v2: Fixed tap support, get device name via ioctl, add manage
v3.1: Fix compiling without if/utun.h, fix manage errors
v4/v5: Don't try open to dynamically open utun0 -255 when early utun
initialization fails, fix fallback to tun, give fatal error message when
utun fails but no tun fallback should be done
v6: add commit message change log, replace strstr with strncmp, move
v7: Throw error if a user does the strange combination of --dev tun
--dev-type tap and --dev-node utun
A lot good input on earlier patches by Jonathan K. Bullard
<jkbullard@gmail.com>
Parts of the patches are inspired from Peter Sagerson's
<psagers@ignorare.net> utun patch
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-by: Jonathan K. Bullard <jkbullard@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1371811708-8528-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7739
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fbc04bedbcce02fc625357b7475ddbc7164cabbf)
|
| |
|
|
|
|
|
|
|
| |
Signed-off-by: Tamas TEVESZ <ice@extreme.hu>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: alpine.GSO.2.03.1306080732510.23277@extreme.hu
URL: http://article.gmane.org/gmane.network.openvpn.devel/7667
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit a781d6714758489a808b55cdefc1d1623194e318)
|
| |
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 51B1DBEF.1090705@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7664
Signed-off-by: David Sommerseth <davids@redhat.com>
(cherry picked from commit b97e2c3c90afdbb1a24bc1357ec6b94d626defcd)
|
| |
|
|
| |
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
At the moment script are only checked if P2MP_SERVER is defined. For
CLIENT_ONLY openvpn script were never checked.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369947737-26081-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7635
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e55681a9d802bf1639115d325c1685e5962865d0)
|
| |
|
|
|
|
|
|
|
|
|
| |
This also fixes commit 567bfc06d051b60e9cdca1f5bb468631b899682a if not all
script options are available by setting options->user_script_used
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1369945603-17169-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7634
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9b6a5028111cd915b0342fbd2ecd0b9dfd4aa94a)
|
| |
|
|
|
|
|
|
|
|
|
| |
Very simple fix.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <0LzcMG-1ULZ4T0Fuc-014gq9@mail.gmx.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7628
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3600996534c30978a7b0e9ddbe5e9743e6423d1a)
|
| |
|
|
|
|
|
|
|
|
|
| |
script-security system.
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1369920428-11350-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8476edbb1748e11de0e4fda8989c9e470285926b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In link_socket_write_udp_posix_sendmsg(), pktinfo structures for ipv4 and
ipv6 are going out of scope before actually calling sendmsg(), so depending
on compiler optimization, garbage is passed to sendmsg() - fix by using
"union openvpn_pktinfo" and having that in scope all the time.
Problem reported and patch provided by "danta" in trac#297
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: https://community.openvpn.net/openvpn/ticket/297
Message-ID: <20130530184427.GP20843@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7629
(cherry picked from commit 8c431f960357d776cfd0961192214ad1b0942bfb)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications such as Mac Address and UV_*
environment variables will not be pushed to the server as before unless
push-peer-info is specified by client config.
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
v3: undo extra whitespace changes in v1 and v2
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1369044801-7594-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7604
(cherry picked from commit 598e03f0e7bce434e501a9895819f2af0714d5f6)
Conflicts:
src/openvpn/ssl.c
|
| |
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <519F5ED0.4070109@nikhef.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7605
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 49f714942d5afd5f274aea52c790c896babc8c05)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Fixes bug #240.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Acked-by: Heiko Hund <heiko.hund@sophos.com>
Message-Id: <kn2pao$5sv$1@ger.gmane.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7594
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a19e35a95bf4a0177ae115535a3755d3acd894e9)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation"). For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.
Fix trac#281 and trac#258.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Josh Cepek <josh.cepek@usa.net>
Message-Id: <1367608404-2257-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7581
(cherry picked from commit eb95f367348f4c2aae301cfa7c3adc8e0f2e711e)
|
