| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Message-Id: <CAA1AbxKZr_E6Wk9GBbB3xpLyJzyBxSa1k21UDXnC90d8refUzw@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9226
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414230851-5350-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9195
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6e469f46e94b2bd0fc1509f2bfbda4d6b5374b14)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Between versions 1.2 and 1.3, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On a long-running, busy server using either a plug-in which hooks into
OPENVPN_PLUGIN_CLIENT_CONNECT or a configuration using --client-connect
a lot of unused files will be lingering and potentially filling up
the file system with temporary files if the plug-in or --client-connect
script fails.
This patch ensures that these files are always removed in the end,
regardless if the plug-in or script succeeds or fails.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20141012195919.GU3738@type
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For each recognized extension in a certificate, extract_x509_extension()
would issue an "ASN1 ERROR: can not handle field type" debug message at
verb 2. Reduce that to verb 9 (D_TLS_ERRORS -> D_TLS_DEBUG) and alter the
message text accordingly.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53E6A61C.7010106@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8981
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54259015.2030005@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9056
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1412712650-5173-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9090
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1412356567-27125-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9072
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in case the reposnses are too old, ocsp tool can return text like this:
Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT
light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.
Otherwise results like:
Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT
will be accepted as being trustworthy.
Note that "Response verify OK" is printed on stderr, so it can't
be discarded.
Signed-off-by: Hubert Kario <hkario@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-1-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9054
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to encourage all Linux distributions to use a unified systemd
unit file.
This unit file also tries to reduce the capabilities of the running
openvpn process.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1411030936-16309-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9043
|
|
|
|
|
|
|
|
|
|
| |
No functional changes, just add missing includes and make casts explicit.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1408396155-9017-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8991
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fixed warning: expression which evaluates to zero treated as a
null pointer constant of type 'struct addrinfo *'
Seems to be innocent, but clang is correct that this is strange.
init_tun() expects two pointers, but options_string() tried to
feed it two uint32_t values.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1408568426-19601-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9004
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Does not actually change behaviour, but fixes compiler warnings
and properly initializing is good habit anyway.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1408568426-19601-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9003
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Every four input characters, openvpn_base64_decode called token_decode,
which in turn called strlen() on the remaining input. This means that
base64 decoding in openvpn had quadratic complexity.
All we really need to know is whether the token is complete, so replace
the check to check just that, and make the complexity linear wrt the
input length.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5408494D.7050407@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9016
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do the proper closing of the pipe ends which is not being used,
also in error situations. Moved the closing of the parent side
before the waitpid(), to be consistent with the child side (as
early as possible).
Also improved the error messages with more details.
[v2 - Don't call close() if execve() fails]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 20140909202408.GK1118@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/9036
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the SYSTEMD_ASK_PASSWORD_PATH executable cannot be found, we
don't consider systemd as running.
[v2 - Don't clean up white-space]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 20140909202044.GJ1118@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/9035
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 9449e6a9eba30c9ed054f57d630a88c9f087080f introduced the
openvpn_popen() function to support retrieving passwords via systemd.
It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped. This was due to the lack
of a wait() call.
This patch also cleans up a few minor white-space issues in the same
code segment.
[v2 proper initialisation of status variable]
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1409930731-15263-2-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9021
|
|
|
|
|
|
|
|
|
|
|
| |
Gentoo Linux installs this in /usr/bin by default. Also, the user may
have installed it in /usr/local/bin if building from source.
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1404419045-14728-1-git-send-email-floppym@gentoo.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/8825
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
|
|
|
|
|
|
| |
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667866-14226-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8953
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406237866-9086-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8938
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
| |
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-2-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8840
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On modern systems, topology subnet should always be set, but it's
missing in the configuration file.
Add it with a short explanation.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BF9998.5020906@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8878
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
|
|
|
|
|
|
|
|
|
|
|
| |
This restores support for pre-0.9.8f OpenSSL versions, which do not include
stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
| |
it is unconditionally enabled and OpenVPN does not compile if disabled
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8841
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The provided OpenVPN init scripts scan /etc/openvpn for *.conf and run
an OpenVPN process for each, and if a .sh script with the same base name
exists, this is run before openvpn. Change from running "$name.sh" to
"./$name.sh" - depending on the shell used, the script won't be found
otherwise, and ensuring that the script isn't searched in $PATH is the
right thing anyway.
Reported in trac #423
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1404804054-32424-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8858
|
|
|
|
|
|
|
|
|
|
|
| |
commit e97aa06dc058 introduced "full openvpn cipher testing", but fails
on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra
library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1404830758-7927-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8861
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All cipher suite names supplied through --tls-cipher are translated by
OpenVPN to IANA names, to get OpenSSL and PolarSSL configuration files
compatible. OpenSSL however supports cipher suite group names, like
'DEFAULT', 'HIGH', or 'ECDH'. To make OpenVPN not complain about these,
entries translating these to themselves were added to the translation
table. However, to make OpenVPN not still complain, the deprecated-name
check has to be reversed from 'if this is a deprecated name then complain'
to 'if this is not a iana name, then complain'. Which this commit does.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1404424065-24787-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8824
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
... instead of just BF-CBC. Should catch more mistakes.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8777
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also remove the bulky warning from init_key_type() and add the information
to the --show-ciphers output.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BAEF65.2070509@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8852
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Teach it how to run ifconfig/route on AIX to have meaningful results.
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-5-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8786
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX only has TAP interfaces, so always use gateway address as next hop,
not interface name.
AIX route works much more reliable if passed netbits than netmask - do so
(introducing a new helper function netmask_to_netbits2())
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-4-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8785
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
AIX is special... ifconfig only works if it can add the data to
the ODM right away, so setup a local enviromnment set that has
"ODMDIR=/etc/objrepos" in it (hard-coded, nobody changes that).
Only --dev tap or --dev tapNN are supported right now. AIX has no
tun driver (so tun mode would need to dynamically add/remove ethernet
headers to/from AIX).
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8788
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
force "have_tap_header=yes", as configure won't like AIX headers otherwise
(no tun related headers, just <net/if_tap.h>).
force ROUTE to be "/usr/sbin/route" - not executable by non-root users, so
configure testing for executables will not find it
force "ac_cv_header_net_if_h=no", because AIX' <net/if.h> pulls in AIX'
<net/route.h>, which #defines ROUTE_H, disabling our "route.h"... (and
we don't need <net/if.h> on AIX anyway)
Signed-off-by: Gert Doering <gd@medat.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8787
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
| |
Has been inside the #if 0 since 'git tree epoch' (sept-2005) and was not
referenced, from either code, nor dead code nor comment.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404336688-15036-1-git-send-email-steffan@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
| |
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <53AF0D20.7020204@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
PolarSSL support has been extended and adjusted, but README.polarssl was
not accordingly adjusted. This updates README.polarssl to the current state
of affairs for the master branch.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403640206-7024-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8803
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The return value of x509_get_numeric_string() was interpreted incorrectly
by ssl_verify_polarssl.c's x509_verify_cert_eku(). This patch enables the
usage of oid represenation in --remote-cert-eku options.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1398415277-6880-1-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8627
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only check for SSL_OP_NO_TICKET if building with --enable-ssl and using
openssl. This fixes cross-compiling polarssl builds for Windows (where
pkg-config would find the system openssl library, but the cross compiler
would not have openssl for the target platform).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403461119-21440-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8795
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
--ccd-exclusive
OpenVPN will do some simple sanity checking at startup to ensure
the expected files and directories is in place. However, with
--client-config-dir and --ccd-exclusive, things are slightly different.
In both cases it is perfectly fine that files does not exists, and we
cannot know any file names beforehand due to these filenames being based
upon the certificate's CN field.
The problem arises when OpenVPN cannot open files inside a directory
because the directory permissions are too restrictive, have wrong
ownership (triggered by the usage of --user/--group) or other security
mechanisms the OS uses.
When a client connects, the test_file() function is used to check if a
client config file has been prepared. And if not, it continues without
trying to read it. So, if the privileges of the running OpenVPN process
is not allowed to open and read an existing file, OpenVPN will treat this
as a non-existing file without saying anything. This is clearly wrong.
So this patch adds an warning message in the OpenVPN log if it could
not open the file due to lack of permissions.
This will work fine on all *nix based OSes. Windows however reports
'no such file or directory' (errno=2/-ENOENT) even on privilege access
errors when the directory this file resides is too restrictive. But there
is no easy way to work around that. However, I believe that the initial
sanity checking at startup will catch that one, as it will check if the
directories it needs exists.
This patch has only gone through simple basic testing, with both too few
privileges and with proper privileges to the CCD directory. With wrong
privileges, the following error can be found if CN=Test client
Fri May 2 00:00:10 2014 us=281993 127.0.0.1:41017 Could not access file
'/etc/clients/Test client': Permission denied (errno=13)
[v2 - use openvpn_errno() instead of errno, for better platform support]
Trac: #277
Trac-URL: https://community.openvpn.net/openvpn/ticket/277
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1398990504-4239-1-git-send-email-dazo@users.sourceforge.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8688
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv6 has the concept of "link local" addresses, fe80::<host id>, which
normally are present on every link, and are used for stuff like DHCPv6,
neighbor discovery, etc.
OpenVPN point-to-multipoint mode currently does neither configure them on
tun interfaces, nor are they handled in a meaningful way if a client OS
always has them (like Windows or Solaris) - so the log fills with many
lines of "MULTI: bad source address from client [fe80::...]", serving
no useful purpose.
This patch just recognizes IPv6 LL packets and silently drops them.
Further patches can build on this and add full link-local support, which
would require address learning (as the addresse are based on host IDs, not
assigned by the server).
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1402080235-24409-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8773
|