summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix typo in sample build script to use LDFLAGSkangsterizer2014-04-131-1/+1
| | | | | | | Came in as github pull request #15 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-By: Arne Schwabe <arne@rfc2549.org>
* Work around Solaris getaddrinfo() returing ai_protocol=0Arne Schwabe2014-04-101-5/+2
| | | | | | | | | | | | | | | | Create_socket() and sub-functions assume that the ai_protocol value returned by getaddrinfo() is IPPROTO_UDP or IPPROTO_TCP. On Solaris, it is "0", because Solaris's socket() call will then "select the right protocol" - but it breaks our code. So remove ASSERT()s on ai_protocol, and also accept properly set ai_socktype (SOCK_DGRAM/SOCK_STREAM) values if ai_protocol is not set. Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20140407201711.GN16637@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8428
* fix route struct nameHeiko Hund2014-04-011-1/+1
| | | | | | | | | | This slipped in with commit d0085293. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1396346803-31772-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8421 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* configure.ac: use CPPFLAGS for SSL_OP_NO_TICKET checkSteffan Karger2014-04-011-0/+3
| | | | | | | | | | | AC_EGREP_CPP uses CPPFLAGS, not CFLAGS. Make sure the macro can find OpenSSL by temporarily adding OPENSSL_CRYPTO_FLAGS to CPPFLAGS. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Heiko Hund <heiko.hund@sophos.com> Message-Id: <5339EFFC.6090908@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8419 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix crash when using --inetd.Gert Doering2014-03-302-6/+7
| | | | | | | | | | | | | | | | | | Change "local" argument to socket_do_listen() to avoid calling "local->ai_addr" in the caller for the "do_listen == FALSE" case, in which case it could be NULL. Also, ensure "ai" is always initialized in socket_listen_accept() for the "!remote_dynamic" case - otherwise it will sometimes(!) crash in addrlist_match() later on. Get rid of spurious operator precedence warning concerning GETADDR_CACHE_MASK. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1396181376-32022-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8412
* Fix assert when using port-shareArne Schwabe2014-03-261-1/+1
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-12-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8369 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Clean up of socket code.Arne Schwabe2014-03-263-103/+95
| | | | | | | | | | | Let socket_create take struct addrinfo as argument and use the entries of addrinfo to create the socket. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-11-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8370 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* configure.ac: check for SSL_OP_NO_TICKET flag in OpenSSLSteffan Karger2014-03-231-0/+15
| | | | | | | | | | | | SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption". This is something we do not want nor need, but could potentially be used for a future attack. OpenVPN 2.4 requires the flag to be set and will fail configure if the flag is not present. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <CAA1AbxJh17KYmVU1BVa5kp4iJsUJT+xnXp0rVU_3g3c5hPnqDQ@mail.gmail.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8389 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Disable unsupported TLS cipher modes by default, cleans --show-tls output.Steffan Karger2014-03-231-2/+2
| | | | | | | | | | | | This explicitly disables a number of tls ciphers that OpenVPN has currently no support for. OpenSSL will automatically detect this during negotiation, but --show-tls would erroneously show a number of unsupported ciphers. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add openssl-specific common cipher list names to ssl.c.Steffan Karger2014-03-231-0/+13
| | | | | | | | | | | This adds a number of commonly used cipher list names to ssl.c, which makes OpenVPN not give a "translation not found" warning when using these. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1393684575-28112-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8316 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Bump minimum OpenSSL version to 0.9.8Steffan Karger2014-03-237-54/+2
| | | | | | | | | | | | | OpenSSL 0.9.7 and older are considered obsolete (see http://www.openssl.org/news/news.html). This patch updates configure.ac to require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are now no longer needed. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8392 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add gateway and device to android control messagesArne Schwabe2014-03-231-3/+6
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-9-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8368 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Don't show the connection profile store in options->ce if there is a ↵Arne Schwabe2014-03-231-2/+5
| | | | | | | | | | | | | connection_list defined. Entries in options->ce are never used and overwritten by the first usable connection profile on initialisation. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-8-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8377 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix for server selecting address familyArne Schwabe2014-03-231-12/+12
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-7-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce an option to resolve dns names in advance for --remote, --local ↵Arne Schwabe2014-03-2310-139/+415
| | | | | | | | | | | | | | | and --http-proxy Also introduce x_gc_addspeical function that allows to add objects with a custom free function to the gc. Some additional addrinfo cleanup Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395576786-17507-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8386 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Adjusted autotools files to build more cleanly on newer autoconf/automake ↵David Sommerseth2014-03-232-5/+5
| | | | | | | | | | versions Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1389803764-5879-1-git-send-email-davids@redhat.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8239 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Implement an easy parsable log output that allows access to flags of the log ↵Arne Schwabe2014-03-225-1/+44
| | | | | | | | | | message Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-5-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8374 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Workaround broken Android 4.4 VpnService API for persist-tun modeArne Schwabe2014-03-224-13/+68
| | | | | | | | | | | | | | | | In Android 4.4 it is not possible to open a new tun device and then close the old tun device without breaking the whole VPNService stack until the device is rebooted. Add new management method to ask the UI what method should be taken to ensure the optimal solution for the situation. Then do open-before-close or close-before-open inside open_tun() as requested. Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-4-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8373 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Move the initialization of the environment to the top so c2.es is initializedArne Schwabe2014-03-211-4/+4
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8372 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix connecting to localhost on AndroidArne Schwabe2014-03-212-3/+35
| | | | | | | | | | Do not protect the link socket when connecting to localhost. Also only call the protect function on valid socket Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395407925-25518-2-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8375 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS ↵James Yonan2014-03-171-1/+1
| | | | | | | | | | | | | | | | | | | | | stateless session resumption. OpenVPN doesn't want or need SSL session renegotiation or resumption, as it handles renegotiation on its own. For this reason, OpenVPN always disables the SSL session cache: SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF) However, even with the above code, stateless session resumption is still possible unless explicitly disabled with the SSL_OP_NO_TICKET flag. This patch does this. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net> URL: http://article.gmane.org/gmane.network.openvpn.devel/8346 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix warning for max-routes: do not quit when parsing an old configuration. ↵Arne Schwabe2014-03-171-2/+4
| | | | | | | | | | Format the message to be more like the other deprecated options Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395060345-30870-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8354 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Introduce safety check for http proxy optionsArne Schwabe2014-03-171-0/+2
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1395061013-1802-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8353 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* grow route lists dynamicallyHeiko Hund2014-02-236-184/+130
| | | | | | | | | | | | | This removes the need for the --max-routes option. Instead of allocating a fixed size array for the route(-option)s they are managed in linked lists instead. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1392746395-19246-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8295 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix "." in description of utun.Thomas Veerman2014-01-231-2/+2
| | | | Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add "test-driver" and "compile" to .gitignoreGert Doering2014-01-201-0/+2
| | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
* convert struct signal_info elementHeiko Hund2014-01-171-1/+1
| | | | | | | | | | | This one place was forgotten when the elements type was changed from bool to int in the dual stack patch 23d61c56. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-2-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8243 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* make sure sa_family_t is definedHeiko Hund2014-01-172-0/+13
| | | | | | | | | | | On Windows there's no sa_family_t. This patch defines it in syshead.h is configure did not find it in the system headers. Signed-off-by: Heiko Hund <heiko.hund@sophos.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389972638-8006-1-git-send-email-heiko.hund@sophos.com> URL: http://article.gmane.org/gmane.network.openvpn.devel/8242 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Replace copied structure elements with including <net/route.h>Gert Doering2014-01-161-93/+2
| | | | | | | | | | | | | | | | | | | | | | The code for FreeBSD, Dragonfly, OpenBSD and NetBSD contained copies of structures from <net/route.h> (struct rt_msghdr in particular). OpenBSD changed some structure elements, making OpenVPN incompatible, depending on the specific OpenBSD version. Clean up: remove copied definitions, replace by including <net/route.h> directly - this could not be done originally due to a conflict with "struct route" in OpenVPN and <net/route.h>, cleaned up by the previous commit. Tested on FreeBSD 9.1-RELEASE, NetBSD 5.1, OpenBSD 4.9 (route.c compiles with no warnings, and "openvpn --show-gateway" works, which is the only part of the code that uses the structures in question). Fix trac #340 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8230
* Rename 'struct route' to 'struct route_ipv4'Gert Doering2014-01-163-26/+26
| | | | | | | | | | | | To fix trac #340, we need to rename our "struct route" to avoid a collision with "struct route" from <net/route.h> on *BSD. No functional changes. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389650074-18455-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8231
* Fix compiler warnings in ssl_polarssl.cSteffan Karger2014-01-121-5/+8
| | | | | | | | | | | | | * Made some type casts explicit. * Changed type of sha256_hash to unsigned char[], because polar expects that. * Added missing error.h include. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8225 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()Steffan Karger2014-01-121-2/+0
| | | | | | | | Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8222 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Fix compiler warning for unused result of write()Steffan Karger2014-01-121-1/+2
| | | | | | | | | | Issue a warning instead of ignoring a failed write() completely. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1389555572-6210-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8223 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document issue with --chroot, /dev/urandom and PolarSSL.Gert Doering2014-01-121-0/+10
| | | | | | | | | See trac#218 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1389441036-12538-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8213
* Cleanup ir6->netbits handling.Gert Doering2014-01-113-59/+18
| | | | | | | | | | | | | | | | | Get rid of all "if (ir6->netbits>=0)" checks, as those are always true (unlike ir->netbits for IPv4, we don't do the special case for "if it's a host, put -1 in there" for IPv6). Merge mroute_helper_{add,del}_iroute and mroute_helper_{add,del}_iroute6 into unified mroute_helper_{add,del}_iroute46() function as they did the same thing anyway, just with slightly different parameters. Make Arne happy. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8198
* remove some 'unused variable' warningsGert Doering2014-01-113-3/+3
| | | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389371142-26705-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8197
* Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=Gert Doering2014-01-091-2/+2
| | | | | | | | | | Use shorter variable name to signal the same thing (see f3a2cd255a3bc73) to save space in the buffer used by the collective IV_ info sent to server. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389296891-1487-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8183
* Make code and documentation for --remote-random-hostname consistent.Gert Doering2014-01-092-19/+10
| | | | | | | | | | | | | | Documentation examples, description and code were disagreeing on what this option actually does. Now they will all agree that it will *prepend* a random-byte string to the hostname name before resolving to work around DNS caching (needs a "*" wildcard record in the zone). Fix trac #143 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1384698620-27946-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/7999
* Fix spurious ignoring of pushed config options (trac#349).Jens Wagner2014-01-073-1/+5
| | | | | | | | | | | | | | | | | | | | | | | The function incoming_push_message(...) in push.c uses a local variable option_types_found, that gets passed to do_up(...). If the server push got split into several parts, only the last part (PUSH_MSG_REPLY) option_types_found is used for do_up (initilized as 0 locally), the previous ones (PUSH_MSG_CONTINUATION) are ignored. So e.g. a ping config, pushed by the server in the first push, followed by a lot of "push route" configs, causing a second push message, will have the do_up() called, but without e.g. the OPT_P_TIMER flag, so those options will be silently ignored. The patch resolves that, by introducing "push_option_types_found" in "c->options" and using that as storage. Fix trac bug #349. Acked-by: Gert Doering <gert@greenie.muc.de> URL: https://community.openvpn.net/openvpn/ticket/349 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Document "lz4" argument to "compress" config option.Gert Doering2014-01-061-2/+4
| | | | | | | Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1389012640-24174-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8178
* Provide LZ4 sources in src/compat/ and use if no system lz4 library found.Gert Doering2014-01-065-3/+1044
| | | | | | | | | | | Bundle lz4.c and lz4.h from http://code.google.com/p/lz4/ (r109) as src/compat/compat-lz4.[ch], and use that (via #define NEED_COMPAT_LZ4) if autoconf cannot find lz4.h or -llz4 in the system. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1388613479-22377-2-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8154
* Implement LZ4 compression.Gert Doering2014-01-069-4/+319
| | | | | | | | | | | | | | | | | | Implement LZ4 compression, similar to the existing snappy / push-peer-info model: a LZ4 capable client will send IV_LZ4=1 to the server, and the algorithm is selected by pushing "compress lz4" back. LZ4 does not compress as well as LZO or Snappy, but needs far less CPU and is much faster, thus better suited for mobile devices. See https://code.google.com/p/lz4/ for more details. LZ4 include and library path can be specified by specifying LZ4_LIBS=... and LZ4_CFLAGS=... on the configure command line. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1388613479-22377-1-git-send-email-gert@greenie.muc.de> URL: http://article.gmane.org/gmane.network.openvpn.devel/8153
* Disable export ciphers by default for OpenSSL builds.Steffan Karger2014-01-051-1/+3
| | | | | | | | | | | | | | | Export ciphers are deliberately weak ciphers, and not fully supported by OpenVPN since ephemeral RSA support has been removed a few commits ago. This commit removes them from the default cipher list to avoid confusion. PolarSSL does not support export ciphers, so no action required there. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8146 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.Steffan Karger2014-01-054-12/+24
| | | | | | | | | | | | | | | | This adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+. Also let tls_ctx_restrict_ciphers always be called, also when *cipher_list is NULL. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <52C8922E.3030607@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8173 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Update IPv6 related readme filesArne Schwabe2014-01-032-20/+17
| | | | | | | | Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388760580-7548-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8167 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Remove OpenSSL tmp_rsa_callback. Removes support for ephemeral RSA in TLS.Steffan Karger2014-01-031-18/+0
| | | | | | | | | | | | | | | | | | | | | This code would not really generate ephemeral keys every time it is called, but a single key that would be reused during process lifetime and returned each time the function was called; probably not what users would expect. TLS allowes ephemeral keys to be used only when no other key exchange, such as (ephemeral) Diffie-Hellman, is performed. The end result is that it was only used by a number of (weak) export ciphers, which could give users a false sense of security. So, instead of fixing a weak cipher mode, we'll just remove support for it completely. Plenty of better alternatives are available in TLS. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-5-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8152 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* If --tls-cipher is supplied, make --show-tls parse the list.Steffan Karger2014-01-034-9/+20
| | | | | | | | | | | | This allows to check the available TLS ciphers for a specific configuration by supplying both --tls-cipher and --show-tls options. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8150 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98Steffan Karger2014-01-031-2/+2
| | | | | | | | | | | | Commit 4b67f98 changed call to TLSv1_{client,server}_method() to SSLv23_{client,server}_method(), this commit updates the corresponding error messages to match the changes in the code. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8147 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Also update TLSv1_method() calls in support code to SSLv23_method() calls.Steffan Karger2014-01-031-2/+2
| | | | | | | | | | | | Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to SSLv23_{client,server}_method() to enable TLS version negotiation. This commit does the same for two calls of TLSv1_method() from support code. Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/8148 Signed-off-by: Gert Doering <gert@greenie.muc.de>
* Add warning for using connection block variables after connection blocksArne Schwabe2013-12-171-7/+23
| | | | | | | | | | | | | | | In 2.3 some options that were allowed only in global config before have been moved to connection blocks. This changes the behaviour if the variables were defined after connection block. This patch adds a warning to catch these mistakes. Also let warnings errors show [CONNECTION-OPTIONS] instead of [CMD-LINE] for connection blocks Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1387275767-10303-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/8117 Signed-off-by: Gert Doering <gert@greenie.muc.de>
generated by cgit (git 2.34.1) at 2024-06-07 11:02:28 +0000