| Age | Commit message (Collapse) | Author |
|---|
|
This is the first commit of the big reformatting task. This
is performed by running the ./dev-tools/reformat-all.sh script.
This is based upon the v3 reformat-all.sh/uncrustify.conf version
which is now applied to git master.
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
In order to prevent annoying delays upon client connection,
reload the CRL file only if it was modified since the last
reload operation.
If not, keep on using the already stored CRL.
This change will boost client connection time in instances
where the CRL file is quite large (dropping from several
seconds to few milliseconds).
Cc: Steffan Karger <steffan.karger@fox-it.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161201104145.23821-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch refactors the CRL handling to rely more on the implementation
of the crypto library. It will insert the CRL at the correct time to keep
it up to date, but all additional verification logic is removed from
ssl_verify_<backend>.c. "Less code of our own, less bugs of our own."
In practice, this means extra checks will be performed on the CRL, such as
checking it validBefore and validAfter fields.
This patch was originally written by Ivo Manca, and then molded by Steffan
before sending to the list. All bugs are Steffan's fault.
Thanks also go to Antonio Quartulli for useful feedback. He'll send
follow-up patches to improve CRL handling performance.
Signed-off-by: Ivo Manca <ivo.manca@fox-it.com>
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1477670087-30063-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12809.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
With c99, "WIN32" is no longer automatically defined when (cross-)building
for Windows, and proper compilation relies on including <windefs.h>,
before checking the macro. "_WIN32" is the official define that is
guaranteed to be defined by the compiler itself, no includes are needed.
So, mechanically change all occurrances of "WIN32" to "_WIN32".
While at it, get rid of unused WIN32_0_1 #define in syshead.h
See also:
http://nadeausoftware.com/articles/2012/01/c_c_tip_how_use_compiler_predefi
ned_macros_detect_operating_system#WindowsCygwinnonPOSIXandMinGW
Trac #746
v2: rebased to master, merge the console[_builtin].c changes
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20161113195228.74090-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13035.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This removes the dependency of crypto.c on misc.c, which makes testing
(stuff that needs) crypto.c functionality easier.
Apart from that, testing file access really belongs in
options_postprocess_filechecks(), and moving it there enables us to
perform the same check for other private files too.
v2: change indenting, remove remaining warn_if_group_others_accessible()
calls and move function to options.c.
[ DS: This patch is a slightly modified version of the one sent to the
mailing list. It removes all references to --tls-crypt, so it
can be applied eariler to the tree as it contains a good clean-up
as well ]
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1479045751-22297-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13019.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
|
|
Commit 41e4b67a229e774ebc57a882c386e10d80e10e7e broke the exported
keying material functionality while addressing lack of variable-length
arrays in MSVC compilers - turning an array into a gc_malloc()'ed
pointer, but still using "sizeof(ekm)" for buffer size - which is
now "4" (unsigned char *), not the actual buffer length...
Fixed!
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <49496.109.81.184.65.1461736834.squirrel@mail.actumg2.cz>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11509
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In the past years, the internet has been moving forward wrt deprecating
older and less secure ciphers. Let's follow this example in OpenVPN and
further restrict the default list of negotiable TLS ciphers.
Compared to earlier, this disables the following:
* Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
The LOW suite will be completely removed from OpenSSL in 1.1.0,
the MEDIUM suite contains ciphers like RC4 and SEED.
* Ciphers that do not provide forward secrecy (static DH/ECDH keys)
* DSA private keys (rarely used, and usually restricted to 1024 bits)
v2: added Changes.rst entry.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460917927-31645-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11457
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1452433475-16779-1-git-send-email-niels_ole@salscheider-online.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10975
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This fixes a null-pointer dereference in tls_ctx_cert_time(), which will
occur on clients that do not use a client certificate (ie that only have
auth-user-pass in the config, but no key and cert). This bug was
introduced by commit 091edd8e on the master branch, and commit dfd940bb
on the release/2.3 branch.
This bug was found by chipitsine and reported in trac ticket #644.
While touching this function, I also made this function conform to the
openvpn coding style.
v2 - fix memory leak in builds using pre-1.0.2 openssl
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1451814476-32574-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10921
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
and earlier.
Integrating feedback from Steffan Karger, tested by Gert Doering on
FreeBSD 7.4 / OpenSSL 0.9.8.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20151226091900.GU24952@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10881
|
|
The SSL_CTX_get0_certificate() function I used in 091edd8e is available in
OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative.
The remaining option would then be to create a cache for our parsed
certificate, but that would mean adding more struct members and code for
the select group of people that do use an up-to-date openvpn, but do not
update their openssl. I don't think that's worth it. So just disable the
code for older openssl versions.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450131285-30182-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10802
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This adds support for the --verify-client-cert optional option in PolarSSL
builds, as was earlier added for OpenSSL builds by Jan-Just Keijser.
This patch also adds an additional sanity check that this option may only
be used in combination with some other authentication method, and changes
the warning message about this option to be displayed only once on startup,
instead of for each connecting client.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Message-Id: <1444948995-18720-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10288
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Add extended client certificate verification support.
Replace --client-cert-not-required with a more flexible option,
that allows for no, optional or mandatory client certificate
verification.
Signed-off-by: Jan Just Keijser <janjust@nikhef.nl>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1444383559-15788-1-git-send-email-janjust@nikhef.nl>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10213
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit
https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff73
4f94a51
introduced a variable length array. Although C99 supports that, MSVS 2013
still requires
size of array to be compiler time constant. As a fix, use malloc/free.
v2:
Replace OPENSSL_malloc with gc_malloc
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1445411606-13369-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10344
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
There is no need to use OPENSSL_malloc(), so use our own functions that
automatically check for NULL and remove the now redundant NULL check.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1445380744-21086-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10339
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Keying Material Exporter [RFC-5705] allow additional keying material to be
derived from existing TLS channel. This exported keying material can then be
used for a variety of purposes.
[DS: Updated man page to document both upper and lower length boundaries]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com
Acked-by: David Sommerseth <davids@redhat.com>
|
|
Translation errors are usually not a real problem, since we don't maintain
the complete list of ciphers OpenSSL supports. So, be less verbose if we
can not find a translation.
Also, add 'translations' for commonly used negated cipher suites to
suppress messages about those completely.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1444156707-14087-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10198
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
As reported in trac tickets #304, #358 and #359 (and possibly more), the
usage and interpretation of --tls-cipher (and --show-tls) is tricky. This
patch extends the man page to explain those a bit better and point out
that --tls-cipher is an expert feature (i.e. easy to get wrong). Also add
a notice to the --show-tls output, referring to the man page explanation.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1430840857-6123-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9651
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
As reported in trac #502, SSL compression can cause problems in some corner
cases. OpenVPN does not need SSL compression, since the control channel is
low bandwidth. This does not influence the data channel compressen (i.e.
--comp or --comp-lzo).
Even though this has not yet been relevant for OpenVPN (since an attacker
can not easily control contents of control channel messages), SSL
compression has been used in the CRIME and BREACH attacks on TLS. TLS 1.3
will probably even remove support for compression all together, for
exactly this reason.
Since we don't need it, and SSL compression causes issues, let's just
disable it in OpenSSL builds. PolarSSL has no run-time flag to disable
compression, but is by default compiled without compression.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1424010266-5910-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9453
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
As requested on the mailing list and in trac ticket #410, add an option to
disable 'traditional' Diffie Hellman key exchange. People want to be able
to create ecdh-only configurations.
This patch also disables RSA key exchange by default for OpenSSL builds, to
prevent that people who set "--dh none" but have an OpenSSL version that
doesn't support ECDH end up with a less secure connection. Note that users
that specify their own --tls-cipher override these defaults and thus can
still use whatever OpenSSL supports (and might thus end up with less secure
connections).
PolarSSL does not allow to easily disable RSA key exchange during runtime,
but its default compile options do not include RSA key exchange based
cipher suites.
Finally update the manpage to reflect the new behaviour, and while touching
it change the text to motivate users towards a more secure configuration.
v2 - disable RSA key exchange by default
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9376
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
v2 - don't wrap string for a couple of words, and be more consistent
with wrapping (use curly braces for ifs with wrapping statements)
v3 - change an incorrect crypto_msg() call back to msg()
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A430A2.5000409@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9374
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Remove the --disable-ssl configure option and accompanying ENABLE_SSL
defines in the master/2.4 branch, to reduce the code and testing
complexity a bit.
This does not remove to runtime option to run without SSL, just the compile
time option to not include any SSL-related code.
During the community meeting in November 2014 there were no objections
amongst he developers present. Also, this has been announced on the -users
and -devel mailing lists two weeks ago, without any response whatsoever.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A4248A.1090501@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9371
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
All cipher suite names supplied through --tls-cipher are translated by
OpenVPN to IANA names, to get OpenSSL and PolarSSL configuration files
compatible. OpenSSL however supports cipher suite group names, like
'DEFAULT', 'HIGH', or 'ECDH'. To make OpenVPN not complain about these,
entries translating these to themselves were added to the translation
table. However, to make OpenVPN not still complain, the deprecated-name
check has to be reversed from 'if this is a deprecated name then complain'
to 'if this is not a iana name, then complain'. Which this commit does.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1404424065-24787-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8824
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Between the origin patch submission (2011) and now the cipher abstraction
layer has been added. This patch slipped through without proper adjustment.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53863C41.1020408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8745
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Sets SSL_MODE_RELEASE_BUFFERS if available, to keep openSSL memory
usage as low as possible.
For more info, see
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html
https://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
See also trac #157
Signed-off-by: Cristian Rodriguez <crrodriguez@opensuse.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <5381FEFF.1040609@karger.me>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
* Refactored show_library_versions to work around the fact
that some compilers (such as MSVC 2008) can't handle #ifdefs
inside of macro references.
* Declare show_library_versions() in options.h because it's
referenced by other files such as openvpn.c.
* Declare get_ssl_library_version() as returning const char *,
to avoid loss of const qualifier in ssl_openssl.c.
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1399589436-8730-7-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8711
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a91a2d6ad7b139ec78d61c8616b8447847e9ecc6)
|
|
This patch is based on Jan Just Keijser's patch from Feb 7, 2012.
When OpenSSL 1.0.2+ or PolarSSL is used, lets the crypto library do the
heavy lifting. For OpenSSL builds, if a user specifies a curve using
--ecdh-curve, it first tries to override automatic selection using that
curve.
For older OpenSSL, tries the following things (in order of preference):
* When supplied, use the ecdh curve specified by the user.
* Try to extract the curve from the private key, use the same curve.
* Fall back on secp384r1 curve.
Note that although a curve lookup might succeed, OpenSSL 1.0.0 and older do
*not* support TLSv1.1 or TLSv1.2, which means no that no EC-crypto can be
used.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53597BEA.6080408@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8625
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Print the version of the SSL and LZO library (if any) used.
SSL library version is also sent as IV_SSL=<version> to the server if
--push-peer-info is enabled.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20140416152456.GI16637@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8537
|
|
This explicitly disables a number of tls ciphers that OpenVPN has currently
no support for. OpenSSL will automatically detect this during negotiation,
but --show-tls would erroneously show a number of unsupported ciphers.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1393684575-28112-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenSSL 0.9.7 and older are considered obsolete (see
http://www.openssl.org/news/news.html). This patch updates configure.ac to
require OpenSSL 0.9.8 or newer, and removes a number of #ifdefs that are
now no longer needed.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1395582781-27966-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8392
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
stateless session resumption.
OpenVPN doesn't want or need SSL session renegotiation or
resumption, as it handles renegotiation on its own.
For this reason, OpenVPN always disables the SSL session cache:
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1395017376-24554-1-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8346
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Export ciphers are deliberately weak ciphers, and not fully supported by
OpenVPN since ephemeral RSA support has been removed a few commits ago.
This commit removes them from the default cipher list to avoid confusion.
PolarSSL does not support export ciphers, so no action required there.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-7-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8146
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to
prepare
for disabling export ciphers by default in OpenVPN 2.4+.
Also let tls_ctx_restrict_ciphers always be called, also when *cipher_list
is
NULL.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <52C8922E.3030607@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8173
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This code would not really generate ephemeral keys every time it is called,
but a single key that would be reused during process lifetime and returned
each time the function was called; probably not what users would expect.
TLS allowes ephemeral keys to be used only when no other key exchange, such
as (ephemeral) Diffie-Hellman, is performed. The end result is that it was
only used by a number of (weak) export ciphers, which could give users a
false sense of security.
So, instead of fixing a weak cipher mode, we'll just remove support for it
completely. Plenty of better alternatives are available in TLS.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8152
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This allows to check the available TLS ciphers for a specific configuration
by supplying both --tls-cipher and --show-tls options.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-4-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8150
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 4b67f98 changed call to TLSv1_{client,server}_method() to
SSLv23_{client,server}_method(), this commit updates the corresponding
error messages to match the changes in the code.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8147
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Commit 4b67f98 changed calls to TLSv1_{sever,client}_method() to
SSLv23_{client,server}_method() to enable TLS version negotiation. This
commit does the same for two calls of TLSv1_method() from support code.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1388607026-12297-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8148
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1385728360-32127-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8069
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1385210434-28364-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8039
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenSSL's tls_ctx_load_cert_file() had a parameter in which a copy of the
context's certificate chain was stored on return, used by
tls_ctx_use_external_private_key() only and free()d immediately thereafter.
PolarSSL also supported this output parameter, but returned a pointer to
the
context's certificate chain (rather than to a copy of the certificate, as
OpenSSL does) - which meant that we would have to #ifdef the free().
PolarSSL cannot make a copy of a certificate chain, and OpenSSL cannot
store a
pointer to (instead of a copy of) the cert.
So remove the output parameter from tls_ctx_load_cert_file() and
incorporate
the needed functionality directly into tls_ctx_use_external_private_key()
(which is straightforward for both OpenSSL and PolarSSL, as long as you
don't
try to support both at once.)
Signed-off-by: Joachim Schipper <joachim.schipper@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1379587649-25506-2-git-send-email-steffan.karger@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7888
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAK6ywbLVtSgRZEt4N+02fz+vQ0GNp==5KdsbqWtZ+fgUzrZq+g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7837
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Load intermediate certificates from a PKCS#12 file and place them in the
extra certs chain, when trusted CA certs are loaded from an external PEM
file with the --ca option, and the CA certs in PKCS#12 are not to be trusted.
Required when client PKCS#12 file is provided by a different CA
than the server CA, the PKCS#12 file contains intermediate certificates
required for client auth, but the server CA is not in the PKCS#12 file.
When --ca is set, the PKCS#12 provided CA certs are not trusted. Without
this patch, they were ignored completely - with this patch, they're loaded
in the extra certs chain which makes them available for chain verification
but still does not make them trusted if --ca is set. Unless when, of
course, a trusted root is found from the --ca file.
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <alpine.DEB.2.02.1306201400320.10116@jazz.he.fi>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7721
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Fixes to allow compilation with Microsoft Visual Studio 2008
* Fixed several instances of declarations after statements.
* In socket.c, fixed issue where uninitialized value (err)
is being passed to to gai_strerror.
* ssl.c is trying to access multi_output_peer_info_env
function in multi.c, causing an undefined symbol warning
at compile time. ssl.c is strictly a client of multi.c
(but not the other way around), therefore ssl.c does not
include multi.h and should not depend on multi.h API. To
fix, moved validate_peer_info_line and multi_output_peer_info_env
from multi.c to misc.c.
* MSVC doesn't support %z as a printf format specifier for size_t
* MSVC doesn't support a const variable being used to dimension
an array.
* Explicitly cast the third parameter to setsockopt to
const void *
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1375049135-21444-1-git-send-email-james@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7777
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Updated the TLS negotiation logic to adaptively try to connect using
the highest TLS version supported by both client and server.
Previously, OpenVPN (when linked with OpenSSL) would always connect
using TLS 1.0.
Also added tls-version-min directive to force a higher TLS version
than 1.0:
tls-version-min <version> ['or-highest'] -- sets the minimum
TLS version we will accept from the peer. Examples for version
include "1.0" (default), "1.1", or "1.2". If 'or-highest' is
specified and version is not recognized, we will only accept
the highest TLS version supported by the local SSL implementation.
Examples:
tls-version-min 1.1 -- fail the connection unless peer can
connect at TLS 1.1 or higher.
tls-version-min 1.2 or-highest -- require that the peer
connect at TLS 1.2 or higher, however if the local SSL
implementation doesn't support TLS 1.2 (as it wouldn't
if linked with an older version of OpenSSL), reduce the
minimum required version to the highest version supported
by the local SSL implementation (such as TLS 1.0). This
is intended to allow client configurations to target higher
TLS versions that are supported on the server, even if some
older clients don't support these versions yet.
[
This is a merged patch from on the following commits
on git://github.com/jamesyonan/openvpn.git
03a5599202bdc3ba07983dc4efdae387fb8fb436
d23005413b0e0f28a3c48a6342f494763d5c9b40
]
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7743
URL: http://thread.gmane.org/gmane.network.openvpn.devel/7744
Message-Id: 51C77F12.1090802@openvpn.net
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
used in
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1366059999-31731-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7511
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 51B1DBEF.1090705@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7664
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Reverts commit 15ca5c297b556fbb, instead change ssl_openssl.c to use
"constrain_int()", which already exists in "integer.h".
Using this instead of min_int() ensures that the result is always bounded
to 0...256 even in the case of a potential MAX_INT overflow.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1367826941-22412-1-git-send-email-gert@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/7586
Signed-off-by: David Sommerseth <davids@redhat.com>
|
|
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1CED409804E2164C8104F9E623B08B9013BC28A538@FOXDFT02.FOX.local>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7480
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
