From: David S. <ope...@to...> - 2014-06-05 21:28:34

On 26/05/14 15:25, Daniel Kubec wrote:
> Add support for TLS Keying Material Exporters [RFC 5705].
>
> Keying Material Exporter allows additional keying material to be derived from an existing TLS channel.
> This exported keying material can then be used for a variety of purposes.

I've finally had some time to compile and test this patch, as well as done a code review of it.

First of all, this is a good piece of work! So I'm looking forward to seeing this arrive in OpenVPN. It will surely help develop more advanced authentication methods.

The patch does indeed work quite well. It provides a tls_binding_key environment variable to plugins which support OPENVPN_PLUGIN_TLS_FINAL.

Here are my comments, thoughts and questions ...

a) Is the intention that this tls_binding_key variable should only be available when the OPENVPN_PLUGIN_TLS_FINAL plugin call happens? Currently tls_binding_key is available to all plugin *and* script calls happening after OPENVPN_PLUGIN_TLS_FINAL has been called. But *only* after a plugin which supports this hook has run. This smells like a bug. I think I would recommend this variable only be available for the OPENVPN_PLUGIN_TLS_FINAL call. Which means you would need to add a setenv_del() in ssl.c:key_method_2_read() after plugin_call().

I spotted tls_binding_key in the following hooks (using a slightly modified sample-plugin/log/log.c):

Client side: PLUGIN_IPCHANGE, PLUGIN_UP, PLUGIN_ROUTE_UP and PLUGIN_ROUTE_DOWN
Server side: PLUGIN_IPCHANGE, PLUGIN_CLIENT_CONNECT_V2*, PLUGIN_LEARN_ADDRESS and PLUGIN_CLIENT_DISCONNECT

* Most likely PLUGIN_CLIENT_CONNECT too

I also tried to use a --client-connect script which dumps 'printenv' to a file. When this log.so plug-in was used, I saw tls_binding_key in the printenv dump. It was not present when log.so was not loaded.

b) Should there be a script-hook available for this as well? This could make it possible to make authentication methods using scripts as an addition to plug-ins written in C.
Just thinking aloud, not saying it's a requirement.

c) The format is currently like this:

0f3d5a7a 8b78fe1a 8a7fce61 58b89142

Is this format the preferred formatting? Other formats are available through format_hex_ex(). I would probably recommend another separator than space, if a separator is needed at all.

d) This patch breaks building with PolarSSL.

ssl.o: In function `key_method_2_read':
~/openvpn.git/src/openvpn/ssl.c:2129: undefined reference to `key_state_export_keying_material'
collect2: error: ld returned 1 exit status

I would recommend adding a kind of wrapper function in ssl_polarssl.c which adds this function. Not sure if it would be appropriate to do an ASSERT(0) or do something else. Maybe it should not set anything, just return without adding the tls_binding_key. When plug-ins expecting to see this fail to find this variable, it will be the plug-in's responsibility not to explode.

e) Has this patch been tested with OpenSSL < 1.0.1? Is it really needed with the #else ASSERT(0); ?

f) It should be stated better in the man page that this feature depends on a plug-in supporting OPENVPN_PLUGIN_TLS_FINAL.

--
kind regards,

David Sommerseth
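The RFC 5705 derivation behind the reviewed patch, as an added example that is neither Daniel's patch nor OpenVPN's code: it implements the TLS 1.2 exporter (the SHA-256 PRF over master secret, label and the two Hello randoms, with the optional length-prefixed context) and renders the result in the 4-byte-group hex layout quoted in point (c). The master secret, randoms and label are constructed placeholders; in a real client or server the TLS library (OpenSSL's SSL_export_keying_material) performs this step against the live session.

```python
import hmac
import hashlib
from typing import Optional

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    # TLS 1.2 P_SHA256 expansion (RFC 5246 section 5):
    # A(0) = seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # PRF(secret, label, seed) = P_SHA256(secret, label + seed)
    return p_hash(secret, label + seed, length)

def export_keying_material(master_secret: bytes, client_random: bytes, server_random: bytes,
                           label: bytes, length: int, context: Optional[bytes] = None) -> bytes:
    # RFC 5705 section 4: the exporter seed is client_random + server_random, optionally followed
    # by a 2-byte big-endian length and the context value. An empty context (length 0) is distinct
    # from "no context", which is why None rather than b"" marks the absence of one.
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("context value must be at most 2^16-1 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label, seed, length)

def format_hex_grouped(data: bytes, group: int = 4, sep: str = " ") -> str:
    # Hex rendering with a separator every `group` bytes; group=4, sep=" " gives the
    # "0f3d5a7a 8b78fe1a ..." layout the review quotes; other separators are one argument away.
    return sep.join(data[i:i + group].hex() for i in range(0, len(data), group))

# Constructed sample session values (not from any real handshake): a TLS master secret is
# 48 bytes and each Hello random is 32 bytes.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xAA] * 32)
SERVER_RANDOM = bytes([0xBB] * 32)
LABEL = b"EXPORTER-example-binding"  # hypothetical label; real labels are IANA-registered

def demo(length: int = 16) -> str:
    # Derive `length` bytes of exporter output and render it the way the reviewed patch does.
    return format_hex_grouped(export_keying_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, LABEL, length))

if __name__ == "__main__":
    print(demo())
```

This is the TLS 1.2 form only: TLS 1.0/1.1 use the MD5/SHA-1 split PRF and TLS 1.3 replaces the whole construction with HKDF (RFC 8446 section 7.5).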
From: Samuli S. <sa...@op...> - 2014-06-05 15:11:05

Hi all,

The OpenSSL project released fixes to several security vulnerabilities today, one of which (the MITM vulnerability) affects OpenVPN:

<http://www.openssl.org/news/secadv_20140605.txt>

OpenVPN 2.3.2 and 2.3.4 Windows installers that include a fixed version of OpenSSL have now been released:

<http://openvpn.net/index.php/download/community-downloads.html>

All Windows users of OpenVPN should upgrade their installations immediately to the latest 2.3.2 or 2.3.4 releases. Please note that OpenVPN 2.2.2 Windows installers, which were also vulnerable, have been removed from the main download pages. If you are unable to upgrade to a recent release you can still build 2.2.2 yourself, linking it to a more recent OpenSSL version.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
From: David S. <ope...@to...> - 2014-06-05 14:31:33

On 05/06/14 15:28, Mike Tancsa wrote:
> A few more vulnerabilities it would seem. Can anyone shed light on how
> this impacts OpenVPN ?
>
> http://www.openssl.org/news/secadv_20140605.txt
>
> Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ?

I don't remember the details around SSL_MODE_RELEASE_BUFFERS. As I understand, it needs to be explicitly enabled. At a very quick glance (git grep), I don't see that being used at all.

But OpenVPN does not make use of DTLS. DTLS came 4-5 years (roughly) after the first OpenVPN release. There are currently no immediate plans to move over to DTLS.

So, as with most of these OpenSSL issues: OpenVPN itself is secure, as long as OpenSSL is safe. And in most cases, enabling --tls-auth is an additional security barrier which can often make attacks on OpenVPN tunnels more difficult.

--
kind regards,

David Sommerseth
From: Arne S. <ar...@rf...> - 2014-06-05 14:30:13

On 05.06.14 15:28, Mike Tancsa wrote:
> A few more vulnerabilities it would seem. Can anyone shed light on how
> this impacts OpenVPN ?
>
> http://www.openssl.org/news/secadv_20140605.txt
>
> Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ?
>
> ---Mike

OpenVPN does not use DTLS or SSL_MODE_RELEASE_BUFFERS

Arne
From: Samuli S. <sa...@op...> - 2014-06-05 14:00:58

> A few more vulnerabilities it would seem. Can anyone shed light on how
> this impacts OpenVPN ?
>
> http://www.openssl.org/news/secadv_20140605.txt
>
> Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ?
>
> ---Mike

Hi,

According to the developers on #openvpn-devel the MITM vulnerability (CVE-2014-0224) is the only issue that affects OpenVPN. I'm in the process of building and testing updated Windows installers, which should get released in about an hour if all goes well.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
From: Mike T. <mi...@se...> - 2014-06-05 13:43:32

A few more vulnerabilities it would seem. Can anyone shed light on how this impacts OpenVPN ?

http://www.openssl.org/news/secadv_20140605.txt

Does OpenVPN make use of DTLS ? or SSL_MODE_RELEASE_BUFFERS ?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@se...
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
From: Gert D. <ge...@gr...> - 2014-06-05 07:17:44

Your patch has been applied to the master branch.

commit be46a2c083a6bd77754bc1674249eab583d25dac
Author: Heiko Hund
Date:   Thu Aug 16 10:38:50 2012 +0200

    refine assertion to allow other modes than CBC

    Signed-off-by: Heiko Hund <hei...@so...>
    Acked-by: Steffan Karger <ste...@fo...>
    Message-Id: <538...@ka...>
    URL: http://article.gmane.org/gmane.network.openvpn.devel/8748
    Signed-off-by: Gert Doering <ge...@gr...>

--
kind regards,

Gert Doering