As described in trac #484, the current inline file size limit of 10000
bytes is becoming an issue for some users. Since RSA keys and signature
sizes are increasing, we need to adjust our limits. As #484 reports,
10000 can be too small for PKCS#12 files with 4K RSA keys. Instead of
postponing this issue by increasing the static limit, dynamically increase
the buffer size while reading. This keeps the memory usage limited but does
allow for larger inlined files.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1430122342-11742-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9607 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 28 Apr 2015 10:20:19 +0000 (12:20 +0200)]
explain effect of --topology subnet on --ifconfig
The fact that the second parameter of --ifconfig is no longer
a "remote address" but a "netmask" when using --dev tun and
--topology subnet was not documented clearly enough.
Gert Doering [Tue, 28 Apr 2015 11:04:23 +0000 (13:04 +0200)]
Print helpful error message on --mktun/--rmtun if not available.
OpenVPN only supports --mktun/--rmtun to create/destroy persistant
tunnels on Linux. On BSD OSes, "ifconfig tun0 create" can do the
same job, so we do not actually need to support it - but the previous
error message ("unknown option") wasn't helpful. So always accept
the option now, and on non-supported systems, direct user to manpage.
Trac #85
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1430219063-12291-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9617
Gert Doering [Tue, 21 Apr 2015 20:49:12 +0000 (22:49 +0200)]
Fix leftover 'if (false) ;' statements
Commit a4b8f653ee5be9c2292c removed the #ifdefs for ENABLE_HTTP_PROXY and
ENABLE_SOCKS, thus making this "if (false) ; else if (...)" construct
superfluous. Spotted by David Sommerseth.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1429649352-21034-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9603
Steffan Karger [Thu, 26 Mar 2015 00:01:29 +0000 (01:01 +0100)]
Remove unneeded parameter 'first_time' from possibly_become_daemon()
The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon(). This makes the parameter useless.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9555 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Vasily Kulikov [Wed, 25 Feb 2015 16:07:18 +0000 (19:07 +0300)]
Mac OS X Keychain management client
This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server. This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface. The patch is based on
the Windows Crypto API certificate functionality that currently exists
in OpenVPN.
This patch version implements management client which handles RSA-SIGN
command for RSA offloading. Also it handles new 'NEED-CERTIFICATE'
request to pass a certificate from the keychain to OpenVPN.
OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when
--management-external-cert is used. It is implemented as a multiline
command very similar to an existing 'RSA-SIGN' command.
v4:
- added '--management-external-cert' argument
- keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
as cmdline's identity template
- fixed typo in help output option name
- added '--management-external-cert' info in openvpn(8) manpage
- added 'certificate' command documentation into doc/management-notes.txt
v3:
- used new 'NEED-CERTIFICATE' command for certificate data request
instead of 'NEED-OK'
- improved option checking
- improved invalid certificate selection string handling
- added man page for keychain-mcd
- handle INFO, FATAL commands from openvpn and show them to user
* ACK from Arne Schwabe for OpenVPN part
* ACK from James based on Arne's testing
v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/):
- used management interface to communicate with OpenVPN process
v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/):
- used RSA_METHOD to extend openvpn itself
Signed-off-by: Vasily Kulikov <segoon@openwall.com>
-- Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20150225160718.GA6306@cachalot>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9486 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sat, 27 Dec 2014 20:59:43 +0000 (21:59 +0100)]
Remove count_netmask_bits(), convert users to use netmask_to_netbits2()
The previous Linux/iproute2 code converted binary netmasks to string
representation (print_in_addr_t()), just to immediately scanf() it back
to binary to count bits. netmask_to_netbits2() directly works on the
in_addr_t.
Lev Stipakov [Thu, 5 Mar 2015 20:33:56 +0000 (22:33 +0200)]
Fix mssfix default value in connection_list context
Due to this bug, mssfix hasn't been assigned to fragment value
and used default value (1450) instead. As a consequence, TCP packets
get fragmented, which causes performance penalty.
This fix assigns mssfix value to fragment value for connection_entry
inside connection_list instead of connection_entry inside options struct
(which does not work for connection_list case).
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425587636-23338-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9507
Steffan Karger [Thu, 5 Mar 2015 21:37:31 +0000 (22:37 +0100)]
Allow for CN/username of 64 characters (fixes off-by-one)
This is an alternative patch to fix the issue reported in trac #515 by
Jorge Peixoto. Instead of increasing the TLS_USERNAME_LEN define, do +1 at
the relevant places in the code.
Also see Jorge's original patch and the discussion on the maillinglist:
http://thread.gmane.org/gmane.network.openvpn.devel/9438
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54F8CC9B.9040104@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9508 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 5 Mar 2015 21:58:35 +0000 (22:58 +0100)]
Get rid of old OpenSSL workarounds.
We now only support OpenSSL 0.9.8+, so we don't have to work around the bug
in 0.9.6b anymore. Also, OBJ_txt2nid() now takes a const char * (instead
of a char *), so we no langer have to cast away const.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1425592716-14243-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9512 Signed-off-by: Gert Doering <gert@greenie.muc.de>
CBC mode is the only mode that OpenVPN supports that needs padding. So,
only include the worst case padding size in the frame size calculation when
using CBC mode.
While doing so, rewrite crypto_adjust_frame_parameters() to be better
readable, and provide debug output (for high debug levels).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1406667144-17674-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8952 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 29 Dec 2014 17:48:45 +0000 (18:48 +0100)]
Print remote IPv4 address on a dual-stack v6 socket in IPv4 format
Previously, the code would print IPv4-mapped format ("::ffff:1.2.3.4"),
which is technically correct but adds no extra value, and is confusingly
different from the output if using a v4 socket. Print "1.2.3.4" instead,
whatever socket type is used.
Affects client IP address in log file, status output (mroute_addr_print_ex),
and environment (setenv_sockaddr).
The fact that a dual-stack socket was used is still visible in the initial
peer connect message in the log:
'... Peer Connection Initiated with [AF_INET6]::ffff:1.1.3.4:53779'
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1419875325-96015-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9363
Gert Doering [Sun, 8 Feb 2015 10:18:45 +0000 (11:18 +0100)]
New approach to handle peer-id related changes to link-mtu.
Instead of statically increasing link-mtu by +3, keep the old value for
OCC compatibility with old servers/clients, and only increase link-mtu
if peer-id option is enabled (right now: is pushed by server).
If link-mtu has been set in the config, keep configured value, and log
warning (because the extra overhead has to decrease tun-mtu).
Reserve extra +3 bytes in frame->extra_link.
v2: use frame->extra_link, not frame->extra_buffer (receive path on server)
introduce frame_add_to_link_mtu() to manipulate frame->link_mtu value
rework comments to make more clear what is happening
Steffan Karger [Sun, 15 Feb 2015 14:24:26 +0000 (15:24 +0100)]
Disable SSL compression
As reported in trac #502, SSL compression can cause problems in some corner
cases. OpenVPN does not need SSL compression, since the control channel is
low bandwidth. This does not influence the data channel compressen (i.e.
--comp or --comp-lzo).
Even though this has not yet been relevant for OpenVPN (since an attacker
can not easily control contents of control channel messages), SSL
compression has been used in the CRIME and BREACH attacks on TLS. TLS 1.3
will probably even remove support for compression all together, for
exactly this reason.
Since we don't need it, and SSL compression causes issues, let's just
disable it in OpenSSL builds. PolarSSL has no run-time flag to disable
compression, but is by default compiled without compression.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1424010266-5910-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9453 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 6 Feb 2015 12:38:00 +0000 (14:38 +0200)]
Fix NULL dereferencing
In certain cases buf.len can be -1, which causes BPTR to return NULL and
NULL pointer dereferencing on the next line.
As a fix, process only packets with non-zero length. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1423226280-9580-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9444
Lev Stipakov [Wed, 7 Jan 2015 19:26:38 +0000 (21:26 +0200)]
Disallow lameduck's float to an address taken by another client
Existing check didn't take into account the case when floated client is
lame duck (CN for lame duck is NULL), which allowed lame duck to float
to an address taken by another client.
As a fix we use cert_hash_compare function which, besides fixing
mentioned case, also allows lame duck to float to an address already
taken by the same client. Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1420658798-29943-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9386
Steffan Karger [Thu, 1 Jan 2015 19:46:09 +0000 (20:46 +0100)]
Add option to disable Diffie Hellman key exchange by setting '--dh none'
As requested on the mailing list and in trac ticket #410, add an option to
disable 'traditional' Diffie Hellman key exchange. People want to be able
to create ecdh-only configurations.
This patch also disables RSA key exchange by default for OpenSSL builds, to
prevent that people who set "--dh none" but have an OpenSSL version that
doesn't support ECDH end up with a less secure connection. Note that users
that specify their own --tls-cipher override these defaults and thus can
still use whatever OpenSSL supports (and might thus end up with less secure
connections).
PolarSSL does not allow to easily disable RSA key exchange during runtime,
but its default compile options do not include RSA key exchange based
cipher suites.
Finally update the manpage to reflect the new behaviour, and while touching
it change the text to motivate users towards a more secure configuration.
v2 - disable RSA key exchange by default
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1420141569-11773-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9376 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove the --disable-ssl configure option and accompanying ENABLE_SSL
defines in the master/2.4 branch, to reduce the code and testing
complexity a bit.
This does not remove to runtime option to run without SSL, just the compile
time option to not include any SSL-related code.
During the community meeting in November 2014 there were no objections
amongst he developers present. Also, this has been announced on the -users
and -devel mailing lists two weeks ago, without any response whatsoever.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54A4248A.1090501@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9371 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 25 Oct 2014 18:49:26 +0000 (20:49 +0200)]
openssl: add more descriptive message for 'no shared cipher' error
Overzealous users using the --tls-cipher option, or users with actual
incompatible crypto libaries often waste quite some time debugging the
'no shared cipher' error from openssl. See e.g. trac ticket #359:
https://community.openvpn.net/openvpn/ticket/359
This change adds a more clear, verb 1 error message reporting the problem
directly to the user, instead of just printing the openssl error.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EB12E.40200@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9209 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 25 Oct 2014 20:35:22 +0000 (22:35 +0200)]
openssl: add crypto_msg(), to easily log openssl errors
This works towards removing OpenSSL-specific error printing code from
error.c. The crypto_msg() functions provide convenience wrappers, specific
to OpenSSL. Instead of passing the magical 'M_SSLERR' flag to msg(), a
developer now just calls crypto_msg() to get OpenSSL errors dumped to log.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1414269324-14102-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9199 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Default gateway can't be determined on illumos/Solaris platforms
The logic which is used on BSD is preserved. The only distinction
is that illumos doesn't provide sa_len field in sockaddr structures. Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413315802-62359-5-git-send-email-alp@rsu.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9129
Steffan Karger [Sun, 28 Dec 2014 10:25:13 +0000 (11:25 +0100)]
Set tls-version-max to 1.1 if cryptoapicert is used
OpenVPN's current cryptoapicert implementation does not support TLS 1.2
(and newer). Fixing this requires a rewrite of our cryptoapi code to use
Microsofts' "Cryptography API: Next Generation", and several hacks to work
around that API. As long as we don't fix that, make openvpn automatically
cap the TLS version to 1.1 when using cryptoapi (and tell the user we're
doing so). This enables the user to use cryptoapi + TLS version
negotiation (upto TLS 1.1) without having to change his configuration.
This patch has been tested on Windows 8.1 for both the master and
release/2.3 branches.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1419762313-31233-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9361 Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Woodhouse [Thu, 11 Dec 2014 13:03:35 +0000 (13:03 +0000)]
pkcs11: Load p11-kit-proxy.so module by default
If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.
Trac: 490 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418303015.31745.78.camel@infradead.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9342 Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6f1d3cf062d5c33cbad4d521d157d43d53ffc7d1)
The coding style was somewhat chaotic. Cleaning it up using the astyle
tool. The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].
astyle --style=allman --indent=spaces=4 -c
Also included a "Local variables" section which some editors may pick
up automatically.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1418078751-3614-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9331 Signed-off-by: Gert Doering <gert@greenie.muc.de>
sockets: Remove the limitation of --tcp-nodelay to be server-only
The assert(0) happening if trying to use --tcp-nodelay in a client
config is really not helpful at all. When this assert(0) was removed,
another warning appeared that this could only be used in server
configs. That itself is also quite silly, as clients can choose to
use --socket-flags TCP_NODELAY in the client config instead. This
behaviour does not help the user in any way.
This patch removes the server-only restriction and rather provides
a more helpful warning when using --tcp-nodelay on the client side.
Trac: 489 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418118764-17846-1-git-send-email-openvpn.list@topphemmelig.net
URL: http://article.gmane.org/gmane.network.openvpn.devel/9334
Lev Stipakov [Mon, 8 Dec 2014 16:48:45 +0000 (18:48 +0200)]
Prevent memory drain for long lasting floating sessions
For every float event we generate prefix, which allocates 256 + 64
bytes. That memory is reclaimed when client disconnects, so long lasting
and constantly floating sessions drain memory.
As a fix use preallocated buffer inside multi_instance for storing
multi_prefix.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: 1418057325-13265-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9321 Signed-off-by: David Sommerseth <davids@redhat.com>
Lev Stipakov [Mon, 8 Dec 2014 17:06:02 +0000 (19:06 +0200)]
Add the peer-id to the output of the status command
This adds peer-id to the status output which might help analyze floating
logs. This will change the output of status in the same way commit 662ce6acc065bddf6490b3494725b8b3987b7def did.
Signed-off-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1418058362-13480-1-git-send-email-lstipakov@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9322 Signed-off-by: David Sommerseth <davids@redhat.com>
Steffan Karger [Sun, 7 Dec 2014 18:48:15 +0000 (19:48 +0100)]
Update doxygen (a bit)
This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.
Stuff that was changed:
* Explain data channel crypto format in crypto.h
* Add P_DATA_V1 and P_DATA_V2 packet format spec
* Remove '2.1' from title
* Update some OpenSSL-specific text
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9318 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sat, 6 Dec 2014 13:15:03 +0000 (14:15 +0100)]
Remove possibility of using --tls-auth with non OpenVPN Static key files
In older version OpenVPN would hash a --tls-auth file
if it does not conform to the expected format Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1417871704-30273-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9306
David Sommerseth [Sun, 16 Nov 2014 14:31:02 +0000 (15:31 +0100)]
down-root plugin: Replaced system() calls with execve()
The system() call is prone to shell expansions and provides far more
environments variables to the executable run than what is usually
preferred. By moving over to exevce() shell expansions are far more
difficult to achieve and only the OpenVPN provided environment
variables are available.
This is a response to the patch submitted to openvpn-devel ML:
http://article.gmane.org/gmane.network.openvpn.devel/7919
v2 - Pulling it up again, fixing a few whitespace and spelling issues
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1416148262-20978-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9238 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Tue, 2 Dec 2014 20:42:00 +0000 (21:42 +0100)]
Really fix '--cipher none' regression
... by not incorrectly hinting to the compiler the function argument of
cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
case.
Verified the fix on Debian Wheezy, one of the platforms the reporter in
trac #473 mentions with a compiler that would optimize out the required
checks.
Also add a testcase for --cipher none to t_lpback, to prevent further
regressions.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9300 Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 24 Nov 2014 18:09:38 +0000 (19:09 +0100)]
autotools: Fix wrong ./configure help screen default values
enable_crypto_ofb_cfb is "yes" by default, so the --help screen
should show --disable-ofb-cfb and not --enable-ofb-cfb.
enable_small and enable_password_save are both "no" by default, so
the --help screen should state "default: no". Now it says "yes" as
default, but is really disabled in the reality.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416852578-7581-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9278 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Thu, 20 Nov 2014 12:43:05 +0000 (13:43 +0100)]
Drop too-short control channel packets instead of asserting out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 23 Nov 2014 15:17:11 +0000 (17:17 +0200)]
Peer-id patch v7
Added new packet format P_DATA_V2, which includes peer-id. If server
supports, client sends all data packets in the new format. When data
packet arrives, server identifies peer by peer-id. If peer's ip/port has
changed, server assumes that client has floated, verifies HMAC and
updates ip/port in internal structs.
Changes in v7:
A few nitpicks.
Changes in v6:
Fixed: Make sure float won't happen if hmac check failed (regression).
Fixed: Access outside of bounds of array, which has caused memory
corruption and crash.
Various review fixes.
Changes in v5:
Protection agains replay attack by commiting float changes only after
existing packet processing flow has completed.
If peer floats to an address which is already taken by another active
session, drop float packet, otherwise disconnect existing session.
Changes in v4:
Handles correctly float to an address which is used by another peer.
This also has fixed crash on assert in multi_client_disconnect.
Changes in v3:
Bugfix: If float happens after TLS renegotiation and there are no
data packets between reneg and float, server will not recognize floated
client. Acked-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1416755831-21250-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9270
David Sommerseth [Thu, 13 Nov 2014 14:43:37 +0000 (15:43 +0100)]
systemd: Reworked the systemd unit file to handle server and client configs better
Systemd can delay starting a service if the network isn't fully available
yet. This feature is useful in client configurations, where OpenVPN will
not be started before the client can reach the Internet. It is the network
service manager which tells systemd if the system is "online" or not.
For server configurations, the OpenVPN should be able to be started,
regardless if the system is "online" or not. This is also the old
behaviour of most of the old init.d script and the last systemd unit file.
This patch splits the previous systemd unit file into to two files. One
which is aimed at clients (openvpn-client@.service) and one for server
configurations (openvpn-server@.service). These files will also pick
the configurations from different sub-directories. The unit file for
openvpn-client@ will use /etc/openvpn/client and the server unit file
will use /etc/openvpn/server. This also ensures that config files
are not started in the wrong manner.
The arguments given to the openvpn binary have also shifted order,
to ensure that some of them cannot be overridden by the config file,
such as --daemon and --writepid. For server configurations a
--status file is also added with the status format set to 2. This
can be overridden by the configuration file.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1415889817-28049-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9222 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 15 Nov 2014 16:25:07 +0000 (17:25 +0100)]
Fix compilation on Windows
The local member in struct link_socket_address went away a while ago.
Fixing the code to compile again under Windows. While there, also
fix the code to deal with struct link_socket_info.af == AF_UNSPEC
Steffan Karger [Wed, 22 Oct 2014 22:14:29 +0000 (00:14 +0200)]
Modernize sample keys and sample configs
I kept most of the certificate properties equal to the old
certs, since some people's test scripts might rely on them (and
it does not require any creativity from my part).
Changes:
* Add script to generate fresh test/sample keys
(but keep sample keys in git for simple testing)
* Switch from 1024 to 4096 bits RSA CA
* Switch from 1024 to 2048 bits client/server RSA keys
* Switch from 1024 to 2048 bits Diffie-Hellman parameters
* Generate EC client and server cert, but sign with RSA CA
(lets us test EC <-> RSA interoperability)
* Remove 3DES cipher from 'sample' config
* Add 'remote-cert-tls server' to client config
* Update config files to deprecate nsCertType in favour of the
keyUsage and extendedKeyUsage extensions.
* Make naming more consistent
Steffan Karger [Mon, 25 Aug 2014 22:03:23 +0000 (00:03 +0200)]
Add --tls-version-max
Because using TLS 1.2 breaks certain setups, a user might want to enforce
a maximum TLS version to use. This patch adds that option.
This patch removes a number of #ifdefs from ssl_polarssl.c, because the
polarssl versions we currently support (polar 1.2 for openvpn 2.3, and
polar 1.3 for openvpn-master) have all versions unconditionally enabled.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <544EC052.3080809@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9210 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sat, 8 Nov 2014 10:15:08 +0000 (11:15 +0100)]
Fix assertion error when using --cipher none
Some commits ago, the cipher mode checks were cleaned up to
remove code duplication (and fix the issue in #471), but broke
'--cipher none' (reported in #473). This commit fixes that.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <545DED2C.5070002@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9217 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix regression with password protected private keys (polarssl)
Between versions 1.2 and 1.3, polarssl changed the errors
returned by the X509 parsing functions, which broke the OpenVPN
implementation for password protected private keys in polarssl
builds. This patch fixes that by checking for the new errors in
OpenVPN.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5432E951.6020405@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
TDivine [Wed, 22 Oct 2014 07:07:39 +0000 (10:07 +0300)]
Fix "code=995" bug with windows NDIS6 tap driver.
Modification to address bug where OpenVPN enters state where it is
unresponsive and cannot be terminated. Log output is continuous spew
of "code=995" errors.
Revised fix for code=995 sped bug.
Adding new tap adapters while connected:
https://community.openvpn.net/openvpn/ticket/430
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-2-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9165 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1413961660-19251-3-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9167 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Samuel Thibault [Thu, 9 Oct 2014 21:40:49 +0000 (23:40 +0200)]
Ensure that client-connect files are always deleted
On a long-running, busy server using either a plug-in which hooks into
OPENVPN_PLUGIN_CLIENT_CONNECT or a configuration using --client-connect
a lot of unused files will be lingering and potentially filling up
the file system with temporary files if the plug-in or --client-connect
script fails.
This patch ensures that these files are always removed in the end,
regardless if the plug-in or script succeeds or fails.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 20141012195919.GU3738@type
URL: http://thread.gmane.org/gmane.network.openvpn.devel/9104/focus=9118
extract_x509_extension(): hide status message during normal operation.
For each recognized extension in a certificate, extract_x509_extension()
would issue an "ASN1 ERROR: can not handle field type" debug message at
verb 2. Reduce that to verb 9 (D_TLS_ERRORS -> D_TLS_DEBUG) and alter the
message text accordingly.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53E6A61C.7010106@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8981 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <54259015.2030005@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9056 Signed-off-by: Gert Doering <gert@greenie.muc.de>
systemd: Use systemd functions to consider systemd availability
This is another systemd implementation clean-up. It was found that
SELinux will block OpenVPN from checking /sys/fs/cgroups. As OpenVPN
only checked /sys/fs/cgroups and /sys/fs/cgroups/systemd to see if
systemd was available or not, it was considered better to query
systemd directly to see whether or not to query for usernames and
passwords via systemd.
This patch has been compile tested on Fedora 19 and Fedora 21 alpha and
function tested on Fedora 19.
v2 - Use PKG_CHECK_MODULES() + check for libsystemd before
libystemd-daemon. systemd >= 209 use a unified library
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1412356567-27125-1-git-send-email-openvpn.list@topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9072 Signed-off-by: Gert Doering <gert@greenie.muc.de>
ocsp_check - double check if ocsp didn't report any errors in execution
in case the reposnses are too old, ocsp tool can return text like this:
Response verify OK
ca/cert.pem: WARNING: Status times invalid. 139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT
light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
ocsp_check - signature verification and cert staus results are separate
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.
Otherwise results like:
Response Verify Failure 140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT
will be accepted as being trustworthy.
Note that "Response verify OK" is printed on stderr, so it can't
be discarded.
Steffan Karger [Wed, 20 Aug 2014 21:00:26 +0000 (23:00 +0200)]
Fix clang warning in options.c
fixed warning: expression which evaluates to zero treated as a
null pointer constant of type 'struct addrinfo *'
Seems to be innocent, but clang is correct that this is strange.
init_tun() expects two pointers, but options_string() tried to
feed it two uint32_t values.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1408568426-19601-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9004 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove quadratic complexity from openvpn_base64_decode()
Every four input characters, openvpn_base64_decode called token_decode,
which in turn called strlen() on the remaining input. This means that
base64 decoding in openvpn had quadratic complexity.
All we really need to know is whether the token is complete, so replace
the check to check just that, and make the complexity linear wrt the
input length.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <5408494D.7050407@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9016 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do the proper closing of the pipe ends which is not being used,
also in error situations. Moved the closing of the parent side
before the waitpid(), to be consistent with the child side (as
early as possible).
Also improved the error messages with more details.
[v2 - Don't call close() if execve() fails]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 20140909202408.GK1118@greenie.muc.de
URL: http://article.gmane.org/gmane.network.openvpn.devel/9036
It was discovered that the child processes openvpn fork()ed would
be lingering around until openvpn stopped. This was due to the lack
of a wait() call.
This patch also cleans up a few minor white-space issues in the same
code segment.
[v2 proper initialisation of status variable]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: 1409930731-15263-2-git-send-email-davids@redhat.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/9021
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On modern systems, topology subnet should always be set, but it's
missing in the configuration file.
Add it with a short explanation.
Signed-off-by: Philipp Hagemeister <phihag@phihag.de> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BF9998.5020906@phihag.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8878 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 13 Jul 2014 12:28:47 +0000 (14:28 +0200)]
Fix server routes not working in topology subnet with --server [v3]
The IPv4 routing code needs an IPv4 address to point a route to, and
in --topology subnet mode, the *server* did not have one set by default.
So we now just default --route-gateway to the next address right after
the server address - the specific address doesn't matter, as the correct
next-hop will not be resolved by the host OS but by the OpenVPN daemon.
All that is needed is "it's in the subnet routed to the tun interface".
Using the server address itself would work on unix, but doesn't work with
the Windows TAP driver (as it does not spoof ARP responses for itself).
Signed-off-by: Arne Schwabe <arne@rfc2549.org> Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1405254527-23833-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8904
Don't exit daemon if opening or parsing the CRL fails.
As requested in trac ticket #83, the daemon should not exit if opening the
CRL file during a connection attempt fails; OpenVPN should merely deny the
connection.
CRL files need to be periodically updated. When users update their CRL in
place and a connection attempt takes place simultaneously, the CRL file
might temporarily not be available, or not be in a consistent state.
Previously, that would result in the daemon exiting. With this patch, that
results in one (or possibly a few) failed connection attempts, but service
will restore automatically as soon as the CRL is again available in a valid
state.
Note that on startup OpenVPN still checks the existence and accessibility
of the CRL file, and will refuse to start on error.
While I was touching the code, I improved error reporting for the PolarSSL
code a bit. The polar code opens and parses the CRL in a single call, so
on error retrieve details from polarssl and report those to the user.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53BED57C.7070300@fox-it.com> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Andris Kalnozols [Sat, 28 Jun 2014 17:41:02 +0000 (19:41 +0200)]
Do not upcase x509-username-field for mixed-case arguments.
I revisited options.c to refine its brute-force upcasing behavior. Now, the
upcasing is done only if the option argument is all lowercase. Mixed-case
arguments and those with the "ext:" prefix are left unchanged. This
preserves the original intent of the "helpful" upcasing feature for
backwards compatibility while limiting its scope in a straightforward way.
Signed-off-by: Andris Kalnozols <andris@hpl.hp.com> Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <53B1BDD8.8020705@karger.me> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 7 Jul 2014 12:12:22 +0000 (14:12 +0200)]
Remove ENABLE_BUFFER_LIST
it is unconditionally enabled and OpenVPN does not compile if disabled Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1404735142-31420-4-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8841
Gert Doering [Tue, 8 Jul 2014 07:20:54 +0000 (09:20 +0200)]
Call init script helpers with explicit path (./)
The provided OpenVPN init scripts scan /etc/openvpn for *.conf and run
an OpenVPN process for each, and if a .sh script with the same base name
exists, this is run before openvpn. Change from running "$name.sh" to
"./$name.sh" - depending on the shell used, the script won't be found
otherwise, and ensuring that the script isn't searched in $PATH is the
right thing anyway.
Reported in trac #423
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Message-Id: <1404804054-32424-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8858
Gert Doering [Tue, 8 Jul 2014 14:45:58 +0000 (16:45 +0200)]
Fix t_lpback.sh platform-dependent failures
commit e97aa06dc058 introduced "full openvpn cipher testing", but fails
on OpenSSL 0.9.8 with DES-CFB1 (skip), on NetBSD for RC5-* (needs extra
library, libcrypto_rc5.a) and on Solaris for POSIXly "tail" (rewrite).
Don't issue warning for 'translate to self' tls-ciphers
All cipher suite names supplied through --tls-cipher are translated by
OpenVPN to IANA names, to get OpenSSL and PolarSSL configuration files
compatible. OpenSSL however supports cipher suite group names, like
'DEFAULT', 'HIGH', or 'ECDH'. To make OpenVPN not complain about these,
entries translating these to themselves were added to the translation
table. However, to make OpenVPN not still complain, the deprecated-name
check has to be reversed from 'if this is a deprecated name then complain'
to 'if this is not a iana name, then complain'. Which this commit does.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1404424065-24787-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8824 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 8 Jun 2014 16:16:13 +0000 (18:16 +0200)]
Add proper check for crypto modes (CBC or OFB/CFB)
OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which
have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API).
So, add extra checks to filter out those AEAD-mode ciphers.
Adding these made the crypto library agnostic function cfb_ofb_mode()
superfuous, so removed that on the go.
Also update all cipher mode checks to use the new cipher_kt_mode_*()
functions for consistency.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8779 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger [Sun, 8 Jun 2014 16:16:12 +0000 (18:16 +0200)]
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Makes OFB/CFB compile time configurable, and fixes output of --show-ciphers
to also show OFB/CFB ciphers along the way (becasue crypto.h was not
included from crypto_openssl.c).
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402244175-31462-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8781 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 10 Jun 2014 14:04:32 +0000 (16:04 +0200)]
implement adding/deleting routes on AIX, for IPv4 and IPv6
AIX only has TAP interfaces, so always use gateway address as next hop,
not interface name.
AIX route works much more reliable if passed netbits than netmask - do so
(introducing a new helper function netmask_to_netbits2()) Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-4-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8785
Gert Doering [Tue, 10 Jun 2014 14:04:31 +0000 (16:04 +0200)]
Add tap driver initialization and ifconfig for AIX.
AIX is special... ifconfig only works if it can add the data to
the ODM right away, so setup a local enviromnment set that has
"ODMDIR=/etc/objrepos" in it (hard-coded, nobody changes that).
Only --dev tap or --dev tapNN are supported right now. AIX has no
tun driver (so tun mode would need to dynamically add/remove ethernet
headers to/from AIX).
Signed-off-by: Gert Doering <gd@medat.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-3-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8788 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 10 Jun 2014 14:04:30 +0000 (16:04 +0200)]
Recognize AIX, define TARGET_AIX
force "have_tap_header=yes", as configure won't like AIX headers otherwise
(no tun related headers, just <net/if_tap.h>).
force ROUTE to be "/usr/sbin/route" - not executable by non-root users, so
configure testing for executables will not find it
force "ac_cv_header_net_if_h=no", because AIX' <net/if.h> pulls in AIX'
<net/route.h>, which #defines ROUTE_H, disabling our "route.h"... (and
we don't need <net/if.h> on AIX anyway)
Signed-off-by: Gert Doering <gd@medat.de> Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1402409073-54067216-2-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8787 Signed-off-by: Gert Doering <gert@greenie.muc.de>
James Bekkema [Thu, 26 Jun 2014 11:40:39 +0000 (21:40 +1000)]
Fix socket-flag/TCP_NODELAY on Mac OS X
Hi All,
OpenVPN 2.3.4 will currently throw a warning of "NOTE: setsockopt
TCP_NODELAY=1 failed (No kernel support) when attempting to use the
TCP_NODELAY socket option on Mac OS X/Darwin. Kernel support is there,
however the required header file where TCP_NODELAY is defined is not being
included. This patch simply alters syshead.h to include <netinet/tcp.h> on
Darwin platforms.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <A1005665-126D-45D5-A6F2-75ED0EAE30FE@sparklabs.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8809
Steffan Karger [Tue, 24 Jun 2014 20:03:26 +0000 (22:03 +0200)]
Update README.polarssl
PolarSSL support has been extended and adjusted, but README.polarssl was
not accordingly adjusted. This updates README.polarssl to the current state
of affairs for the master branch.
Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1403640206-7024-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8803 Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
