update metadata references for pkcs11-helper v1.30
remove local patches incorporated in new upstream
Signed-off-by: Marc Becker <marc.becker@astos.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231204153345.1146-1-marc.becker@astos.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option was removed in 2.3.0.
Change-Id: I243ba135ce36cff36ba77eead7dcd9354bd94ab7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231204153444.56906-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27677.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The name state_change is more confusing than helpful as it not really
indicates if there was a state change but rather if processing should
be continued. There even some states that are definitively state changes
(setting to_link buffer) that require continue_tls_process to be set
to false.
Change-Id: Ib6d713f2eb08a4c39d97de3e1a4a832cedc09585
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103704.61046-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27571.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The cmake file defined that file to be never present in contrast to the
old msvc-config.h that always had it present.
Remove also the compat implementation taken from mingw. All our current
build environments already have that header in place.
Change-Id: I9c85ccab6d51064ebff2c391740ba8c2d044ed1a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231128103950.62407-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Recent autoconf warns:
configure.ac:448: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
And it turns out that we do not actually use RETSIGTYPE.
Additionally, there is no reason to do so since as the
autoconf documentation says:
"These days, it is portable to assume C89, and that signal
handlers return void, without needing to use this macro or
RETSIGTYPE."
Change-Id: I7da7c2d7d34c7e5efd52d448646b4398a1005e77
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231128103740.61160-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27572.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This can happen if the memory alloc fails.
Patch V2: add goto error
Patch V3: return -ENOMEM instead of going to error
Change-Id: Iee66caa794d267ac5f8bee584633352893047171
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20231121170603.886801-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27541.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The inner loop used i instead of j when iterating through the buffers.
Since i is always between 0 and 2 and ks->send_reliable->size is
(when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not
cause an index of out bounds. So while the check was not doing anything
really useful with i instead of j, at least it was not crashing or
anything similar.
Noticed-By: Jon Williams (braindead-bf) on Github issue #449
Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231128104359.62967-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27576.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This debug code is not very useful as it is outdated and the same
functionality is provided by --show-gateway
Change-Id: Ie7fd59cc84e2eb024086c28c2ec2a5606a2b2e7c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201111717.14940-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27624.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This removes some leftover references to extract_x509_field_test that
was removed 15 years ago in commit 564cbab5f.
Change-Id: Ie511a586cf022afcab9d67891ff80676ac7d47b9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231201111846.15097-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27625.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Update to latest stable release
- Work-around patches not required anymore
- Official URL of repo has changed
Change-Id: I9b8e69f2b9838cea4cb9001f4e8960b8a39724ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231201123649.18127-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27635.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When we receive an SSL alert from a server we currently only log a
very cryptic OpenSSL error message:
OpenSSL: error:0A00042E:SSL routines::tlsv1 alert protocol version:SSL alert number 70
This also enables logging the much more readable SSL error message:
Received fatal SSL alert: protocol version
which previously needed --verb 8 to be displayed (now verb 3). Also rework the
message to be better readable.
Change-Id: I6bdab3028c9bd679c31d4177a746a3ea505dcbbf
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121103930.15175-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27523.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of repeating near identical code several times
in manage.c, use a small helper function instead.
Change-Id: I91f739f5cb43386b2ce767cf3603a76e6b93e216
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231121104254.15701-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27525.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Old expiration was October 2024, less than a year away.
Give everyone the chance to get the new keys before tests
start failing.
Change-Id: Ie264ec1ec61fd71e8cc87987be3e2adc2735c201
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231121110430.16893-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for tls-crypt packets in protocol_dump(). Currently,
protocol_dump() will print garbage for tls-crypt packets.
This patch makes protocol_dump print the clear text parts of the packet such
as the auth tag and replay packet id. It does not try to print the wKc for
HARD_RESET_CLIENT_V3 or CONTROL_WKC_V1 packets. It also intentionally
does not print ENCRYPTED placeholders for ack list and DATA, to cut down
on the noise.
Signed-off-by: Reynir Björnsson <reynir@reynir.dk>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <8237adde-2523-9e48-5cd4-070463887dc1@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27310.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As of version 3.5.0 the TLS-Exporter function is not yet implemented in
mbed TLS, and the exporter_master_secret is not exposed to the
application either. Falling back to an older PRF when claiming to use
TLS1.3 seems like false advertising.
Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115151740.23948-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27453.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some pushed options (such as DOMAIN-SEARCH) require DHCP server to work.
Warn user that such options will not work if the current driver (such
as dco-win) doesn't support DHCP.
Change-Id: Ie512544329a91fae15409cb18f29d8be617051a1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120656.6825-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When tap-windows6 driver is used, both --dhcp-option and
--dns options are applied with DHCP. When processing --dns options,
we don't set "tuntap_options.dhcp_options" member, which is required
for DHCP string to be sent to the driver. As a result, --dns options
are not applied at all.
Fix by adding missing assignment of tuntap_options.dhcp_options.
Github: fixesOpenVPN/openvpn#447
Change-Id: I24f43ad319bd1ca530fe17442d02a97412eb75c7
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231115120623.6442-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27402.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.
Github: fixesOpenVPN/openvpn#449
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[a@unstable.cc: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a regression from commit
01341840 ("add basic CMake based build")
S_IRUSR and S_IWUSR should NOT be defined as 0 but
as _S_IREAD and _S_IWRITE, as it was already fixed in commit
077445d0 ("Fix some more wrong defines in config-msvc.h")
Those are used as permission mode when opening a file. Passing
zero makes file read-only, which break for example --status-file
functionality.
Github: fixesOpenVPN/openvpn#454
Trac: #1430
Change-Id: I53eaee85d7b284af6bc63da5f6d8f310ddd96c47
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231114141653.10486-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27393.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fixed typographical errors in various documentation files for improved clarity and readability.
Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This broke in the CMake build since previously we
just always set HAVE_CHDIR to 1 in the MSVC build.
But actually the code should just not check HAVE_CHDIR
on Windows.
Github: fixesOpenVPN/openvpn#448
Change-Id: I0c78ce452135fe2c80275da449215ba926471018
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20231111081808.30967-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27362.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This overwrites the default that cmake automatically sets. In the
case of debug builds, this breaks debugging as -O1 already optimises
many variables away.
Change-Id: I3ca6965799b23d542ababc3e38880317cb46a3ac
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231107141755.30559-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231107141755.30559-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When I refactored the tls_state_change method in
9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.
The code here is extremely fragile in the sense
that it assumes that settings a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.
CVE: 2023-46850
This affects everyone, even with tls-auth/tls-crypt enabled.
Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-3-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 57a5cd1e12)
This is a find cases where the session already has planned to send out
a packet but encounters some other errors that invalidate the session,
setting it to S_ERROR and leaving the buffer behind.
This will detect and clear that to_link buffer in that case.
Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-2-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cd4d819c99)
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.
This also fixes also that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.
CVE: 2023-46849
Only people with --fragment in their config are affected
Change-Id: Icc612bab5700879606290639e1b8773f61ec670d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20231108124947.76816-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20231108124947.76816-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 1cfca65924)
Most struct fields in mbedtls 3 are private and now need accessor
functions. Most of it was straightforward to adapt, but for two things
there were no accessor functions yet:
* Netscape certificate type
* key usage (you can check key usage, but not get the raw bytes)
I decided to remove Netscape certificate type checks when using OpenVPN
with mbedtls. The key usage bytes were printed in an error message, and
I removed that part from it.
Adding the random number functions to the load private key function may
look weird, but the purpose is to make side channels for elliptic curve
operations harder to exploit.
Change-Id: I445a93e84dc54b865b757038d22318ac427fce96
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231025121830.1030959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27295.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since we're trying to use Gerrit for patch reviews, but the actual
merge process is still implemented against the ML and Patchwork,
I wrote a script that attempts to bridge the gap.
It extracts all relevant information about a patch from Gerrit
and converts it into a mail compatible to git-am. Mostly this
work is done by Gerrit already, since we can get the original
patch in git format-patch format. But we add Acked-by information
according to the approvals in Gerrit and some other metadata.
This should allow the merge to happen based on this one mail
alone.
v3:
- handle missing display_name and email fields for reviewers
gracefully
- handle missing Signed-off-by line gracefully
v4:
- use formatted string consistently
Change-Id: If4e9c2e58441efb3fd00872cd62d1cc6c607f160
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022105919.21779-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27279.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The -fno-sanitize-recover=all flag ensures that for all errors we actually
abort the tests in the automated testing and not just print some errors in red
that nobody sees. Also add the undefined tests to catch more bugs.
For libreSSL we do not add the udefined behaviour as we have (even with the
latest LibreSSL version) an undefined behaviour in LibreSSL itself.
Change-Id: I204b396dea9f22d68e8e091d181a85ffebde4c17
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231022105756.21080-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27278.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.
This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.
Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.
Github: fixesOpenVPN/openvpn#422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Half of them used unsigned int, the other half size_t.
Standardize on one. Could've also standardized on the
other, both are much too big for the expected numbers
anyway.
Add a new utility function clamp_size_to_int for
cases we need to change from size_t to int (there
are a lot of those all over our codebase).
Resolves some -Wconversion warnings.
Change-Id: Ic996eca227d9e68279a454db93fcbc86a7bd0380
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008104022.20200-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008104022.20200-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
inet_ntoa is officially deprecated and in some places
its use already causes warnings (e.g. Fedora submissions).
Since we mostly use inet_ntop already, just convert the
remaining usages to that.
Change-Id: I052bebe720ddf26340827f25b94705945e470bfa
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008103415.19625-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231008103415.19625-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a contribution for loading engine key. OpenSSL engine is
deprecated since OpenSSL 3.0 and James Bottomley has not agreed to
the proposed license chagne. He is also okay with removing the
feature from the current code base as it is obsolete with OpenSSL 3.0.
The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus
subsequent fixes).
Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231006111910.3541180-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27133.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since in the end this always ends up as an uint16_t
anyway, just make the conversion much earlier. Cleans
up the code and removes some -Wconversion warnings.
v2:
- proper error handling in options.c
v4:
- also introduce a minimum mssfix
Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231009105151.34074-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/search?l=mid&q=20231009105151.34074-1-frank@lichtenheld.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Print dco-win driver version using the new ioctl.
Requires dco-win driver 1.0.0 or newer to work.
Change-Id: I1d0d909e7fca3f51b5c848f1a771a989ab040f17
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20231008112755.23568-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27174.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The peer temporary key in TLS session is related to the PFS
exchange/generation. From the SSL_get_peer_tmp_key manual page:
For example, if ECDHE is in use, then this represents the
peer's public ECDHE key.
Change-Id: Iaf12bb51a2aac7bcf19070f0b56fa3b1a5863bc3
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105518.34432-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27192.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenSSL has a weird way of only reporting EC curves that are implemented
in a certain way in the list of all EC curves. Note this fact and point
out that also the very important curves X448 and X25519 are affected.
Change-Id: I86641bf60d62a50e9b2719e809d2429d65c00097
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105714.34598-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN 2.6 already warned about this feature being removed. OpenVPN
2.7 will with this change no longer accept these configurations without
having a --allow-deprecated-insecure-static-crypto added to the command
line or the configuration itself. This will serve as a last and final
warning for people who missed the warning message in OpenVPN 2.6.
This commit also removes the documentation for --secret and the static key
mode.
Change-Id: I4f29953b91cf8e8daf2c9503da44073ad96d0ff5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20231009105832.34762-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27194.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>