gmane.network.openvpn.devel

Re: [Translation Question] Traditional Chinese

Heiko Hund — 2012-05-22T16:42:44

Took me a little while, but I just finished integrating it into the GUI. Don't 
know what .lang file is for, but I suppose it's another project you contribute 
translation to. The .rc file is now part of the official OpenVPN-GUI. Thanks 
for your efforts!


I released a new snapshot binary. You should be able to download it once it's 
spread across the Sourceforge download mirrors at 
http://sf.net/projects/openvpn-gui/files/Snapshot%20Binaries/2012-05-22/

Will you do the translation to Simplified Chinese as well? Is so, please base 
it on the openvpn-gui-res-zh-hant.rc file in the repository. I made some 
changes to the one you sent.

Thanks again
Heiko

Re: [PATCH] build: check minimum polarssl version

Adriaan de Jong — 2012-05-21T11:56:25

Looks good! I'll give it a feature ack. I don't see any problems in the autoconf code, but I'm not an expert in that area. So a tentative ack there too.

Adriaan


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

[PATCH] build: check minimum polarssl version

Alon Bar-Lev — 2012-05-21T11:04:14

Pre 1.1 is unsupported, API was changed.

Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
 configure.ac |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/configure.ac b/configure.ac
index 4592727..5ace128 100644
--- a/configure.ac
+++ b/configure.ac
< at >< at > -743,6 +743,27 < at >< at > if test -z "${POLARSSL_LIBS}"; then
 )
 fi
 
+if test "${with_crypto_library}" = "polarssl" ; then
+AC_MSG_CHECKING([polarssl version])
+old_CFLAGS="${CFLAGS}"
+CFLAGS="${POLARSSL_CFLAGS} ${CFLAGS}"
+AC_COMPILE_IFELSE(
+[AC_LANG_PROGRAM(
+[[
+#include <polarssl/version.h>
+]],
+[[
+#if POLARSSL_VERSION_NUMBER <= 0x01010000
+#error invalid version
+#endif
+]]
+)],
+[AC_MSG_RESULT([ok])],
+[AC_MSG_ERROR([invalid polarssl version])]
+)
+CFLAGS="${old_CFLAGS}"
+fi
+
 AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])
 AC_ARG_VAR([LZO_LIBS], [linker flags for lzo])
 have_lzo="yes"

Re: [Translation Question] Traditional Chinese

Yi-Wen Cheng — 2012-05-17T09:06:06

Hi,I just finished both of files for translating to traditional chinese.
 
The attachments are the files I provide.
 
Btw,how can I see the new GUI of traditional chinese on my laptop?
 
Thanks
 
Regards
 
YiWen 
 
On 05/14/12, Heiko Hund <heiko.hund< at >sophos.com> wrote: 
# this is a language file for Vistalizator
# compatible versions: 2.30
# author: froggie
# save this file in Unicode or UTF to preserve special characters
# put this file into program's "Languages" subfolder to have it loaded automatically at program's startup
# (it will be silently skipped if there is a built-in language with the same "EnglishName" value in its header)
# after approval, this translation can become a new buit-in language amongst others and will be included in a pack of all languages available for download
# English is a fallback language for missing lines (built in program)
# "|" represents a newline character (only messages 043, 084-096, 100 and 600-800: otherwise it is ignored as not expected/allowed), e.g. "Line

Re: Pre-2.3-alpha2 Windows installers now available

Alon Bar-Lev — 2012-05-16T19:11:35

Hello All,

I want to emphasis the request to test as:

1. The installer was fully re-written almost nothing remained from the
original one.

2. We now provide both 32bit and 64bit binaries, so far only 32bit
binaries were provided.

3. All userspace binaries are compiled using mingw-w64 compiler, this
is also a change from previous releases.

4. The tap-windows driver has its own installer which is embedded
as-is within the openvpn installer.

Any input will be much appreciated!

Alon.

On Wed, May 16, 2012 at 3:45 PM, Samuli Seppänen <samuli< at >openvpn.net> wrote:

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Openvpn

Re: eurephia plugin

David Sommerseth — 2012-05-16T15:57:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 16:39, Alon Bar-Lev wrote:
[...snip...]

Just to clarify, as Alon and I have had an IRC discussion today.
We've agreed that we will keep this code snippet enabled by default in
v2.3.  In v2.4 we will flip it to disabled by default.  And in v2.5,
it will go away.

The reason is also that code from James have arrived into the v2.3
code base which provides pretty much the same information as
'tls_digest_%d' does, using a new feature: --x509-track

See commit 9356bae859938c and commit 5cdb5e0111df7b3d for more
information about that.


I will take care of modifying eurephia and it's documentation.


Plug-ins can use the plug-in API v3 indeed.  Scripts however need to
use the new --x509-track feature instead and be rewritten to extract
the information from a different environment variable.  Both are new
features in the coming OpenVPN v2.3.  So we do need a transition
period before pulling this feature.

So, leave it as is in v2.3, flip to disabled by defa

Re: eurephia plugin

Alon Bar-Lev — 2012-05-16T14:39:13

On Wed, May 16, 2012 at 5:30 PM, David Sommerseth
<openvpn.list< at >topphemmelig.net> wrote:

Well, this is exactly my point in rejecting these kind of merges into
the code, examples: Android case, Windows privilege separation case.
A great example!

There are no temporary merges, only maintenance costs and code complexity.
This why features should be maintained outside of tree until properly
merged with proper design.
This process it is not unique to this project.

I am for announcing the removal have the time for all plugins authors
which may use this feature to modify their code. There is enough time
to do so, we are talking about ~5 months.

I am not sure that anyone knows this one even exists as was unique to
David's need. So most probably only the eurephia should be modified.

Samuli, I think it is simple enough... in the 2.3_alpha2 announcement,
announce that the tls_digest_* environment is obsolete and until 2.3
release all plugins authors must modify their plugins to use the V3
interface to extract this

Re: eurephia plugin

David Sommerseth — 2012-05-16T14:30:53

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 14:38, Alon Bar-Lev wrote:

I would prefer not to change this at the current point.  The eurephia
plug-in needs to be updated before we can do such a move.

And even though eurephia is the only known user of this information
currently;  We don't know if there are others who have began using
this information already which we don't know about.  So we might break
things, especially if other users are scripts.


Please, look carefully at the plug-in API.  It provides an extra array
pointer, which contains the environment variables.

OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v1)
     (openvpn_plugin_handle_t handle, const int type, const char
      *argv[], const char *envp[]);

OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2)
     (openvpn_plugin_handle_t handle,
      const int type,
      const char *argv[],
      const char *envp[],
      void *per_client_context,
      struct openvpn_plugin_string_list **return_

Re: Pre-2.3-alpha2 Windows installers now available

Samuli Seppänen — 2012-05-16T12:45:55

Forgot to mention... If you're interested in testing just the TAP-driver
installer, it's available here:

<http://build.openvpn.net/downloads/snapshots/tap-windows-9.9.0_master.exe>

Best regards,

Samuli




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Re: eurephia plugin

Alon Bar-Lev — 2012-05-16T12:38:54

On Wed, May 16, 2012 at 3:33 PM, David Sommerseth
<openvpn.list< at >topphemmelig.net> wrote:

Oh... so if the 2.3 can provide this information to your plugin, can
we remove this entirely?


But plugins should not communicate via environment...
I was confused, as I concluded that if you set the environment the
target consumer is a script.


Oh... I think that if you can do this with the v3 API we can simply
remove the code.


I thought of having the default as enabled and put '-' before element
to remove...
-* can remove all like Gentoo USE flags :)

But now that you describe you can do this using the plugin API, why
not modify the plugin to perform this and just remove this?

Alon.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threat

Re: eurephia plugin

David Sommerseth — 2012-05-16T12:33:24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 14:03, Alon Bar-Lev wrote:
[...snip...]

I think when James is concerned about stability issues, it is more the
situation of the code changing than growing the environment list too
long.  However, a too big environment list may cause stability issues
as well (overflow situations, etc).  So you have a good argument as well.

(In my case with the eurephia support, I added the #ifdef to make it
more likely that it would be accepted by James.)


I like this idea.  However, the plug-in v3 API is probably solving
some of these things as well, as that provides access to the whole
X509 structure.  That doesn't solve it for scripts, though, but for
plug-ins that will provide all the information ever needed directly.

But if I see it from a security perspective, reducing the amount of
environment variables and only providing the information requested for
makes a lot of sense - and this would affect both plug-ins and scripts
too.  So from a 'need to know' basis

Re: eurephia plugin

Alon Bar-Lev — 2012-05-16T12:03:44

On Wed, May 16, 2012 at 2:37 PM, David Sommerseth
<openvpn.list< at >topphemmelig.net> wrote:

OK, I am starting to understand.
Had I needed to implement this I would have done this differently...
As PKI already establish trust, usually all you need is the subject
name and/or issuer name to differentiate between certificates.

But if I get this right, a new configuration option is needed, not
compile time directive, something like:

--setenv-data [-]<data>, ...

data :: cert-digest-sha1

This way, only users which require this functionality may enable it
and perform hash of the chain. No stability issues in this mode.

In this scheme we can add more data types if required, and assign data
types for existing functionality, allowing to disable using "-",
example is cert-serial or cert-subject or certh-depth.

What do you think?

Alon.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
thr

Re: eurephia plugin

David Sommerseth — 2012-05-16T11:37:10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 12:55, Alon Bar-Lev wrote:
[...snip...]
[...snip...]

For the most common setup where you only have a single CA and the
client cert, the tls_digest_0 env. variable is the important factor.

But some users might do some tricks with certificate chains, using CA
and sub-CA(s), which a plug-in/script then can better validate if it
has all the levels.

For example, the firewall profiles for each user can be different
based on which kind of device you're connecting from (workstation,
laptop, tablet, etc) - and each group of devices can have certificates
issued by different sub-CAs.  But the end-user have only one
username/password to care about (the certificates/keys are distributed
by the enterprise in their preferred way to their devices), and based
on the certificate chain, the network access changes.

This way, if one sub-CA is removed/disabled from the eurephia
database, you can easily remove access from a complete group.  Maybe
that's something you o

Pre-2.3-alpha2 Windows installers now available

Samuli Seppänen — 2012-05-16T11:27:49

Hi all,

Here are the first fully-functional Windows installers built (by me)
with Alon's new cross-compilation environment (a.k.a. "generic"
buildsystem):

<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-i686.exe>
<http://build.openvpn.net/downloads/snapshots/openvpn-install-2.3_master-I000_master-x86_64.exe>

The installers and executables and libraries in them have been signed
with a self-signed test certificate. This means that Windows Vista/7
64-bit will refuse to install the (self-signed) TAP-drivers, unless this
CA certificate is in the system keystore:

<http://build.openvpn.net/downloads/openvpntestca-cert.cer>

This certificate can be imported using Microsoft management console
(mmc.exe):

- Add  the "Certificates" snap-in
- Go to "Trusted root certificates"
- Right-click "Certificates"
- Select "All tasks" -> "Import"

After this you can run the OpenVPN installer and it should just work. A
version of OpenVPN signed with paid-for certificate is coming soonish.
T

Re: eurephia plugin

Alon Bar-Lev — 2012-05-16T10:55:11

On Wed, May 16, 2012 at 1:46 PM, David Sommerseth
<openvpn.list< at >topphemmelig.net> wrote:

hmmm... why not to digest only end certificate? this what you actually
need right?


The whole point of plugin is that no change in base... conditionals
should be based on functionality.

Thanks,
Alon

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: eurephia plugin

David Sommerseth — 2012-05-16T10:46:08

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 12:37, Alon Bar-Lev wrote:

It was actually the other way around.  If people had stability issues,
which might be related to environment tables growing too big (or
somewhat related issues), this feature could be disabled to see if
that helped it.  Doing it like it is implemented made James happy, so
I didn't argue about it.


AFAIK, eurephia is the only plug-in depending on this feature, and it
this feature arrived first in v2.2.  So it was kind of to have a
clearer reference to what this feature is about.  But I see that this
information can be useful for other plug-ins/scripts as well.


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+zhW0ACgkQDC186MBRfrr5hQCfepddgwecRP0a8V+hJaM5n+Y9
gK8An3mlCMUAwjl5AlHojMOah3w0rGAd
=y4TQ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------

Re: eurephia plugin

Alon Bar-Lev — 2012-05-16T10:37:56

On Wed, May 16, 2012 at 1:27 PM, David Sommerseth
<openvpn.list< at >topphemmelig.net> wrote:

Thanks.
I don't see any reason why not to remove the #ifdef for 2.3... it is
default enabled anyway, so it is not like people should explicit
enable this and get lower stability.
Anyway, if the need of the digest is valid then it is not specific to
this plugin.

Alon.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: eurephia plugin

David Sommerseth — 2012-05-16T10:27:22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/05/12 09:17, Alon Bar-Lev wrote:

You can find more info about the plug-in here:  http://www.eurephia.net/

Basically, it's a username/password authentication plug-in which also
matches a user account up against a certificate too (plus some extra
features too as well).  The 'tls_digest_%d' environment variable is
used to get better data when matching certificates information against
the database.

I've been thinking that this whole #ifdef could go away in v2.4.  It
was a requirement from James to make this optional which is the reason
it is how it is.  He wanted to be sure it can be disabled if there
were stability concerns.  As this has been enabled by default in 2.2
and will be in 2.3, I thought 2.4 would be a reasonable time to
confirm the stability.

The [eurephia] string can also be removed then from options.c too; and
I'll make sure the eurephia docs states that v2.4 contains the support
even though not explicitly announced.


kind regards,

David So

eurephia plugin

Alon Bar-Lev — 2012-05-16T07:17:11

Hello David,

I guess this is yours:
---
 *  Additions for eurephia plugin done by:
 *         David Sommerseth <dazo< at >users.sourceforge.net> Copyright (C) 2009
---

Looking at the code the eurephia plugin only do the following:
---
#ifdef ENABLE_PLUGIN_EUREPHIA
  /* export X509 cert SHA1 fingerprint */
  {
    unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert, &gc);

    openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
    setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
                                          ":", &gc));
  }
#endif
---

Can you please explain what this plugin is and why just remove the conditional?

Thanks,
Alon.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malw

[PATCH] cleanup: update .gitignore

Alon Bar-Lev — 2012-05-15T22:21:15

Signed-off-by: Alon Bar-Lev <alon.barlev< at >gmail.com>
---
 .gitignore |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9f546a3..f762089 100644
--- a/.gitignore
+++ b/.gitignore
< at >< at > -1,4 +1,5 < at >< at >
 *.[oa]
+*.l[oa]
 *.dll
 *.exe
 *.exe.*
< at >< at > -17,6 +18,7 < at >< at > Release
 Debug
 Win32-Output
 .deps
+.libs
 Makefile
 Makefile.in
 aclocal.m4

Re: [RFC] Split plugins into their own repositories

Alon Bar-Lev — 2012-05-15T07:38:09

So basically what you want is to use adding the auth radius into the
core package.

Alon.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel