From patchwork Fri Dec 7 16:03:26 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 637
To: "openvpn-devel@lists.sourceforge.net", OpenVPN Users
From: David Sommerseth
Openpgp: id=7ACD56B74144925C6214329757DB9DAB613B8DA1
Date: Sat, 8 Dec 2018 04:03:26 +0100
Subject: [Openvpn-devel] Release of OpenVPN 3 Linux v1 (Beta)

OpenVPN 3 Linux v1 (beta) release
=================================

The first beta release of the new OpenVPN 3 Linux client is now available. This release is considered reasonably stable and is suitable for daily usage by people willing to test new cutting edge software.

The OpenVPN 3 Linux client is a very different way of interfacing with VPN tunnels than the previous OpenVPN 2.x releases, where privilege separation and runtime security is tightened a lot more. This is done by building on the capabilities D-Bus provides. The result is that unprivileged end-users are capable of starting and managing their own VPN connections and sessions without needing any additional privileges.

This is also the first release to provide a new API (over D-Bus) used to create, configure and manage TUN devices, including DNS configuration. This new interface has been modelled after the Android VPN API.

What is really the biggest change is the handling of DNS configurations. Currently, the DNS handling is done by taking control over /etc/resolv.conf directly; similar to what the update-resolv-conf approach OpenVPN 2 needs to use. But the difference is that this works out-of-the-box with the default install.
In coming releases we will extend this to support more backends for DNS configuration, such as systemd-resolved and similar. Unfortunately, NetworkManager currently does not provide an external API for doing similar approaches.

Another big difference is the provided Python 3 module for OpenVPN 3. This is a reference implementation of how to write your own tooling in Python to manage VPN configurations as well as starting and managing VPN sessions. Since this builds on the D-Bus API enabled in OpenVPN 3 Linux, this is not restricted to Python itself, but the Python implementation can be considered a reasonable study case for other platforms supporting D-Bus.

Finally, the OpenVPN 3 Core library provided in this release has very recently been extended with tls-crypt-v2 support, which can be tested against OpenVPN 2 git master branch builds, which contain the coming v2.5 release.

The OpenVPN 3 Linux release needs to be heavily tested. But there are some features which are not available in OpenVPN 3 in general. There is no TAP device support planned, and further features like --fragment are unsupported. Other missing features are the script hooks and plug-in interface (which can use the D-Bus interface to trigger external events). In general, if your existing VPN client configuration works with OpenVPN Connect or OpenVPN for Android with the OpenVPN 3 backend enabled, then it will work with the Linux client.

Source code
-----------

- Source package:
- PGP signature:
- GitLab:
- GitHub:

Binary packages
---------------

Fedora 28, 29 and EPEL:

The Fedora EPEL repository provides packages for Red Hat Enterprise Linux 7 which also work on CentOS 7 and Scientific Linux 7.

Debian and Ubuntu packages are in the pipe and we will announce their availability as soon as they are ready.

Known issues
------------

- man-pages are far from completed. Currently man-pages for openvpn2 and openvpn3-autoload are generated as well as a brief overview of the openvpn3 front-end.
  But this will be improved with time.

- mbed TLS v2.7.0 or newer is required

  Quite recently the OpenVPN 3 Core library added a fix to avoid using a deprecated function. It was not noticed at that point that this change would break the building of OpenVPN 3 on Debian 9 or similar distributions which ship an older mbed TLS library. The current workaround is to apply the attached patch, which will restore the old API present in older mbed TLS versions.

  To apply the attached patch:

    $ tar xvJf openvpn3-linux-1_beta.tar.xz
    $ cd openvpn3-linux-1_beta
    $ patch -p1 < /path/to/fix-openvpn3-linux-mbedtls-older-than-2.7.patch

  Then follow the build instructions in the README.md file.

- Lacking OpenSSL build support.

  In a coming release, the OpenSSL library will be replacing the current mbed TLS library as the default. But it will be possible to build with both of them.

- Read the README.md file carefully when building OpenVPN 3 Linux yourself. One important detail which might make things simpler for you is to ensure the 'openvpn' user and group accounts are created before you start building and in particular before you run 'make install'.

- On Debian and Ubuntu, the OpenVPN 3 Python library is installed in the wrong directory. Most distributions use /usr/lib/python3.Y/site-packages, while Debian 9 uses just /usr/lib/python3.Y. A quick workaround is to just install a symlink:

    # cd /usr/lib/python3.X && ln -sf site-packages/openvpn3

  The Python module must be functional for the 'openvpn2' and 'openvpn3-autoload' tools to work.

- *Some* systems *might* not reload the D-Bus policy as quickly as expected. Sometimes it works better when forcing the dbus-daemon to reload its configuration. This can be done via:

    systemctl reload dbus

  (Do _NOT_ attempt to _restart_ dbus-daemon on a running system, it might make your system misbehave afterwards)

--- a/openvpn3-core/openvpn/mbedtls/ssl/sslctx.hpp.orig 2018-12-07 23:35:14.288411887 +0100
+++ b/openvpn3-core/openvpn/mbedtls/ssl/sslctx.hpp 2018-12-07 23:35:27.648043080 +0100 @@ -1224,11 +1224,7 @@ { const int SHA_DIGEST_LEN = 20; static_assert(sizeof(AuthCert::issuer_fp) == SHA_DIGEST_LEN, "size inconsistency"); - if(mbedtls_sha1_ret(cert->raw.p, cert->raw.len, ssl->authcert->issuer_fp)) - { - OPENVPN_LOG_SSL("VERIFY FAIL -- SHA1 calculation failed."); - fail = true; - } + mbedtls_sha1(cert->raw.p, cert->raw.len, ssl->authcert->issuer_fp); } } else if (depth == 0) // leaf-cert
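Review bot: the one-line replacement in this hunk drops the error path together with the `_ret` call, so a failing SHA-1 computation is no longer logged as "VERIFY FAIL -- SHA1 calculation failed." and no longer sets `fail = true`; whatever bytes are left in `ssl->authcert->issuer_fp` are then used as the issuer fingerprint as if the digest had succeeded. With the older `mbedtls_sha1()` returning void that loss is unavoidable on pre-2.7 mbed TLS, but as written the patch also applies it unconditionally to builds against 2.7 and newer, where the function is the deprecated one the Core library had just moved away from. Suggest guarding on the library version instead: `#if MBEDTLS_VERSION_NUMBER >= 0x02070000` keeping the original `if(mbedtls_sha1_ret(...))` block with its `fail = true`, and `#else` the `mbedtls_sha1(cert->raw.p, cert->raw.len, ssl->authcert->issuer_fp);` call, so the workaround only changes behaviour where the new API is absent.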