From patchwork Tue Jan 14 09:43:55 2025
X-Patchwork-Submitter: "d12fk (Code Review)"
X-Patchwork-Id: 4050
From: "plaisthos (Code Review)"
X-Google-Original-From: "plaisthos (Code Review)"
X-Gerrit-PatchSet: 1
Date: Tue, 14 Jan 2025 09:43:55 +0000
To: flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
X-Gerrit-Change-Number: 859
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 95c1e8e22a8b5180a65cd80ef367a7a7cef5e138
Message-ID: <57a9ad9e2c345ece460491326b4df9285578df19-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Improve peer fingerprint documentation
X-BeenThere: openvpn-devel@lists.sourceforge.net
Precedence: list
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel
X-getmail-filter-classifier: gerrit message type newchange

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/859?usp=email

to review the following change.

Change subject: Improve peer fingerprint documentation
......................................................................

Improve peer fingerprint documentation

- fix typo in peer-fingerprint
- use ec_paramgen_curve instead of requiring a subshell

Note: we still use -nodes instead of -noenc as it is more compatible.
closes: issue #666 Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5 Signed-off-by: Arne Schwabe --- M doc/man-sections/example-fingerprint.rst 1 file changed, 10 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/59/859/1 diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 7cdda19..31ca0c1 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -18,7 +18,7 @@ 2. Generate a self-signed certificate for the server: :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate @@ -28,7 +28,7 @@ openssl x509 -fingerprint -sha256 -in server.crt -noout - This output something similar to: + This outputs something similar to: :: SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff @@ -64,6 +64,12 @@ # Ping every 60s, restart if no data received for 5 minutes keepalive 60 300 + # Uncomment the line below if you want to have persistent IP addresses + # ifconfig-pool-persist /etc/openvpn/server/ipp.txt + + # Uncomment the line below to push a DNS server to clients + # push "dhcp-option DNS 1.1.1.1" + 5. Add at least one client as described in the client section. 6. Start the server. @@ -85,7 +91,7 @@ different name for each client. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look something like this: 
@@ -162,7 +168,7 @@ ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 - + 6. (optional) if the client is an older client that does not support the :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3
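Review bot: In the server-key hunk (@@ -18,7 +18,7 @@), `-newkey ec -pkeyopt ec_paramgen_curve:secp384r1` drops the bash-only `<(openssl ecparam -name secp384r1)` process substitution, so the command now also runs in a plain POSIX sh, but the surrounding text does not say that the curve is now selected via `-pkeyopt`; a short sentence noting this, and that it requires an `openssl req` with `-pkeyopt` support (present in OpenSSL 1.1.x and 3.x), would help readers on older or non-OpenSSL toolchains. The reason given in the commit message for keeping `-nodes` instead of `-noenc` (wider compatibility) is also worth stating in the document itself, since man page readers will not see the commit message.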
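Review bot: The two commented-out directives added to the server example in the @@ -64,6 +64,12 @@ hunk (`# ifconfig-pool-persist /etc/openvpn/server/ipp.txt` and `# push "dhcp-option DNS 1.1.1.1"`) are not covered by the commit message, which lists only the typo fix and the `ec_paramgen_curve` change; either add a bullet for them or move them to a separate change. Because `1.1.1.1` is a specific third-party resolver, the comment should say it is a placeholder to be replaced with the operator's own DNS server, so the example is not read as a recommendation to push that resolver to all clients.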
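Review bot: In the client-key hunk (@@ -85,7 +91,7 @@), `-keyout -` is new relative to the server command and relies on openssl treating `-` as standard output, so that key and certificate both land in the terminal, which is what the following sentence ("The output of the command will look something like this") assumes; a remark that the client key is deliberately printed rather than written to a file, unlike the server's `-keyout server.key`, would avoid readers treating the asymmetry as a mistake. The unchanged context line `This generate a certificate and a key for the client.` still has a grammar error ("This generates"); since this change already fixes "This output" to "This outputs" in the @@ -28,7 +28,7 @@ hunk, fix this one in the same change.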
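Review bot: The whitespace-only change in the @@ -162,7 +168,7 @@ hunk (a trailing space removed from the blank line after the fingerprint examples) is unrelated to the stated purpose of the change; either mention it as incidental cleanup in the commit message or drop it to keep the diff focused on the documented fixes.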