From: <ope...@li...> - 2011-03-25 07:38:21
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenVPN with experimental and new features - which requires a lot of testing".
The branch, master has been created
at 43c1f78ae018f30a55bf1aa72cdd4d6f7bf8bded (commit)
- Log -----------------------------------------------------------------
commit 43c1f78ae018f30a55bf1aa72cdd4d6f7bf8bded
Author: Pierre Bourdon <de...@gm...>
Date: Mon Oct 11 00:56:04 2010 +0200
Adding support for SOCKS plain text authentication
This patch adds support for SOCKS plain text (username/password)
authentication as described in RFC 1929. It adds an optional third
parameter to the socks-proxy option, which is a file containing the
login credentials.
I've been using this patch for two weeks now and it does not seem to
cause any problem. The only modifications are in the SOCKS handshake
handling and the options parser.
Signed-Off-By: Pierre Bourdon <de...@gm...>
Acked-by: Gert Doering <ge...@gr...>
Acked-by: David Sommerseth <da...@us...>
Signed-off-by: David Sommerseth <da...@us...>
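As an added illustration, not part of the commit or of OpenVPN's own code, here is the RFC 1929 username/password sub-negotiation the patch implements, with both sides of the exchange: the client request OpenVPN sends once the proxy selects method 0x02, and the proxy's parsing, credential check and status reply. The credential table and the values are constructed for the example. Note that the request carries the password in clear on the wire, which is why the credentials file and the link to the proxy both need protecting.

```python
"""RFC 1929 (SOCKS5 username/password) sub-negotiation, both directions.

Constructed example for this page, not OpenVPN's implementation.
Request : VER(0x01) | ULEN | UNAME | PLEN | PASSWD
Reply   : VER(0x01) | STATUS (0x00 = success, anything else = failure)
"""
import hmac
from typing import Dict, Tuple

SUBNEG_VERSION = 0x01   # sub-negotiation version byte defined by RFC 1929
STATUS_SUCCESS = 0x00   # non-zero status: server must close the connection


def build_auth_request(username: str, password: str) -> bytes:
    """Client side: encode the credentials as the RFC 1929 request."""
    uname = username.encode("utf-8")
    passwd = password.encode("utf-8")
    if not 1 <= len(uname) <= 255 or not 1 <= len(passwd) <= 255:
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([SUBNEG_VERSION, len(uname)]) + uname + bytes([len(passwd)]) + passwd


def parse_auth_request(data: bytes) -> Tuple[str, str]:
    """Server side: decode a request, rejecting truncated or oversized input."""
    if len(data) < 2 or data[0] != SUBNEG_VERSION:
        raise ValueError("bad sub-negotiation version")
    ulen = data[1]
    if len(data) < 2 + ulen + 1:
        raise ValueError("truncated username field")
    uname = data[2:2 + ulen]
    plen = data[2 + ulen]
    end = 3 + ulen + plen
    if len(data) != end:
        raise ValueError("truncated or oversized password field")
    passwd = data[3 + ulen:end]
    return uname.decode("utf-8"), passwd.decode("utf-8")


def build_auth_reply(ok: bool) -> bytes:
    """Server side: VER | STATUS."""
    return bytes([SUBNEG_VERSION, STATUS_SUCCESS if ok else 0x01])


def parse_auth_reply(data: bytes) -> bool:
    """Client side: True only for a well-formed success reply."""
    if len(data) != 2 or data[0] != SUBNEG_VERSION:
        raise ValueError("bad reply")
    return data[1] == STATUS_SUCCESS


def check_credentials(expected: Dict[str, str], username: str, password: str) -> bool:
    """Compare against a (constructed) credential table in constant time."""
    stored = expected.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def run_exchange(username: str, password: str, expected: Dict[str, str]) -> Tuple[bool, bytes]:
    """Run both sides in-process; returns (accepted, raw request bytes)."""
    request = build_auth_request(username, password)
    user, pw = parse_auth_request(request)
    reply = build_auth_reply(check_credentials(expected, user, pw))
    return parse_auth_reply(reply), request


if __name__ == "__main__":
    # Constructed credentials, standing in for the contents of the credentials file.
    table = {"vpnuser": "s3cret"}
    accepted, raw = run_exchange("vpnuser", "s3cret", table)
    print("accepted:", accepted)
    print("password visible in request bytes:", b"s3cret" in raw)
```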
commit a2d4ad1b2531b41ed5defa240db6b035eb6be634
Author: Mathieu GIANNECCHINI <mat...@fr...>
Date: Tue Mar 2 00:26:57 2010 +0100
enhance tls-verify possibility
It would be nice to enhance the tls-verify check possibilities against the peer
cert during a pending TLS connection, like:
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch adds a new "tls-export-cert" option which allows getting the peer
certificate in PEM format and storing it in an openvpn temporary file.
The peer certificate is stored before tls-verify script execution and deleted after.
The name of the related temporary file is available to the tls-verify
script through an environment variable "peer_cert".
The patch was made from the OpenVPN svn Beta21 branches.
Here is a very simple example of a tls-verify script which provides OCSP
support to OpenVPN (with the tls-export-cert option) without any OpenVPN
"core" modification:
    #!/bin/sh
    # tls-verify hook: $1 is the chain depth, $2 the X509 subject;
    # $peer_cert is the PEM file exported by --tls-export-cert.
    X509="$2"
    STATUS=$(openssl ocsp \
        -issuer /etc/openvpn/ssl.crt/RootCA.pem \
        -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
        -cert "$peer_cert" \
        -url http://your-ocsp-url 2>&1)
    # openssl ocsp exits 0 whenever a valid response was obtained, even when
    # that response says "revoked", so the status line must be checked too.
    if [ $? -ne 0 ] || ! echo "$STATUS" | grep -q ": good"
    then
        echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify"
        exit 1
    fi
    exit 0
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: Gert Doering <ge...@gr...>
commit e4f38dc332f973bfe6d20238a0819a663c1893a8
Author: Karl O. Pinc <ko...@mo...>
Date: Tue Mar 2 21:41:06 2010 +0100
Several updates to openvpn.8 (man page updates)
This is a collection of 4 patches sent to the -devel mailing list:
* [PATCH] Frob the openvpn(8) man page tls-verify section to clarify
* [PATCH] More improvements to openvpn(8) --tls-verify
* [PATCH] Yet another tweak of openvpn(8) --tls-verify
* [PATCH] Final frobbing of openvpn(8) --tls-verify
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: David Sommerseth <da...@us...>
commit 936a95b534b6e4d2a9c80f2113bf5c4bc33fbc0e
Author: Mathieu GIANNECCHINI <mat...@fr...>
Date: Tue Mar 2 00:26:57 2010 +0100
enhance tls-verify possibility
It would be nice to enhance the tls-verify check possibilities against the peer
cert during a pending TLS connection, like:
- OCSP verification
- check any X509 extensions of the peer certificate
- delta CRL verification
- ...
This patch adds a new "tls-export-cert" option which allows getting the peer
certificate in PEM format and storing it in an openvpn temporary file.
The peer certificate is stored before tls-verify script execution and deleted after.
The name of the related temporary file is available to the tls-verify
script through an environment variable "peer_cert".
The patch was made from the OpenVPN svn Beta21 branches.
Here is a very simple example of a tls-verify script which provides OCSP
support to OpenVPN (with the tls-export-cert option) without any OpenVPN
"core" modification:
    #!/bin/sh
    # tls-verify hook: $1 is the chain depth, $2 the X509 subject;
    # $peer_cert is the PEM file exported by --tls-export-cert.
    X509="$2"
    STATUS=$(openssl ocsp \
        -issuer /etc/openvpn/ssl.crt/RootCA.pem \
        -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \
        -cert "$peer_cert" \
        -url http://your-ocsp-url 2>&1)
    # openssl ocsp exits 0 whenever a valid response was obtained, even when
    # that response says "revoked", so the status line must be checked too.
    if [ $? -ne 0 ] || ! echo "$STATUS" | grep -q ": good"
    then
        echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify"
        exit 1
    fi
    exit 0
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.devel/2492>
<http://thread.gmane.org/gmane.network.openvpn.devel/3150>
<http://thread.gmane.org/gmane.network.openvpn.devel/3217>
This patch has been modified by David Sommerseth, by fixing a few issues
which came up during the code review process. The man page has been
updated and tmp_file in ssl.c is checked for not being NULL before calling
delete_file().
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: Gert Doering <ge...@gr...>
commit 29f3e73422d23d1544dddca48be06f6797456bc0
Author: Joe Patterson <j.m...@gm...>
Date: Mon Mar 21 18:02:59 2011 -0400
common_name passing in auth_pam plugin
Added the ability to have "COMMONNAME" replaced with certificate common
name in pam conversation.
Signed-off-by: Joe Patterson <j.m...@gm...>
Acked-By: David Sommerseth <da...@re...>
Signed-off-by: David Sommerseth <da...@re...>
commit c2b22ff1f32565522018491fbaf43c9e9939f36c
Author: Stefan Hellermann <st...@th...>
Date: Mon Feb 28 16:53:26 2011 +0100
Fixed typo in plugin.h
An additional ';' had sneaked into commit 4c4b8cedfa98e8892a53. Let's
kick it out again.
Signed-off-by: Stefan Hellermann <st...@th...>
Acked-by: David Sommerseth <da...@re...>
Signed-off-by: David Sommerseth <da...@re...>
commit 57478791c3bd71c04cb8d634ec1097d6a6700cc0
Author: Stefan Hellermann <st...@th...>
Date: Sun Feb 27 22:15:44 2011 +0100
plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
Commit 2db5a0ac3e053857d97e468de53e70a605f54561 adds two arguments to
plugin_call(...), but missed the !ENABLE_PLUGIN case. With
!ENABLE_PLUGIN, plugin_call(...) is only a dummy, so add these two
parameters there too.
Signed-off-by: Stefan Hellermann <st...@th...>
Acked-by: David Sommerseth <da...@re...>
Signed-off-by: David Sommerseth <da...@re...>
commit 691582b5a16ebc8a71d5d02ef456fefa2e2ec4c3
Author: David Sommerseth <da...@us...>
Date: Thu Jan 6 23:24:52 2011 +0100
Separate the general plug-in version constant and v3 plug-in structs version
After a review of the second round of the v3 plug-in implementation, it
was decided to use a separate constant defining the version of the structs
used for argument and return value passing, instead of OPENVPN_PLUGIN_VERSION.
To not make it too complex, this patch uses a shared version constant for all
the v3 structures. It is not expected that these structures will change too
much or too often.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit 7efbfdea878ea80c66dde605c4186e0ab2d11ed9
Author: David Sommerseth <da...@us...>
Date: Fri Dec 10 01:20:43 2010 +0100
Added a simple plug-in demonstrating the v3 plug-in API.
To build the plug-in, do ./build log_v3 in the plugin/examples directory.
This plug-in can be tested by running an OpenVPN server like this:
# ./openvpn --plugin plugin/examples/log_v3.so --dev tun \
--server 192.168.240.0 255.255.255.0 --ca sample-keys/ca.crt \
--cert sample-keys/server.crt --key sample-keys/server.key \
--dh sample-keys/dh1024.pem
The client can be started like this:
# ./openvpn --client --remote localhost --ca sample-keys/ca.crt \
--cert sample-keys/client.crt --key sample-keys/client.key \
--dev tun --nobind --auth-user-pass
This plug-in will only log arguments and environment variables it receives
during all the different plug-in phases OpenVPN currently supports. It will
also parse the X509 certificate information given during the TLS_VERIFY phase.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit d974980144f6fb17ed253f981ec99fb24a18a052
Author: David Sommerseth <da...@us...>
Date: Fri Dec 10 01:16:09 2010 +0100
Extend the v3 plug-in API to send over X509 certificates
Certificates are only sent to the plug-in API during the
OPENVPN_PLUGIN_TLS_VERIFY phase, and the call will contain a pointer to the
OpenSSL X509 certificate data.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit 4879ccd65cd5e7d83cc514f64709deef66ad2926
Author: David Sommerseth <da...@us...>
Date: Fri Dec 10 00:15:27 2010 +0100
Implement the core v3 plug-in function calls.
Let OpenVPN call the openvpn_plugin_open_v3() and
openvpn_plugin_func_v3() plug-in functions if they exist in the plug-in.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit 7e9b6690055e900aaf06dccc446b36f7a4f0fb34
Author: David Sommerseth <da...@us...>
Date: Fri Dec 10 00:09:20 2010 +0100
Define the new openvpn_plugin_{open,func}_v3() API
This just implements the basic API changes needed for the newer and more
flexible plug-in API.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit 43c1e98dff8217dda163a0f5a454c8270c1bdb01
Author: David Sommerseth <da...@us...>
Date: Mon Nov 29 23:57:44 2010 +0100
Provide 'dev_type' environment variable to plug-ins and script hooks
Normally OpenVPN is configured with --dev {tun,tap}, but it is also possible
to use --dev myvpn instead. In these situations, OpenVPN will request
--dev-type as well to be able to set up a tun or tap device properly.
The 'dev' environment variable will contain the value provided by --dev. In
those cases where the plug-in/script needs to behave differently when using a tun
device versus a tap device, there is no way for it to know what kind of device
--dev myvpn would be.
This patch adds a 'dev_type' environment variable which contains a string of the
device type, either automatically discovered based on the --dev name, or set using
the --dev-type option.
Signed-off-by: David Sommerseth <da...@us...>
Acked-by: James Yonan <ja...@op...>
commit eb9e4ec45573f6dbbe743d9a958ccfd7f08e155a
Author: James Yonan <ja...@op...>
Date: Mon Dec 13 09:27:08 2010 +0000
Misc fixes to r6708.
Fixed issue where "signal SIGTERM" entered from the management
interface might get subsequently downgraded to a SIGUSR1.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
commit a00869b9d1f8877c90f444b53e9b6bd8103d7a18
Author: James Yonan <ja...@op...>
Date: Thu Dec 9 11:21:04 2010 +0000
Added "management-external-key" option. This option can be used
instead of "key" in client mode, and allows the client to run
without the need to load the actual private key. When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:
>RSA_SIGN:[BASE64_DATA]
The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:
rsa-sig
[BASE64_SIG_LINE]
.
.
.
END
This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
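The notification and reply framing described in this commit, as an added example written for this page and not taken from OpenVPN's management code. It handles both directions: parsing the `>RSA_SIGN:` notification a management client receives, producing the `rsa-sig` ... `END` block it must answer with, and, for the OpenVPN side, collecting that multi-line reply. The actual signing is an injected function so that any cryptographic service provider can sit behind it; `placeholder_signer` is a constructed stand-in that merely tags the data and is not a real RSA signature, and the 64-character line wrapping is an assumption of this example.

```python
"""Framing for the management-external-key RSA_SIGN exchange (constructed example).

OpenVPN -> management client:   >RSA_SIGN:<base64 data to sign>
Management client -> OpenVPN:   rsa-sig
                                <base64 signature, one or more lines>
                                END
Not OpenVPN's code; the signer is pluggable and the demo signer is a placeholder.
"""
import base64
import binascii
from typing import Callable, Iterable, List, Optional

NOTIFY_PREFIX = ">RSA_SIGN:"
RESPONSE_HEADER = "rsa-sig"
RESPONSE_END = "END"
LINE_WIDTH = 64  # assumed wrap width for the base64 signature lines


def parse_rsa_sign_notification(line: str) -> Optional[bytes]:
    """Return the raw bytes to sign, or None if this is some other management line."""
    line = line.rstrip("\r\n")
    if not line.startswith(NOTIFY_PREFIX):
        return None
    try:
        # validate=True rejects anything that is not strict base64 (e.g. injected text).
        return base64.b64decode(line[len(NOTIFY_PREFIX):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed RSA_SIGN payload: {exc}") from exc


def build_rsa_sig_response(signature: bytes) -> List[str]:
    """Management-client side: wrap the signature into the rsa-sig ... END block."""
    b64 = base64.b64encode(signature).decode("ascii")
    body = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
    return [RESPONSE_HEADER, *body, RESPONSE_END]


def parse_rsa_sig_response(lines: Iterable[str]) -> bytes:
    """OpenVPN side: accept base64 lines after 'rsa-sig' until the END terminator."""
    it = iter(lines)
    first = next(it, None)
    if first is None or first.strip() != RESPONSE_HEADER:
        raise ValueError("expected 'rsa-sig' header")
    chunks: List[str] = []
    for raw in it:
        line = raw.strip()
        if line == RESPONSE_END:
            return base64.b64decode("".join(chunks), validate=True)
        chunks.append(line)
    raise ValueError("rsa-sig response not terminated by END")


def handle_notification(line: str, signer: Callable[[bytes], bytes]) -> List[str]:
    """Management client: parse, hand the data to the CSP, return the reply lines."""
    data = parse_rsa_sign_notification(line)
    if data is None:
        raise ValueError("not an RSA_SIGN notification")
    return build_rsa_sig_response(signer(data))


def placeholder_signer(data: bytes) -> bytes:
    """Constructed stand-in for the cryptographic service provider; NOT a real signature."""
    return b"SIGNED:" + data


def round_trip(data: bytes, signer: Callable[[bytes], bytes] = placeholder_signer) -> bytes:
    """Simulate the full exchange and return what OpenVPN would receive as the signature."""
    notification = NOTIFY_PREFIX + base64.b64encode(data).decode("ascii")
    return parse_rsa_sig_response(handle_notification(notification, signer))


if __name__ == "__main__":
    for line in handle_notification(">RSA_SIGN:AQI=", placeholder_signer):
        print(line)
```

A real management client would replace `placeholder_signer` with a call into its key store or HSM and keep everything else unchanged; that separation is the point of the option, since the private key never has to be readable by the OpenVPN process.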
commit 32e0dfa74da8655205300094748712fcda897098
Author: Markus Koetter <ko...@rr...>
Date: Fri Dec 10 20:30:09 2010 +0100
Add extv3 X509 field support to --x509-username-field
This allows using other X509 certificate fields for the certificate
authentication. To use altSubjectName, use
--x509-username-field ext:altSubjectName
This feature requires OpenVPN to be built with --enable-x509-alt-username
This patch is slightly modified, to honour --enable-x509-alt-username
compile time configuration. Two #ifdef's are added.
Signed-off-by: Markus Koetter <ko...@rr...>
Signed-off-by: David Sommerseth <da...@re...>
Acked-by: David Sommerseth <da...@re...>
Signed-off-by: David Sommerseth <da...@re...>
-----------------------------------------------------------------------
hooks/post-receive
--
OpenVPN with experimental and new features - which requires a lot of testing