From: Josh C. <jos...@us...> - 2013-12-18 02:05:43

Here's an update about Easy-RSA v3 in case there were any lingering contributions or ideas.

As of Dec 01, info & downloads have been available on the users list for v3.0.0-rc1. No replies have been sent to that thread, though a few improvements have been made following the release; these are slated for an -rc2 to be released shortly, quickly followed by an official 3.0.0 release if there are no known issues or other hold-ups. I plan to add a Win32 integration-branch for openvpn-build at that point.

The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit 8b1fe01.) While I hope this isn't a common need, the fix was simple enough, and this is still a supported OpenSSL version.

Additional feature improvements include PKCS#7 support, some minor fixes, code style, and updated docs. I also plan to add in a passphrase change command for -rc2 so private keys can be re/un-encrypted.

At this point, the notable thing missing compared to the 2.x-series is PKCS#11 support. My thought here is that it should either have universal support for both Windows and *nix platforms or be exposed as distro-centric additions. I'd rather see a pkcs11 frontend script that is targeted to each platform, and envision this as a 3.1 release target feature.

--
Josh Cepek
From: Samuli S. <sa...@op...> - 2013-12-19 11:01:45

> Here's an update about Easy-RSA v3 in case there were any lingering contributions or ideas.
>
> As of Dec 01, info & downloads have been available on the users list for v3.0.0-rc1. No replies have been sent to that thread, though a few improvements have been made following the release; these are slated for an -rc2 to be released shortly, quickly followed by an official 3.0.0 release if there are no known issues or other hold-ups. I plan to add a Win32 integration-branch for openvpn-build at that point.
>
> The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit 8b1fe01.) While I hope this isn't a common need, the fix was simple enough, and this is still a supported OpenSSL version.
>
> Additional feature improvements include PKCS#7 support, some minor fixes, code style, and updated docs. I also plan to add in a passphrase change command for -rc2 so private keys can be re/un-encrypted.
>
> At this point, the notable thing missing compared to the 2.x-series is PKCS#11 support. My thought here is that it should either have universal support for both Windows and *nix platforms or be exposed as distro-centric additions. I'd rather see a pkcs11 frontend script that is targeted to each platform, and envision this as a 3.1 release target feature.

Hi Josh,

Do you think easy-rsa 3.0 would be a drop-in replacement for 2.0 by the time we push out the OpenVPN 2.4 alpha(s)? I believe that'll happen in Q1 next year. I can package easy-rsa 3.0 for deb/rpm distros as well as add it to the NSIS installer for Windows.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
From: Josh C. <jos...@us...> - 2013-12-23 16:10:53

On 12/19/13 05:01, Samuli Seppänen wrote:
> Do you think easy-rsa 3.0 would be a drop-in replacement for 2.0 by the time we push out the OpenVPN 2.4 alpha(s)? I believe that'll happen in Q1 next year. I can package easy-rsa 3.0 for deb/rpm distros as well as add it to the NSIS installer for Windows.

Yes, this is very doable, and an -rc2 is pending shortly to allow testing with the recent changes. In particular I have been informed Tunnelblick requires the 0.9.8 OpenSSL support, so this will be good to release for review at large.

The functionality now is a replacement for all v2 features available today under Windows since PKCS#11 was targeted to Unix-alikes and wouldn't have worked without modification anyway. Some of the features like nsCertType extensions are not the default in v3, and updated documentation will make upgrade differences very clear.

I toyed a bit with including PKCS#11 support at a basic level for 3.0, but simply porting the existing v2 setup won't work well with splitting the keypair and request generation (allows new requests from existing keypairs) which is a potential goal for 3.1 for improved flexibility. In light of the complexity involved with external tokens, I don't think PKCS#11 makes sense to ship with 3.0, but as distro-specific additions for a 3.1 release. This too will be made clear in the documentation.

--
Josh Cepek
From: Mike T. <mi...@se...> - 2013-12-23 01:34:59

On 12/17/2013 9:05 PM, Josh Cepek wrote:
> Here's an update about Easy-RSA v3 in case there were any lingering contributions or ideas. At this point, the notable thing missing compared to the 2.x-series is PKCS#11 support. My thought here is that it should either have universal support for both Windows and *nix platforms or be exposed as distro-centric additions. I'd rather see a pkcs11 frontend script that is targeted to each platform, and envision this as a 3.1 release target feature.

Hi,

It's been a while since I tried / checked, but is there any support for generating keys on an actual hardware token in Windows? Specifically, it would be great if I could do this with the Safenet/Aladdin java etoken.

I can do it on Unix using the older non java version keys, but I never quite figured out how to do it in Windows, and there is no Java etoken support that I have found on FreeBSD as it requires pkcs15 via OpenSC.

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@se...
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
From: Eric C. <ec...@se...> - 2013-12-23 04:21:22

If you want specific hardware support, your best bet is to send a hardware token we can test to a developer. Contact me if you need help.

> On Dec 22, 2013, at 7:34 PM, Mike Tancsa <mi...@se...> wrote:
>
>> On 12/17/2013 9:05 PM, Josh Cepek wrote:
>> Here's an update about Easy-RSA v3 in case there were any lingering contributions or ideas. At this point, the notable thing missing compared to the 2.x-series is PKCS#11 support. My thought here is that it should either have universal support for both Windows and *nix platforms or be exposed as distro-centric additions. I'd rather see a pkcs11 frontend script that is targeted to each platform, and envision this as a 3.1 release target feature.
>
> Hi,
> It's been a while since I tried / checked, but is there any support for generating keys on an actual hardware token in Windows? Specifically, it would be great if I could do this with the Safenet/Aladdin java etoken.
>
> I can do it on Unix using the older non java version keys, but I never quite figured out how to do it in Windows, and there is no Java etoken support that I have found on FreeBSD as it requires pkcs15 via OpenSC.
>
> ---Mike
From: Jan J. K. <ja...@ni...> - 2013-12-23 09:38:44

Hi Mike, *,

Mike Tancsa wrote:
> On 12/17/2013 9:05 PM, Josh Cepek wrote:
>
>> Here's an update about Easy-RSA v3 in case there were any lingering contributions or ideas. At this point, the notable thing missing compared to the 2.x-series is PKCS#11 support. My thought here is that it should either have universal support for both Windows and *nix platforms or be exposed as distro-centric additions. I'd rather see a pkcs11 frontend script that is targeted to each platform, and envision this as a 3.1 release target feature.
>
> Hi,
> It's been a while since I tried / checked, but is there any support for generating keys on an actual hardware token in Windows? Specifically, it would be great if I could do this with the Safenet/Aladdin java etoken.
>
> I can do it on Unix using the older non java version keys, but I never quite figured out how to do it in Windows, and there is no Java etoken support that I have found on FreeBSD as it requires pkcs15 via OpenSC.

The newer Safenet java etokens require the Safenet driver software (or Aladdin eToken driver v5.0+). If you don't have access to this software then you're out of luck. If you do have access then generating keys on the token is doable (but not supported by easy-rsa at this moment).

I've written scripts that work in both Windows (cygwin) and Linux to generate and install keys and certs on Aladdin/SafeNet etokens (32K/64K/72K). At one point I documented this for an older version of the eToken driver
http://wiki.nikhef.nl/grid/EToken
esp. section
http://wiki.nikhef.nl/grid/Storing_your_grid_certificate_on_an_Aladdin_eToken

but the basic principle is the same for the newer driver (use eTPKcs11.dll on Windows).

If there's any interest we could integrate this into the easy-rsa scripts, but as Eric Crist pointed out, this is VERY hardware and platform dependent.

HTH,

JJK
From: Mike T. <mi...@se...> - 2013-12-23 19:24:14

On 12/23/2013 4:38 AM, Jan Just Keijser wrote:

Hi,

>> It's been a while since I tried / checked, but is there any support for generating keys on an actual hardware token in Windows? Specifically, it would be great if I could do this with the Safenet/Aladdin java etoken.
>>
>> I can do it on Unix using the older non java version keys, but I never quite figured out how to do it in Windows, and there is no Java etoken support that I have found on FreeBSD as it requires pkcs15 via OpenSC.
>
> The newer Safenet java etokens require the Safenet driver software (or Aladdin eToken driver v5.0+). If you don't have access to this software then you're out of luck. If you do have access then generating keys on the token is doable (but not supported by easy-rsa at this moment).
> I've written scripts that work in both Windows (cygwin) and Linux to generate and install keys and certs on Aladdin/SafeNet etokens (32K/64K/72K). At one point I documented this for an older version of the eToken driver
> http://wiki.nikhef.nl/grid/EToken
> esp. section
> http://wiki.nikhef.nl/grid/Storing_your_grid_certificate_on_an_Aladdin_eToken
>
> but the basic principle is the same for the newer driver (use eTPKcs11.dll on Windows).
> If there's any interest we could integrate this into the easy-rsa scripts, but as Eric Crist pointed out, this is VERY hardware and platform dependent.

Thanks! I will give this a try over the holidays. I do have the drivers and client software for Windows. I just was never able to get a cert generated under Windows.

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@se...
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
From: Josh C. <jos...@us...> - 2013-12-23 20:29:46

On 12/23/13 13:24, Mike Tancsa wrote:
>> The newer Safenet java etokens require the Safenet driver software (or Aladdin eToken driver v5.0+). If you don't have access to this software then you're out of luck. If you do have access then generating keys on the token is doable (but not supported by easy-rsa at this moment).
>> I've written scripts that work in both Windows (cygwin) and Linux to generate and install keys and certs on Aladdin/SafeNet etokens (32K/64K/72K). At one point I documented this for an older version of the eToken driver
>> http://wiki.nikhef.nl/grid/EToken
>> esp. section
>> http://wiki.nikhef.nl/grid/Storing_your_grid_certificate_on_an_Aladdin_eToken
>>
>> but the basic principle is the same for the newer driver (use eTPKcs11.dll on Windows).
>> If there's any interest we could integrate this into the easy-rsa scripts, but as Eric Crist pointed out, this is VERY hardware and platform dependent.
>
> Thanks! I will give this a try over the holidays. I do have the drivers and client software for Windows. I just was never able to get a cert generated under Windows.

I'm curious to hear about your results. If you are able to get keypair generation working on your device through OpenSSL and/or the driver software for your token, I'd welcome the ability to integrate this into easy-rsa if you'd like to help make that happen.

Part of my plan at this point is to better separate the keypair generation from the request; this allows better flexibility by enabling a new request to be generated from an existing keypair, for instance. This flexibility also has the benefit of making PKCS#11 integration easier.

In particular, if you have success with your token and want to help maintain support for your platform & token combination, consider sharing some of the following details:

1) How is the keypair generated? It would be nice to support both RSA and EC keypairs, although partial support is still better than no support.

2) What else is needed to generate the request? Does creating another request require another keypair to be generated for the token?

3) How does a signed certificate get loaded back onto your token? Remember that in the easy-rsa v3 model, it is more likely that the request is sent to a separate CA for signing, which means this may be a logically separate step.

Thanks for the interest!

--
Josh Cepek
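The three questions above describe one flow: generate a keypair once, derive one or more requests from it, have a logically separate CA sign them, and then put the returned certificate next to the key it belongs to. The following POSIX shell script is an added example written for this thread; it is not easy-rsa's code and not Josh's. It uses plain `openssl` (assumed to be on PATH) with software keys so it runs anywhere; the directory layout, subject names and the "Example Easy-RSA CA" name are constructed for the demo. It shows both RSA and EC keypairs, two requests from the same keypair (so no second keypair is needed for a second request), and the check a practitioner wants before loading a certificate back onto a token: that the certificate's public key really is the one the key produced and that it chains to the CA.

```shell
#!/bin/sh
# Added example (not easy-rsa code): keypair -> request(s) -> separate CA -> match cert to key.
# Assumes: openssl on PATH. All names below are constructed for the demo.
set -eu

PKI=$(mktemp -d)                      # constructed scratch PKI directory
trap 'rm -rf "$PKI"' EXIT

# Step 1: keypair generation, deliberately independent of any request.
# On a hardware token this is the step the token's own software performs.
gen_key() {  # gen_key <name> rsa|ec
    case "$2" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                 -out "$PKI/$1.key" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
                 -out "$PKI/$1.key" 2>/dev/null ;;
        *)   echo "unknown key type: $2" >&2; return 1 ;;
    esac
}

# Step 2: a request from an EXISTING keypair. Calling this twice for the same
# key yields two requests without generating a second keypair.
gen_req() {  # gen_req <keyname> <commonName> <reqname>
    openssl req -new -batch -key "$PKI/$1.key" -subj "/CN=$2" -out "$PKI/$3.csr"
}

# CA side: logically separate from the key holder. Self-signed root plus a sign step.
init_ca() {
    gen_key ca rsa
    openssl req -x509 -new -batch -key "$PKI/ca.key" \
        -subj "/CN=Example Easy-RSA CA" -days 3650 -out "$PKI/ca.crt"
}
sign_req() {  # sign_req <reqname> <certname>
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -days 365 -out "$PKI/$2.crt" 2>/dev/null
}

# Step 3: before installing a returned certificate beside a key (or onto a token),
# confirm the certificate carries that key's public half and chains to the CA.
cert_matches_key() {  # cert_matches_key <certname> <keyname>
    cert_pub=$(openssl x509 -in "$PKI/$1.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$PKI/$2.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
chain_ok() {  # chain_ok <certname>
    openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1
}

demo() {
    init_ca
    gen_key client1 rsa
    gen_req client1 client1 client1-a
    gen_req client1 client1-renewed client1-b   # second request, same keypair
    sign_req client1-a client1-a
    sign_req client1-b client1-b
    gen_key client2 ec
    gen_req client2 client2 client2
    sign_req client2 client2
}

report() {  # for each issued cert, say which key it belongs to and whether it verifies
    for c in client1-a client1-b client2; do
        for k in client1 client2; do
            if cert_matches_key "$c" "$k"; then echo "$c.crt: public key matches $k.key"; fi
        done
        if chain_ok "$c"; then echo "$c.crt: verifies against ca.crt"; fi
    done
}

demo
report
```

The key-to-certificate comparison in `cert_matches_key` is the piece that does not change when the private key lives on a token: the token never releases the private half, but its public half is what ends up in the request and the certificate, so matching on the SubjectPublicKeyInfo is how you know which certificate belongs with which on-token key before writing it back.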
From: Jonathan K. B. <jkb...@gm...> - 2014-07-15 03:58:16

On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek <jos...@us...> wrote:
> The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit 8b1fe01.) While I hope this isn't a common need, the fix was simple enough, and this is still a supported OpenSSL version.

Any update on the availability of an -rc2 with this fix?
From: Eric C. <ec...@se...> - 2014-07-15 04:21:37
Attachments: signature.asc

Josh and I spoke on this today and we're going to push to close a couple bugs and try to get an RC-2 published some time this week.

-----
Eric F Crist

On Jul 14, 2014, at 22:57:29, Jonathan K. Bullard <jkb...@gm...> wrote:
> On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek <jos...@us...> wrote:
>> The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit 8b1fe01.) While I hope this isn't a common need, the fix was simple enough, and this is still a supported OpenSSL version.
>
> Any update on the availability of an -rc2 with this fix?
From: Jonathan K. B. <jkb...@gm...> - 2014-07-15 04:13:01

On Tue, Jul 15, 2014 at 12:05 AM, Eric Crist <ec...@se...> wrote:
> Josh and I spoke on this today and we're going to push to close a couple bugs and try to get an RC-2 published some time this week.

Terrific. Thanks for the update.

> On Jul 14, 2014, at 22:57:29, Jonathan K. Bullard <jkb...@gm...> wrote:
>
>> On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek <jos...@us...> wrote:
>>> The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit 8b1fe01.) While I hope this isn't a common need, the fix was simple enough, and this is still a supported OpenSSL version.
>>
>> Any update on the availability of an -rc2 with this fix?