Re: OpenVPN cipher negotiation patch set

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3474 bytes --]

Hello,

> On 18 Mar 2024, at 11:27, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi Erik,
> 
> On 18/03/2024 08:49, ummeegge wrote:
>> Good morning Adolf,
>> if i know in what chunks you would like to split the diff i can may
>> help you to sort things a little. Am currently not sure what should be
>> in and what not so i can offer you some explanations according to the
>> already written code and you can amend the wanted changes?!
>> So you can write me a PM and include the topics which are not clear and
>> i can try to give an explanation of the already written code.
> 
> Thanks very much. I think that could be useful.
> 
> However I will wait first as Michael is looking at doing an update related negotiation as it looks like the latest Mac OS client is failing to connect for a similar reason as some forum members using windows have been reporting.

Tunnelblick has been updated to 4.0.0 recently and disables a couple of backwards-compatible things in OpenSSL (i.e. the legacy provider). It also ships OpenVPN 2.6.9 and there seem to be problems if users have created a specific configuration.

> Once Michael has merged his changes then I can look again at what is still left as a delta and will then come back to you with my questions.
>> My time is a little less but if needed we can try it.
> I realise that, so thank you very much and I will try and focus my questions to you.
> 
> Regards,
> Adolf.
>> Best,
>> Erik
>> Am Sonntag, dem 17.03.2024 um 12:35 +0100 schrieb Adolf Belka:
>>> Hi Michael,
>>> 
>>> I am afraid I don't have a patch set. It is just a single diff
>>> change.
>>> 
>>> I took Erik's original patch set and applied it to the latest
>>> ovpnmain.cgi version at that time and then removed some of the items
>>> that I decided could wait till later or were not needed.
>>> 
>>> This created a single diff file, which I was able to apply and test
>>> out to confirm it did what I expected it to do, which it seemed to
>>> do.
>>> 
>>> The next step I then had intended to do was to break that single diff
>>> into multiple patches but I found this very difficult to do as I
>>> could not easily figure out which bits needed to go together in
>>> different patches. Trying to understand all the changes and what each
>>> were related to I struggled to make sense of.
>>> 
>>> My next step was therefore going to be to go back to an unmodified
>>> ovpnmain.cgi file and make the changes a step at a time, to match
>>> what I had previously done and therefore end up with a patch set of
>>> small self consistent changes.
>>> 
>>> However to do this I had to go back to the start and figure out which
>>> of Erik's changes to apply and what parts of those changes and every
>>> time I did something else in IPFire for a week or so I was having to
>>> go back to square one in trying to remember what I had been going to
>>> do next.
>>> 
>>> The diff patch file I created is at
>>> 
>>> https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=commit;h=4fbf17f4a10fbf2a0ddeae1aa436cf26f6b3a035
>>> 
>>> Hopefully you can use this as a basis to extract just the bits needed
>>> for the cipher negotiation.
>>> 
>>> I will also go back and start again to work on it but focus on it
>>> without diverting to anything else, after I have dealt with the wsdd
>>> patch modification.
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
> 
> -- 
> Sent from my laptop