wiki:Topics-2024-05-08

IrcMeetings

Basic info

  • Time: Wednesday 8 May 2024 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • Closed: Discussion related to the DNS IV flag
    This was done with an IV_PROTO_DNS_OPTION_V2 proto flag.
  • New, closed: TunnelVision vulnerability.
    This looks to be basically the same as the TunnelCrack vulnerability.
    Mitigations for TunnelCrack are underway but take time to deliver, as the implementation is different on each platform.
    What we'll do is add a wiki article for TunnelVision that redirects to the TunnelCrack statement already present on our wiki,
    and add a section there specific to the TunnelVision aspect of this.
  • Updated: TunnelCrack progress (see the TunnelCrack community wiki article)
    Status update on TunnelCrack mitigations:
    Windows, openvpn2: ready to merge. openvpn3: in code review.
    Linux, openvpn2: in progress. openvpn3: in progress.
    macOS: to be determined.
    iOS: to be determined.
    Android: not vulnerable.
  • New: Black Hat announcement regarding 'OVPNX'. Black Hat announced a presentation about OVPNX vulnerabilities that lead to privilege escalation.
    This is by the same person, Vladimir Tokarev, who reported these issues to us; we then fixed them.
    The problem is that they are announcing them as zero-day vulnerabilities, which is simply not true.
    These were responsibly disclosed, fixed in cooperation with the reporter, and published with the OpenVPN 2.6.10 and 2.5.10 releases.
    We did reach out to clarify things but haven't had a response yet.
    A security advisory and a blog post will be posted in the next day or so on the main website, and it will be added to the company newsletter as well.
    These will set the record straight that it's not zero-day, and furthermore point out that this is not that critical an issue, as you already need privileges to exploit it.
    Also, this only affects the OpenVPN 2 GUI on Windows.
  • Updated: forums topics
    rob0 and novaflash volunteered to take a look at the web server config to make it work correctly.
    Due to other ongoing things they haven't had time yet, but will be able to spend time on it soonish.
    The plan is to switch URLs soon so that the new forum is on forums.openvpn.net and the old forum is on an archive address.
    - email confirmation on registration was suggested.
    - mod permissions, guide, hard or soft delete (chuck board?), what to do with GDPR, etc. (write it down and actually make it available to mods, maybe as a hidden topic)
    - access for mods to logs so one can see what others did
  • Updated: mattock topics
    PR created to add t_server_null tests to buildbot.
    There's a parallelism issue to fix between t_server_null.sh and t_client.sh - will work on that.
  • Security mailing list procedure can stand improvement
    The company will improve the process for picking up tasks from the security mailing list in the next week or so.
    The idea is that community people continue doing their thing as usual, while company people monitor the list for company-related items and follow up on those.
    The idea of an NDA was also revived. It was made clear internally that we need a simple one-page NDA for community members, not the unnecessarily restrictive one originally suggested by legal.
  • DCO and Linux upstreaming, API change
    Upstreaming DCO to Linux is proceeding; it is in the review stage at the moment.
    ordex will send a patchset v3 based on feedback received today.
    There will be an API change that makes it incompatible with the current implementation.
    A graceful solution to that was already discussed and is in motion. giaan will be working on this.
    (In a nutshell: make OpenVPN understand both the old and the new API, have both the DKMS module and the in-kernel version use the new API, then drop the old API.)
  • donation collection
    From earlier exploration it is clear that setting up a legal entity is not worth the expense at this point. We're just starting out with donations.
    What we can do is start out with an existing company that collects the money and puts it to good community use. ordex volunteers to take this on.
    There are some options to consider, including existing solutions:
    PayPal seems overly expensive with all their fees.
    Stripe could be worth considering for credit card processing.
    GitHub Sponsors was mentioned as a possible solution; this is worth investigating.
    Open Collective was also mentioned; that needs some investigating into how exactly it would work for us.
  • OpenVPN community meetup 2024
    Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it.
    Where: Karlsruhe, Germany. Meeting room location to be determined.
    When: At the moment tentatively set to 20-22 September 2024.
    Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
    Shirts: There is plenty of time still to prepare a shirt design.
    There's a wiki page up now where we can coordinate: https://community.openvpn.net/openvpn/wiki/CommunityMeetup2024
  • website release process
    Waiting for faster way to update community downloads and security advisories on main site.
    Again postponed due to issues. Now planned for this week. We'll see.
  • Status of SBOM
    There was a discussion between MaxF and djpig and others.
    Between OpenVPN2 and OpenVPN-NL there is not much overlap: OpenVPN2 itself doesn't ship much in terms of libraries, but OpenVPN-NL does.
    The interesting use case for an SBOM is really the OpenVPN Windows GUI client, which bundles its libraries.
  • status of trac/wiki
    No progress since last meeting.
    This will probably have to wait until "--dev null" is done
    Should have access controls so only approved members can edit.
  • OpenVPN 2.6 performance results.
    Tests should cover: gre, ipsec, userland, dco
    on linux, freebsd, windows.
    This requires dedicated time; it will be done when time is available.
  • software code signing topic
    The company switched EV code signing to CloudHSM. This is the same cert type we use for driver signing, and it is also suitable for binary signing.
    In future we could possibly switch the community builds to that same key, which saves having to maintain two different keys.
    This depends on how hard or easy it is to access the company signing key from the community infrastructure.
    It is also not a high priority at the moment, as we have a working solution now.
  • Management interface documentation on main website will be updated with info from doc/management-notes.txt
    novaflash will pick this up at some point

Mattock topics

--dev null server testing

Latest status in ServerSideTestingImprovementPlan. Additional details in https://github.com/mattock/openvpn/blob/dev_null/doc/dev-null-test-suite.rst. Current PoC code is available in mattock's "dev_null" branch. A good starting point is t_server_null.sh.

Potential next steps:

  • Expand the test suite
  • Integrate into Buildbot (i.e. get to production)
  • Support multiple client versions (depends on Buildbot integration)

Git commit history needs to be cleaned up and there may be other small fixes / improvements here and there to be done:

  • Enable disabling the test suite (requires root so we can't run it by default)

Debian/Ubuntu snapshot publishing

  • In a previous meeting we agreed to publish snapshot Debian/Ubuntu packages on *build.openvpn.net*
  • The tool to use to publish is aptly
  • aptly publishes to a local filesystem (here: on the buildmaster) and has no direct support for running commands (e.g. rsync, scp) after publishing packages, so getting the repo onto build.openvpn.net needs a separate step
    • Option 1 (hacky): use inotifywait with rsync or scp to copy the published repo to build.openvpn.net
    • Option 2 (less hacky): use NFS to publish "directly" to build.openvpn.net
    • Both options require a fair amount of tinkering
  • Mattock moved this forward a bit at the buildbot end (getting the files out from the workers)
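A wrapper that does the publish and the copy as two consecutive steps, as an added example (not the project's buildbot configuration and not a feature of aptly): instead of watching the published tree with inotifywait (Option 1) or mounting it over NFS (Option 2), it runs rsync right after aptly has (re)published, which works around the missing post-publish hook with no daemon or mount. The repo name, distribution, publish prefix and rsync destination are placeholder assumptions, not values from the meeting; `--delete` is used so replaced snapshots disappear from the mirror too.

```shell
#!/bin/sh
# Added example, not the OpenVPN project's buildbot code: add freshly built
# snapshot .deb files to a local aptly repo, re-publish it, then mirror the
# published tree to build.openvpn.net with rsync.  aptly has no post-publish
# hook, so the copy is simply the next step in this wrapper.
#
# Assumptions (placeholders, not values from the meeting notes): repo name,
# distribution, publish prefix, and the rsync destination.
set -eu

REPO="${REPO:-openvpn-snapshots}"
DIST="${DIST:-bookworm}"
PREFIX="${PREFIX:-snapshots}"
# aptly publishes under $APTLY_ROOT/public/<prefix>/ by default
APTLY_ROOT="${APTLY_ROOT:-${HOME:-/root}/.aptly}"
DEST="${DEST:-builduser@build.openvpn.net:/var/www/html/debian/}"

# Add packages to the local repo and (re)publish it.  -force-replace lets a
# rebuilt snapshot with the same version string overwrite the previous one.
publish_debs() {
    [ "$#" -gt 0 ] || { echo "usage: publish_debs file.deb..." >&2; return 1; }
    aptly repo add -force-replace "$REPO" "$@"
    # 'publish update' fails if this prefix/distribution was never published;
    # fall back to publishing the repo for the first time in that case.
    aptly publish update "$DIST" "$PREFIX" ||
        aptly publish repo -distribution="$DIST" "$REPO" "$PREFIX"
}

# Mirror the published tree.  --delete removes files that aptly dropped
# (e.g. replaced snapshots) so the mirror does not accumulate stale packages.
sync_published() {
    rsync -a --delete "$APTLY_ROOT/public/$PREFIX/" "$DEST"
}

# Publish, then copy: the two steps aptly cannot chain by itself.
publish_and_sync() {
    publish_debs "$@"
    sync_published
}

# Usage: ./publish-snapshot.sh /path/to/openvpn_*.deb
[ "$#" -eq 0 ] || publish_and_sync "$@"
```

Run it from the buildbot step that collects the worker's .deb files; because it exits non-zero if aptly or rsync fail, the build step fails visibly instead of leaving a half-updated mirror.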
Last modified on 05/08/24 12:00:38