)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b84aa2d2c3a0fd91954fe24d99bc50c38319065f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"651d33ef_73c95cfd","updated":"2025-10-27 16:19:32.000000000","message":"Looks good but I would like a few minor issues to be addressed","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"}],"doc/man-sections/tls-options.rst":[{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b84aa2d2c3a0fd91954fe24d99bc50c38319065f","unresolved":true,"context_lines":[{"line_number":570,"context_line":""},{"line_number":571,"context_line":"--tls-crypt-v2-max-age n"},{"line_number":572,"context_line":"  Reject tls-crypt-v2 client keys that are older than n days or have"},{"line_number":573,"context_line":"  no timestamp."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"--tls-exit"},{"line_number":576,"context_line":"  Exit on TLS negotiation failure. 
This option can be useful when you only"}],"source_content_type":"text/x-rst","patch_set":4,"id":"17d09927_5a722c44","line":573,"updated":"2025-10-27 16:19:32.000000000","message":"should add in the description what happens if tls-crypt-v2 client keys are used that don\u0027t use the timestamp.","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"e0eb0b3c8d291e92649e6ae31668a9566fd41743","unresolved":true,"context_lines":[{"line_number":570,"context_line":""},{"line_number":571,"context_line":"--tls-crypt-v2-max-age n"},{"line_number":572,"context_line":"  Reject tls-crypt-v2 client keys that are older than n days or have"},{"line_number":573,"context_line":"  no timestamp."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"--tls-exit"},{"line_number":576,"context_line":"  Exit on TLS negotiation failure. This option can be useful when you only"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ce9f65dd_da5e5dc5","line":573,"in_reply_to":"17d09927_5a722c44","updated":"2025-11-05 00:11:50.000000000","message":"Not sure what you mean. It says that keys without timestamp are rejected.","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"4e3eca267ad44214c060b50ee33c8d3e49ff0c8a","unresolved":false,"context_lines":[{"line_number":570,"context_line":""},{"line_number":571,"context_line":"--tls-crypt-v2-max-age n"},{"line_number":572,"context_line":"  Reject tls-crypt-v2 client keys that are older than n days or have"},{"line_number":573,"context_line":"  no timestamp."},{"line_number":574,"context_line":""},{"line_number":575,"context_line":"--tls-exit"},{"line_number":576,"context_line":"  Exit on TLS negotiation failure. 
This option can be useful when you only"}],"source_content_type":"text/x-rst","patch_set":4,"id":"667def20_c16857ea","line":573,"in_reply_to":"ce9f65dd_da5e5dc5","updated":"2025-11-19 13:56:49.000000000","message":"Done","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"}],"src/openvpn/tls_crypt.c":[{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"4dec1ccbd782231f8acc8f889d4eb61898de4063","unresolved":true,"context_lines":[{"line_number":676,"context_line":""},{"line_number":677,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_max_age \u003e 0)"},{"line_number":678,"context_line":"    {"},{"line_number":679,"context_line":"        return tls_crypt_v2_check_client_key_age(ctx, opt-\u003etls_crypt_v2_max_age);"},{"line_number":680,"context_line":"    }"},{"line_number":681,"context_line":""},{"line_number":682,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_verify_script)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"a2d3dd24_9363c859","line":679,"updated":"2025-10-26 21:16:40.000000000","message":"that is logically wrong. You skip the verify_metadata check below unconditionally, but can only do that on failure. 
You can just copy the if from below since only the last check can do it this way.","commit_id":"aa1a4d7e822436239bc9ca244828f3edd608d6ee"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"d8ba08a6bb935405453b840f278e12660d4ef385","unresolved":false,"context_lines":[{"line_number":676,"context_line":""},{"line_number":677,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_max_age \u003e 0)"},{"line_number":678,"context_line":"    {"},{"line_number":679,"context_line":"        return tls_crypt_v2_check_client_key_age(ctx, opt-\u003etls_crypt_v2_max_age);"},{"line_number":680,"context_line":"    }"},{"line_number":681,"context_line":""},{"line_number":682,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_verify_script)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"f76fba9a_587eaa9c","line":679,"in_reply_to":"906940de_55b6796f","updated":"2025-10-27 11:48:33.000000000","message":"Done","commit_id":"aa1a4d7e822436239bc9ca244828f3edd608d6ee"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"82f646338d8b1d8de389833823371ca744c010df","unresolved":true,"context_lines":[{"line_number":676,"context_line":""},{"line_number":677,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_max_age \u003e 0)"},{"line_number":678,"context_line":"    {"},{"line_number":679,"context_line":"        return tls_crypt_v2_check_client_key_age(ctx, opt-\u003etls_crypt_v2_max_age);"},{"line_number":680,"context_line":"    }"},{"line_number":681,"context_line":""},{"line_number":682,"context_line":"    if (opt \u0026\u0026 opt-\u003etls_crypt_v2_verify_script)"}],"source_content_type":"text/x-csrc","patch_set":2,"id":"906940de_55b6796f","line":679,"in_reply_to":"a2d3dd24_9363c859","updated":"2025-10-27 08:51:13.000000000","message":"That 
was bad, thanks for catching that! Should be fixed now.","commit_id":"aa1a4d7e822436239bc9ca244828f3edd608d6ee"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b84aa2d2c3a0fd91954fe24d99bc50c38319065f","unresolved":true,"context_lines":[{"line_number":534,"context_line":"    const uint8_t *metadata \u003d ctx-\u003etls_crypt_v2_metadata.data;"},{"line_number":535,"context_line":"    if (*metadata !\u003d TLS_CRYPT_METADATA_TYPE_TIMESTAMP)"},{"line_number":536,"context_line":"    {"},{"line_number":537,"context_line":"        msg(M_WARN, \"ERROR: Client key doesn\u0027t have a timestamp.\");"},{"line_number":538,"context_line":"        return false;"},{"line_number":539,"context_line":"    }"},{"line_number":540,"context_line":"    int64_t timestamp;"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"5baff829_139564bf","line":537,"updated":"2025-10-27 16:19:32.000000000","message":"I would go for the bit more formal form here and use \"does not\" instead of the short form \"doesn\u0027t\"","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"e0eb0b3c8d291e92649e6ae31668a9566fd41743","unresolved":false,"context_lines":[{"line_number":534,"context_line":"    const uint8_t *metadata \u003d ctx-\u003etls_crypt_v2_metadata.data;"},{"line_number":535,"context_line":"    if (*metadata !\u003d TLS_CRYPT_METADATA_TYPE_TIMESTAMP)"},{"line_number":536,"context_line":"    {"},{"line_number":537,"context_line":"        msg(M_WARN, \"ERROR: Client key doesn\u0027t have a timestamp.\");"},{"line_number":538,"context_line":"        return false;"},{"line_number":539,"context_line":"    }"},{"line_number":540,"context_line":"    int64_t 
timestamp;"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"6cce571b_0e82e17f","line":537,"in_reply_to":"5baff829_139564bf","updated":"2025-11-05 00:11:50.000000000","message":"Done","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"},{"author":{"_account_id":1000003,"name":"plaisthos","display_name":"Arne Schwabe","email":"arne-openvpn@rfc2549.org","username":"plaisthos"},"change_message_id":"b84aa2d2c3a0fd91954fe24d99bc50c38319065f","unresolved":true,"context_lines":[{"line_number":538,"context_line":"        return false;"},{"line_number":539,"context_line":"    }"},{"line_number":540,"context_line":"    int64_t timestamp;"},{"line_number":541,"context_line":"    memcpy(\u0026timestamp, metadata + 1, sizeof(int64_t));"},{"line_number":542,"context_line":"    timestamp \u003d (int64_t)ntohll((uint64_t)timestamp);"},{"line_number":543,"context_line":"    int64_t max_age_in_seconds \u003d max_days * 24 * 60 * 60;"},{"line_number":544,"context_line":"    if (now - timestamp \u003e max_age_in_seconds)"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"7d9d8afb_144c9475","line":541,"updated":"2025-10-27 16:19:32.000000000","message":"I think we should add a length check here to ensure that the metadata is long enough.","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"},{"author":{"_account_id":1000030,"name":"MaxF","email":"max@max-fillinger.net","username":"MaxF"},"change_message_id":"e0eb0b3c8d291e92649e6ae31668a9566fd41743","unresolved":false,"context_lines":[{"line_number":538,"context_line":"        return false;"},{"line_number":539,"context_line":"    }"},{"line_number":540,"context_line":"    int64_t timestamp;"},{"line_number":541,"context_line":"    memcpy(\u0026timestamp, metadata + 1, sizeof(int64_t));"},{"line_number":542,"context_line":"    timestamp \u003d (int64_t)ntohll((uint64_t)timestamp);"},{"line_number":543,"context_line":"    int64_t max_age_in_seconds \u003d max_days * 24 * 60 * 
60;"},{"line_number":544,"context_line":"    if (now - timestamp \u003e max_age_in_seconds)"}],"source_content_type":"text/x-csrc","patch_set":4,"id":"eb1c0953_574a54a0","line":541,"in_reply_to":"7d9d8afb_144c9475","updated":"2025-11-05 00:11:50.000000000","message":"Done","commit_id":"0e15f470b131a42204152c824132ce6ee74d179e"}]}
