-rw-r--r-- | Changes.rst | 52 | ||||
-rw-r--r-- | doc/openvpn.8 | 30 | ||||
-rw-r--r-- | sample/sample-config-files/client.conf | 2 | ||||
-rw-r--r-- | sample/sample-config-files/server.conf | 4 | ||||
-rw-r--r-- | src/openvpn/options.c | 8 |
5 files changed, 49 insertions, 47 deletions
diff --git a/Changes.rst b/Changes.rst
index 74d038a..53a1443 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -164,25 +164,26 @@ Deprecated features For an up-to-date list of all deprecated options, see this wiki page: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions -- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate - away from ``--key-method 1`` as soon as possible. The recommended approach - is to remove the ``--key-method`` option from the configuration files, OpenVPN - will then use ``--key-method 2`` by default. Note that this requires changing - the option in both the client and server side configs. +- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. + Migrate away from ``--key-method 1`` as soon as possible. The recommended + approach is to remove the ``--key-method`` option from the configuration + files, OpenVPN will then use ``--key-method 2`` by default. Note that this + requires changing the option in both the client and server side configs. -- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar - functionality is provided via ``--verify-x509-name``, which does the same job in - a better way. +- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3 + man-pages. Similar functionality is provided via ``--verify-x509-name``, + which does the same job in a better way. -- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will - be removed in 2.5. All scripts and plug-ins depending on the old non-standard - X.509 subject formatting must be updated to the standardized formatting. See - the man page for more information. +- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3 + and will be removed in v2.5. All scripts and plug-ins depending on the old + non-standard X.509 subject formatting must be updated to the standardized + formatting. See the man page for more information. -- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5. 
+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. -- ``--keysize`` is deprecated and will be removed in v2.6 together - with the support of ciphers with cipher block size less than 128 bits. +- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 + together with the support of ciphers with cipher block size less than + 128-bits. - ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead. @@ -317,7 +318,7 @@ Maintainer-visible changes files instead of older ones, to provide a unified behaviour across systemd based Linux distributions. -- With OpenVPN v2.4, the project has moved over to depend on and actively use +- With OpenVPN 2.4, the project has moved over to depend on and actively use the official C99 standard (-std=c99). This may fail on some older compiler/libc header combinations. In most of these situations it is recommended to use -std=gnu99 in CFLAGS. This is known to be needed when doing @@ -339,7 +340,7 @@ New features Security -------- - CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS - A client could crash a 2.4+ mbedtls server, if that server uses the + A client could crash a v2.4+ mbedtls server, if that server uses the ``--x509-track`` option and the client has a correct, signed and unrevoked certificate that contains an embedded NUL in the certificate subject. Discovered and reported to the OpenVPN security team by Guido Vranken. @@ -396,7 +397,7 @@ User-visible Changes Bugfixes -------- - Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users - of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the + of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change the fingerprint values they check against. The security impact of the incorrect calculation is very minimal; the last few bytes (max 4, typically 
@@ -425,17 +426,18 @@ Version 2.4.2 Bugfixes -------- -- Fix memory leak introduced in 2.4.1: if ``--remote-cert-tls`` is used, we leaked - some memory on each TLS (re)negotiation. +- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is + used, we leaked some memory on each TLS (re)negotiation. Security -------- -- Fix a pre-authentication denial-of-service attack on both clients and servers. - By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced - to hit an ASSERT() and stop the process. If ``--tls-auth`` or ``--tls-crypt`` - is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key - can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) +- Fix a pre-authentication denial-of-service attack on both clients and + servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can + be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or + ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or + ``--tls-crypt`` key can mount an attack. + (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) - Fix an authenticated remote DoS vulnerability that could be triggered by causing a packet id roll over. An attack is rather inefficient; a peer diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 5da2930..04ff9cb 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -1995,7 +1995,7 @@ could be either .B execve or .B system. -As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() +As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments the execve() approach has been used without any issues. Some directives such as \-\-up allow options to be passed to the external 
@@ -2007,7 +2007,7 @@ To run scripts in Windows in earlier OpenVPN versions you needed to either add a full path to the script interpreter which can parse the script or use the .B system -flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have +flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have full path to the script interpreter when running non-executables files. This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For example, if you have a Visual Basic script, you must use this syntax now: @@ -2202,7 +2202,7 @@ passwords, or key pass phrases anymore. This has certain consequences, namely that using a password-protected private key will fail unless the .B \-\-askpass option is used to tell OpenVPN to ask for the pass phrase (this -requirement is new in 2.3.7, and is a consequence of calling daemon() +requirement is new in v2.3.7, and is a consequence of calling daemon() before initializing the crypto layer). Further, using @@ -2475,7 +2475,7 @@ The parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. -For backwards compatibility with OpenVPN versions before 2.4, use "lzo" +For backwards compatibility with OpenVPN versions before v2.4, use "lzo" (which is identical to the older option "\-\-comp\-lzo yes"). If the 
@@ -3774,13 +3774,13 @@ option, this old formatting and remapping will be re-enabled again. This is purely implemented for compatibility reasons when using older plug-ins or scripts which does not handle the new formatting or UTF-8 characters. .IP -In OpenVPN v2.3 the formatting of these fields changed into a more +In OpenVPN 2.3 the formatting of these fields changed into a more standardised format. It now looks like: .IP .B C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com .IP -The new default format in OpenVPN v2.3 also does not do the character remapping +The new default format in OpenVPN 2.3 also does not do the character remapping which happened earlier. This new format enables proper support for UTF\-8 characters in the usernames, X.509 Subject fields and Common Name variables and it complies to the RFC 2253, UTF\-8 String Representation of Distinguished @@ -3800,7 +3800,7 @@ carriage-return. no-remapping is only available on the server side. .B Please note: This option is immediately deprecated. It is only implemented to make the transition to the new formatting less intrusive. It will be -removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. +removed in OpenVPN 2.5. So please update your scripts/plug-ins where necessary. .\"********************************************************* .TP .B \-\-no\-name\-remapping @@ -3816,7 +3816,7 @@ It ensures compatibility with server configurations using the option. .B Please note: -This option is now deprecated. It will be removed in OpenVPN v2.5. +This option is now deprecated. It will be removed in OpenVPN 2.5. So please make sure you support the new X.509 name formatting described with the .B \-\-compat\-names 
@@ -4226,8 +4226,8 @@ will inherit the cipher of the peer if that cipher is different from the local .B \-\-cipher setting, but the peer cipher is one of the ciphers specified in .B \-\-ncp\-ciphers\fR. -E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a -NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers +E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a +NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or "\-\-cipher AES-256-CBC" and both will work. @@ -5037,8 +5037,8 @@ response. (required) is a file in OpenVPN static key format which can be generated by .B \-\-genkey -Older versions (up to 2.3) supported a freeform passphrase file. -This is no longer supported in newer versions (2.4+). +Older versions (up to OpenVPN 2.3) supported a freeform passphrase file. +This is no longer supported in newer versions (v2.4+). See the .B \-\-secret @@ -5596,7 +5596,7 @@ Write key to .B file. .\"********************************************************* .SS TUN/TAP persistent tunnel config mode: -Available with linux 2.4.7+. These options comprise a standalone mode +Available with Linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels. .\"********************************************************* .TP @@ -5923,7 +5923,7 @@ flag. .TP .B \-\-dhcp\-release Ask Windows to release the TAP adapter lease on shutdown. -This option has no effect now, as it is enabled by default starting with version 2.4.1. +This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1. .\"********************************************************* .TP .B \-\-register\-dns 
@@ -6206,7 +6206,7 @@ isprint() function to return true. .B \-\-client\-config\-dir filename as derived from common name or username: Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or -".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has +".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has been added as well for compatibility with the common name character class. .B Environmental variable names: diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index f5c69e3..5fd4a94 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -110,7 +110,7 @@ tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. -# Note that 2.4 client/server will automatically +# Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index aa7d5b3..1dd477b 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -246,13 +246,13 @@ tls-auth ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. -# Note that 2.4 client/server will automatically +# Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. # See also the ncp-cipher option in the manpage cipher AES-256-CBC # Enable compression on the VPN link and push the -# option to the client (2.4+ only, for earlier +# option to the client (v2.4+ only, for earlier # versions see below) ;compress lz4-v2 ;push "compress lz4-v2" diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 860bc85..1bbda02 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -6187,7 +6187,7 @@ add_option(struct options *options,
 else if (streq(p[0], "max-routes") && !p[2])
 {
 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
- "The number of routes is unlimited as of version 2.4. "
+ "The number of routes is unlimited as of OpenVPN 2.4. "
 "This option will be removed in a future version, "
 "please remove it from your configuration.");
 }
@@ -7018,7 +7018,7 @@ add_option(struct options *options,
 VERIFY_PERMISSION(OPT_P_GENERAL);
 if (streq(p[1], "env"))
 {
- msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
+ msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
 "This entry will now be ignored. "
 "Please remove this entry from your configuration file.");
 }
@@ -7864,7 +7864,7 @@ add_option(struct options *options,
 msg(msglevel, "you cannot use --compat-names with --verify-x509-name");
 goto err;
 }
- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.");
 compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
 #if P2MP_SERVER
 if (p[1] && streq(p[1], "no-remapping"))
@@ -7880,7 +7880,7 @@ add_option(struct options *options,
 msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
 goto err;
 }
- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");
+ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5.");
 compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
 compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
 #endif |
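Review bot: In the first hunk (`@@ -6187`) the rewritten literal `"The number of routes is unlimited as of OpenVPN 2.4. "` is concatenated directly onto the preceding context literal `"DEPRECATED OPTION: --max-routes option ignored."`, which has no trailing space, so the warning that reaches the log reads `ignored.The number of routes`. Since this message is being reworded anyway, the cheapest fix is to end the preceding literal with a space, `"DEPRECATED OPTION: --max-routes option ignored. "`, or to begin the rewritten literal with one. The three other hunks only reword message text and look consistent with the Changes.rst wording. add_option() begins and ends outside these hunks.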