Change default cipher for server configurations to AES-GCM

At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
to connect without any issues.

F-27 Change request: https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN

This change was approved in the FESCO meeting 2017-08-04.

Also fix a truncated changelog entry for openvpn-2.4.3-1
epel8
David Sommerseth 8 years ago
parent ab274d2f4f
commit b931012953

@ -0,0 +1,32 @@
From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org>
Date: Tue, 4 Jul 2017 16:06:24 +0200
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
configurations
This change makes the server use AES-256-GCM instead of BF-CBC as the default
cipher for the VPN tunnel. To avoid breaking existing running configurations
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
---
distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index 9a8a2c7..0ecda08 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
--
2.11.0
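Review bot: the new ExecStart line keeps BF-CBC at the tail of `--ncp-ciphers`, so a 64-bit block cipher stays negotiable on every server instance started from this template; since v2.4 clients already default to AES-GCM, that entry exists only for pre-2.4 clients, and the patch description should say when it is expected to be dropped so administrators do not treat the fallback as permanent. Because `--cipher AES-256-GCM --ncp-ciphers ...` are placed before `--config %i.conf`, an explicit `cipher` or `ncp-ciphers` directive in the instance config is parsed afterwards and is the mechanism for overriding these defaults; worth stating that in the commit message, as it is the only way to drop BF-CBC per instance without editing the unit file.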

@ -7,7 +7,7 @@
Name: openvpn Name: openvpn
Version: 2.4.3 Version: 2.4.3
Release: 3%{?prerelease:.%{prerelease}}%{?dist} Release: 4%{?prerelease:.%{prerelease}}%{?dist}
Summary: A full-featured SSL VPN solution Summary: A full-featured SSL VPN solution
URL: https://community.openvpn.net/ URL: https://community.openvpn.net/
Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
@ -17,6 +17,7 @@ Source3: roadwarrior-client.conf
Source4: README.systemd Source4: README.systemd
# Upstream signing key # Upstream signing key
Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
License: GPLv2 License: GPLv2
Group: Applications/Internet Group: Applications/Internet
BuildRequires: systemd-devel BuildRequires: systemd-devel
@ -67,6 +68,7 @@ to similar features as the various script-hooks.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
%patch1 -p1 -b .ch_default_cipher
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
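Review bot: `%patch1` applies to the `.service.in` template in `%prep`, which is the right place since the unit is generated at build time, but the change is invisible to anyone reading the installed unit's documentation; Source4 (README.systemd) is shipped alongside it and should be checked for a mention of the new default cipher and the per-instance override, otherwise the `-b .ch_default_cipher` backup suffix is the only trace of what was changed.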
@ -184,6 +186,9 @@ getent passwd openvpn &>/dev/null || \
%changelog %changelog
* Fri Aug 4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
- Change to AES-GCM as the default cipher for server configurations
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
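Review bot: the new changelog entry only says the default became AES-GCM; given the retained BF-CBC fallback in `--ncp-ciphers`, it should also note that older clients still connect via NCP so that readers of `rpm -q --changelog` do not assume BF-CBC was removed. The date field is written `Aug 4` where the neighbouring entries use a zero-padded day (`Aug 03`); keeping one form avoids tooling that parses changelog dates tripping on the inconsistency. The commit message also mentions fixing the truncated 2.4.3-1 entry, which is not reflected here and could be added as a second bullet.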
@ -193,7 +198,7 @@ getent passwd openvpn &>/dev/null || \
* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1 * Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
- Updating to upstream openvpn-2.4.3 - Updating to upstream openvpn-2.4.3
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508} - Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752 - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
- Fix potential double-free in --x509-alt-username {CVE-2017-7521} - Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521} - Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades - Ensure OpenVPN systemd services are restarted upon upgrades
