Change default cipher for server configurations to AES-GCM

At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
to connect without any issues.

F-27 Change request: https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN

This change was approved in the FESCO meeting 2017-08-04.

Also fix a truncated changelog entry for openvpn-2.4.3-1

0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch

@@ -0,0 +1,32 @@
+From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <dazo@eurephia.org>
+Date: Tue, 4 Jul 2017 16:06:24 +0200
+Subject: [PATCH] Change the default cipher to AES-256-GCM for server
+ configurations
+
+This change makes the server use AES-256-GCM instead of BF-CBC as the default
+cipher for the VPN tunnel.  To avoid breaking existing running configurations
+defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
+the BF-CBC in addition to AES-CBC.  This makes it possible to migrate
+existing older client configurations one-by-one to use at least AES-CBC unless
+the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
+---
+ distro/systemd/openvpn-server@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index 9a8a2c7..0ecda08 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+-- 
+2.11.0
+

openvpn.spec

@@ -7,7 +7,7 @@
 
 Name:              openvpn
 Version:           2.4.3
-Release:           3%{?prerelease:.%{prerelease}}%{?dist}
+Release:           4%{?prerelease:.%{prerelease}}%{?dist}
 Summary:           A full-featured SSL VPN solution
 URL:               https://community.openvpn.net/
 Source0:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
@@ -17,6 +17,7 @@ Source3:           roadwarrior-client.conf
 Source4:           README.systemd
 # Upstream signing key
 Source6:           gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Patch1:            0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
 License:           GPLv2
 Group:             Applications/Internet
 BuildRequires:     systemd-devel
@@ -67,6 +68,7 @@ to similar features as the various script-hooks.
 %prep
 gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
+%patch1 -p1 -b .ch_default_cipher
 
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
 
@@ -184,6 +186,9 @@ getent passwd openvpn &>/dev/null || \
 
 
 %changelog
+* Fri Aug  4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
+- Change to AES-GCM as the default cipher for server configurations
+
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 
@@ -193,7 +198,7 @@ getent passwd openvpn &>/dev/null || \
 * Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
 - Updating to upstream openvpn-2.4.3
 - Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
-- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
 - Fix potential double-free in --x509-alt-username {CVE-2017-7521}
 - Fix remote-triggerable memory leaks {CVE-2017-7521}
 - Ensure OpenVPN systemd services are restarted upon upgrades