
Update openvpn to 2.4.7

Authored by der_eismann on Feb 20 2019, 12:31 PM.



New features:

  • ifconfig-ipv6(-push): allow using hostnames (in place of IPv6 addresses)
  • new option: --ciphersuites to select TLS 1.3 cipher suites (--cipher selects TLS 1.2 and earlier ciphers)
  • enable dhcp on tap adapter using interactive service
  • clarify and expand management interface documentation
  • add Interactive Service developer documentation

User visible changes:

  • add message explaining early TLS client hello failure (if TLS 1.0 only clients try to connect to TLS 1.3 capable servers)
  • --show-tls will now display TLS 1.3 and TLS 1.2 ciphers in separate lists (if built with OpenSSL 1.1.1+)
  • don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' (unnecessary warnings, and will cause spurious warnings with tls-crypt-v2)
  • bump version of openvpn plugin argument structs to 5
  • plugin: Export base64 encode and decode functions
  • man: add security considerations to --compress section

Bug fixes:

  • print port numbers (again) for incoming IPv4 connections received on a dual-stacked IPv6 socket. This got lost at some point during rewrite of the dual-stack code and proper printing of IPv4 addresses.
  • fallback to password authentication when auth-token fails
  • fix option handling in combination with NCP negotiation and OCC (--opt-verify failure on reconnect if NCP modified options and server verified "original" vs. "modified" options)
  • mbedtls: print warning if random personalisation fails

Test Plan

Test SSL/TLS negotiations:

  • sudo openvpn --config sample/sample-config-files/loopback-client (in terminal #1)
  • sudo openvpn --config sample/sample-config-files/loopback-server (simultaneously in terminal #2)

Diff Detail

R2261 openvpn
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

der_eismann created this revision. Feb 20 2019, 12:31 PM
der_eismann requested review of this revision. Feb 20 2019, 12:31 PM

Will this get some love soon?

DataDrake accepted this revision. Mar 22 2019, 9:22 PM
DataDrake added a subscriber: DataDrake.

LGTM. Sorry for the wait!

This revision is now accepted and ready to land. Mar 22 2019, 9:22 PM
This revision was automatically updated to reflect the committed changes.