Update openvpn to 2.4.7

Authored by der_eismann on Mar 22 2019, 9:23 PM.


Update openvpn to 2.4.7

New features:

  • ifconfig-ipv6(-push): allow using hostnames (in place of IPv6 addresses)
  • new option: --ciphersuites to select TLS 1.3 cipher suites (--cipher selects TLS 1.2 and earlier ciphers)
  • enable dhcp on tap adapter using interactive service
  • clarify and expand management interface documentation
  • add Interactive Service developer documentation

User visible changes:

  • add message explaining early TLS client hello failure (if TLS 1.0 only clients try to connect to TLS 1.3 capable servers)
  • --show-tls will now display TLS 1.3 and TLS 1.2 ciphers in separate lists (if built with OpenSSL 1.1.1+)
  • don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' (unnecessary warnings, and will cause spurious warnings with tls-crypt-v2)
  • bump version of openvpn plugin argument structs to 5
  • plugin: Export base64 encode and decode functions
  • man: add security considerations to --compress section

Bug fixes:

  • print port numbers (again) for incoming IPv4 connections received on a dual-stacked IPv6 socket. This got lost at some point during rewrite of the dual-stack code and proper printing of IPv4 addresses.
  • fallback to password authentication when auth-token fails
  • fix option handling in combination with NCP negotiation and OCC (--opt-verify failure on reconnect if NCP modified options and server verified "original" vs. "modified" options)
  • mbedtls: print warning if random personalisation fails

Test Plan:
Test SSL/TLS negotiations:

  • sudo openvpn --config sample/sample-config-files/loopback-client (in terminal #1)
  • sudo openvpn --config sample/sample-config-files/loopback-server (simultaneously in terminal #2)

Reviewers: Triage Team, DataDrake

Reviewed By: Triage Team, DataDrake

Subscribers: DataDrake

Differential Revision:


DataDrakeMar 22 2019, 9:49 PM
DataDrakeMar 22 2019, 9:49 PM
Triage Team
Differential Revision
D5484: Update openvpn to 2.4.7
R2261:9c1003140a2c: Update openvpn to 2.4.6
tag: openvpn-2.4.7-11