mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-19 19:42:30 +02:00
Code
8353ae8075
openvpn/doc
History
Arne Schwabe 8353ae8075 Implement tls-groups option to specify eliptic curves/groups 
By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. In
TLS1.3 key exchange is independent from the signature/key of the
certificates, so allowing all groups per default is not a sensible
choice anymore and instead a shorter list is reasonable.

However, when using certificates with exotic curves that are not on
the group list, the signatures of these certificates will no longer
be accepted.

The tls-groups option allows to modify the group list to account
for these corner cases.

Patch V2: Uses local gc_arena instead of malloc/free, reword commit
          message. Fix other typos/clarify messages

Patch V3: Style fixes, adjust code to changes from mbedTLS session
          fix

Patch V5: Fix compilation with OpenSSL 1.0.2

Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change
          which accidentally got lost.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-21 22:33:58 +02:00
..
doxygen Remove key-method 1 2020-07-21 20:58:13 +02:00
man-sections Implement tls-groups option to specify eliptic curves/groups 2020-07-21 22:33:58 +02:00
android.txt Handle DNS6 option on Android 2016-11-22 17:31:30 +01:00
interactive-service-notes.rst Add Interactive Service developer documentation 2018-06-09 20:14:26 +02:00
keying-material-exporter.txt Fix various spelling mistakes 2019-02-06 19:07:34 +01:00
Makefile.am doc/man: Do not install man *.rst files 2020-07-19 13:53:54 +02:00
management-notes.txt Implement forwarding client CR_RESPONSE messages to management 2020-06-20 12:38:45 +02:00
openvpn.8.rst doc/man: convert openvpn.8 to split-up .rst files 2020-07-17 11:23:18 +02:00
README.man doc/man: convert openvpn.8 to split-up .rst files 2020-07-17 11:23:18 +02:00
README.plugins build: integrate plugins build into core build 2012-06-26 11:29:02 +02:00
tls-crypt-v2.txt tls-crypt-v2: add specification to doc/ 2018-10-26 18:53:32 +02:00

README.plugins 

OpenVPN Plugins
---------------

Starting with OpenVPN 2.0-beta17, compiled plugin modules are
supported on any *nix OS which includes libdl or on Windows.
One or more modules may be loaded into OpenVPN using
the --plugin directive, and each plugin module is capable of
intercepting any of the script callbacks which OpenVPN supports:

(1) up
(2) down
(3) route-up
(4) ipchange
(5) tls-verify
(6) auth-user-pass-verify
(7) client-connect
(8) client-disconnect
(9) learn-address

See the openvpn-plugin.h file in the top-level directory of the
OpenVPN source distribution for more detailed information
on the plugin interface.

Included Plugins
----------------

auth-pam -- Authenticate using PAM and a split privilege
            execution model which functions even if
            root privileges or the execution environment
            have been altered with --user/--group/--chroot.
            Tested on Linux only.

down-root -- Enable the running of down scripts with root privileges
             even if --user/--group/--chroot have been used
             to drop root privileges or change the execution
             environment.  Not applicable on Windows.

examples -- A simple example that demonstrates a portable
            plugin, i.e. one which can be built for *nix
            or Windows from the same source.

Building Plugins
----------------

cd to the top-level directory of a plugin, and use the
"make" command to build it.  The examples plugin is
built using a build script, not a makefile.