mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
OpenVPN is an open source VPN daemon
9e702a5d0f
Renegotiations have been troublesome in the past and also the recent OpenSSL security problem (CVE-2021-3449) is only exploitable if TLS renegotiation is enabled. mbed TLS disables it by default and says in the documentation: Warning: It is recommended to always disable renegotation unless you know you need it and you know what you're doing. In the past, there have been several issues associated with renegotiation or a poor understanding of its properties. TLS renegotiation can be used to restart a session with different parameters (e.g. now with client certs). This something that OpenVPN does not use. For OpenSSL 1.0.2 the workaround to disable renegotiation is rather cumbersome. So we keep this to 1.1.1 only since 1.0.2 is on its way to deprecation anyway. Furthermore because of all these problems, also TLS 1.3 completely drops support for renegotiations. Patch V2: Improve comments and commit message Patch V3: Only disable renegotiation where the SSL_OP_NO_RENEGOTIATION define is available. LibreSSL, wolfSSL and OpenSSL 1.0.2 are lacking this macro. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210401110003.19689-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21939.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
---|---|---|
.github | ||
.travis | ||
build | ||
contrib | ||
debug | ||
dev-tools | ||
distro | ||
doc | ||
include | ||
m4 | ||
sample | ||
src | ||
tests | ||
.git-blame-ignore-revs | ||
.gitattributes | ||
.gitignore | ||
.mailmap | ||
.svncommitters | ||
.travis.yml | ||
AUTHORS | ||
ChangeLog | ||
Changes.rst | ||
compat.m4 | ||
config-msvc-version.h.in | ||
config-msvc.h | ||
configure.ac | ||
CONTRIBUTING.rst | ||
COPYING | ||
COPYRIGHT.GPL | ||
INSTALL | ||
Makefile.am | ||
msvc-build.bat | ||
msvc-dev.bat | ||
msvc-env.bat | ||
NEWS | ||
openvpn.sln | ||
PORTS | ||
README | ||
README.ec | ||
README.IPv6 | ||
README.mbedtls | ||
README.wolfssl | ||
TODO.IPv6 | ||
version.m4 | ||
version.sh.in |
OpenVPN -- A Secure tunneling daemon Copyright (C) 2002-2018 OpenVPN Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. ************************************************************************* To get the latest release of OpenVPN, go to: https://openvpn.net/index.php/download/community-downloads.html To Build and Install, tar -zxf openvpn-<version>.tar.gz cd openvpn-<version> ./configure make make install or see the file INSTALL for more info. ************************************************************************* For detailed information on OpenVPN, including examples, see the man page http://openvpn.net/man.html For a sample VPN configuration, see http://openvpn.net/howto.html To report an issue, see https://community.openvpn.net/openvpn/report For a description of OpenVPN's underlying protocol, see the file ssl.h included in the source distribution. ************************************************************************* Other Files & Directories: * configure.ac -- script to rebuild our configure script and makefile. * sample/sample-scripts/verify-cn A sample perl script which can be used with OpenVPN's --tls-verify option to provide a customized authentication test on embedded X509 certificate fields. * sample/sample-keys/ Sample RSA keys and certificates. DON'T USE THESE FILES FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. * sample/sample-config-files/ A collection of OpenVPN config files and scripts from the HOWTO at http://openvpn.net/howto.html ************************************************************************* Note that easy-rsa and tap-windows are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa https://github.com/OpenVPN/tap-windows The old cross-compilation environment (domake-win) and the Python-based buildsystem have been replaced with openvpn-build: https://github.com/OpenVPN/openvpn-build See the INSTALL file for usage information.