mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
b364711486
OpenVPN currently has a bit of a weakness in its early three way handshake
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
ressource exhaustion
- make the server respond with 3 answers trying to get an ACK for its
P_CONTROL_HARD_RESET_SERVER_V2 answer making it an amplification
Instead of allocating a connection for each client on the initial packet
OpenVPN will now calculate a session id based on a HMAC that serves as
verifiable cookie that can be checked for authenticity when the client
responds with it. This eliminates the amplification attack and resource
exhaustion attacks.
For tls-crypt-v2 clients the HMAC based handshake is not used yet (will
be added in one of the next patches).
Patch v2: rebase on master
patch v3: fix unit tests, improve comment/style of code
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220502154310.836947-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24262.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||
|---|---|---|
| .. | ||
| doxygen | ||
| man-sections | ||
| tests | ||
| android.txt | ||
| gui-notes.txt | ||
| interactive-service-notes.rst | ||
| keying-material-exporter.txt | ||
| Makefile.am | ||
| management-notes.txt | ||
| openvpn-examples.5.rst | ||
| openvpn.8.rst | ||
| README.man | ||
| README.plugins | ||
| tls-crypt-v2.txt | ||
OpenVPN Plugins
---------------
Starting with OpenVPN 2.0-beta17, compiled plugin modules are
supported on any *nix OS which includes libdl or on Windows.
One or more modules may be loaded into OpenVPN using
the --plugin directive, and each plugin module is capable of
intercepting any of the script callbacks which OpenVPN supports:
(1) up
(2) down
(3) route-up
(4) ipchange
(5) tls-verify
(6) auth-user-pass-verify
(7) client-connect
(8) client-disconnect
(9) learn-address
See the openvpn-plugin.h file in the top-level directory of the
OpenVPN source distribution for more detailed information
on the plugin interface.
Included Plugins
----------------
auth-pam -- Authenticate using PAM and a split privilege
execution model which functions even if
root privileges or the execution environment
have been altered with --user/--group/--chroot.
Tested on Linux only.
down-root -- Enable the running of down scripts with root privileges
even if --user/--group/--chroot have been used
to drop root privileges or change the execution
environment. Not applicable on Windows.
examples -- A simple example that demonstrates a portable
plugin, i.e. one which can be built for *nix
or Windows from the same source.
Building Plugins
----------------
cd to the top-level directory of a plugin, and use the
"make" command to build it. The examples plugin is
built using a build script, not a makefile.