mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
b364711486
OpenVPN currently has a bit of a weakness in its early three way handshake A single client reset packet (first packet of the handshake) will - trigger creating a session on the server side leading to potential ressource exhaustion - make the server respond with 3 answers trying to get an ACK for its P_CONTROL_HARD_RESET_SERVER_V2 answer making it an amplification Instead of allocating a connection for each client on the initial packet OpenVPN will now calculate a session id based on a HMAC that serves as verifiable cookie that can be checked for authenticity when the client responds with it. This eliminates the amplification attack and resource exhaustion attacks. For tls-crypt-v2 clients the HMAC based handshake is not used yet (will be added in one of the next patches). Patch v2: rebase on master patch v3: fix unit tests, improve comment/style of code Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20220502154310.836947-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24262.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
---|---|---|
.. | ||
doxygen | ||
man-sections | ||
tests | ||
android.txt | ||
gui-notes.txt | ||
interactive-service-notes.rst | ||
keying-material-exporter.txt | ||
Makefile.am | ||
management-notes.txt | ||
openvpn-examples.5.rst | ||
openvpn.8.rst | ||
README.man | ||
README.plugins | ||
tls-crypt-v2.txt |
OpenVPN Plugins --------------- Starting with OpenVPN 2.0-beta17, compiled plugin modules are supported on any *nix OS which includes libdl or on Windows. One or more modules may be loaded into OpenVPN using the --plugin directive, and each plugin module is capable of intercepting any of the script callbacks which OpenVPN supports: (1) up (2) down (3) route-up (4) ipchange (5) tls-verify (6) auth-user-pass-verify (7) client-connect (8) client-disconnect (9) learn-address See the openvpn-plugin.h file in the top-level directory of the OpenVPN source distribution for more detailed information on the plugin interface. Included Plugins ---------------- auth-pam -- Authenticate using PAM and a split privilege execution model which functions even if root privileges or the execution environment have been altered with --user/--group/--chroot. Tested on Linux only. down-root -- Enable the running of down scripts with root privileges even if --user/--group/--chroot have been used to drop root privileges or change the execution environment. Not applicable on Windows. examples -- A simple example that demonstrates a portable plugin, i.e. one which can be built for *nix or Windows from the same source. Building Plugins ---------------- cd to the top-level directory of a plugin, and use the "make" command to build it. The examples plugin is built using a build script, not a makefile.