This branch is targeted for consumers of the library, where we will do
release handling. This branch should contain reasonably well tested and
stable code only. Features under development and testing should only be
worked on outside of this branch until it is ready and can be merged
into stable.
Since it has been quite some time since the version.hpp file was
updated, this change will now set version to 3.2 - to start this new
versioning regime.
The version numbering and release process is further described in
VersionNumbering.rst
Signed-off-by: David Sommerseth <davids@openvpn.net>
Triple DES, and other 64-bit block-size ciphers vulnerable
to "Sweet32" birthday attack (CVE-2016-6329). Limit such
cipher keys to no more than 64 MB of data
encrypted/decrypted. While our overall goal is to limit
data-limited keys to 64 MB, we trigger a renegotiation
at 48 MB to compensate for possible delays in renegotiation
and rollover to the new key.
This client-side implementation extends data limit
protection to the entire session, even when the server
doesn't implement data limits.
This capability is advertised to servers via the a
peer info setting:
IV_BS64DL=1
meaning "Block-Size 64-bit Data Limit". The "1" indicates
the implementation version.
The implementation currently has some limitations:
* Keys are renegotiated at a maximum rate of once per
5 seconds to reduce the likelihood of loss of
synchronization between peers.
* The maximum renegotiation rate may be further extended
if the peer delays rollover from the old to new key
after renegotiation.
Added N_KEY_LIMIT_RENEG stats counter to count the number
of data-limit-triggered renegotiations.
Added new stats counter KEY_STATE_ERROR which roughly
corresponds to the OpenVPN 2.x error "TLS Error:
local/remote TLS keys are out of sync".
Prevously, the TLS ack/retransmit timeout was hardcoded to
2 seconds. Now we lower the default to 1 second and make
it variable using the (pushable) "tls-timeout" directive.
Additionally, the tls-timeout directive can be specified
in milliseconds instead of seconds by using the
"tls-timeout-ms" form of the directive.
Made the "become primary" time duration configurable via
the (pushable) "become-primary" directive which accepts
a number-of-seconds parameter. become-primary indicates
the time delay between renegotiation and rollover to the
new key for encryption/transmission. become-primary
defaults to the handshake-window which in turn defaults
to 60 seconds.
Incremented core version to 3.0.20.
data to the OpenVPN handshake (peer-info is a client -> server
key/value list that is part of the OpenVPN protocol). To
add peer-info key/value pairs, use ClientAPI::Config::peerInfo.
Incremented core OPENVPN_VERSION to "3.0.6".
tls-version-min directive:
setenv opt tls-version-min 1.2 or-highest
In 3.0 core, properly set OPENVPN_VERSION to 3.0.
Updated make-community to automatically push at
end of build.
