diff mbox series

[Openvpn-devel,8/8] Deprecate NTLMv1 proxy auth method.

Message ID 20221215190143.2107896-9-arne@rfc2549.org
State Accepted
Headers show
Series Improvement/fixes based on Trail of Bits audit | expand

Commit Message

Arne Schwabe Dec. 15, 2022, 7:01 p.m. UTC 
NTLMv1 is ancient and not considered secure anymore and we are not
aware of any users or software still requiring this feature.

Additionally it currently depends on our "doing single DES using
3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing
NTLMv1 will also allow us to remove that workaround.

Reported-By: Trial of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/proxy.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Gert Doering Dec. 16, 2022, 5:42 p.m. UTC | #1 
Acked-by: Gert Doering <gert@greenie.muc.de>

Have not tested beyond "we agreed on that, message looks good,
and it compiles".

Your patch has been applied to the master and release/2.6 branch.

commit e005b8d1fda1ad1e26fe0dbe7e09184a1f19b553 (master)
commit f4f92cc589b5fc473b83c9e9e109a414fa6102ca (release/2.6)
Author: Arne Schwabe
Date:   Thu Dec 15 20:01:43 2022 +0100

     Deprecate NTLMv1 proxy auth method.

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20221215190143.2107896-9-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25731.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Frank Lichtenheld Dec. 19, 2022, 12:13 p.m. UTC | #2 
On Fri, Dec 16, 2022 at 06:42:25PM +0100, Gert Doering wrote:
> Acked-by: Gert Doering <gert@greenie.muc.de>
> 
> Have not tested beyond "we agreed on that, message looks good,
> and it compiles".
> 
> Your patch has been applied to the master and release/2.6 branch.

Just noticed that this is missing a corresponding Changes.rst change.
Should I send a patch for that?

Regards,
Gert Doering Dec. 19, 2022, 12:18 p.m. UTC | #3 
Hi,

On Mon, Dec 19, 2022 at 01:13:20PM +0100, Frank Lichtenheld wrote:
> On Fri, Dec 16, 2022 at 06:42:25PM +0100, Gert Doering wrote:
> > Acked-by: Gert Doering <gert@greenie.muc.de>
> > 
> > Have not tested beyond "we agreed on that, message looks good,
> > and it compiles".
> > 
> > Your patch has been applied to the master and release/2.6 branch.
> 
> Just noticed that this is missing a corresponding Changes.rst change.
> Should I send a patch for that?

Our handling of Changes.rst is not always consistent - somtimes patches
bring that along, for the rest I try to make sense of "git log" when
preparing the next release and add what is missing to Changes.rst.

So, I don't think we need an extra patch for this, will cover when
preparing _beta3 / _rc1, whatever and whenever it will be... :-)

gert
diff mbox series

Patch

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index ed7201616..633caee09 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -519,6 +519,8 @@  http_proxy_new(const struct http_proxy_options *o)
 #if NTLM
         else if (!strcmp(o->auth_method_string, "ntlm"))
         {
+            msg(M_INFO, "NTLM v1 authentication is deprecated and will be removed in "
+                "OpenVPN 2.7");
             p->auth_method = HTTP_AUTH_NTLM;
         }
         else if (!strcmp(o->auth_method_string, "ntlm2"))