From patchwork Thu Dec 15 19:01:43 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2921
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 15 Dec 2022 20:01:43 +0100
Message-Id: <20221215190143.2107896-9-arne@rfc2549.org>
In-Reply-To: <20221215190143.2107896-1-arne@rfc2549.org>
References: <20221215190143.2107896-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/8] Deprecate NTLMv1 proxy auth method.

NTLMv1 is ancient and not considered secure anymore and we are not aware of any users or software still requiring this feature.
Additionally it currently depends on our "doing single DES using 3DES" workaround for OpenSSL (cipher_des_encrypt_ecb). So removing NTLMv1 will also allow us to remove that workaround.

Reported-By: Trail of Bits (TOB-OVPN-7)
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
--- src/openvpn/proxy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ed7201616..633caee09 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -519,6 +519,8 @@ http_proxy_new(const struct http_proxy_options *o) #if NTLM else if (!strcmp(o->auth_method_string, "ntlm")) { + msg(M_INFO, "NTLM v1 authentication is deprecated and will be removed in " + "OpenVPN 2.7"); p->auth_method = HTTP_AUTH_NTLM; } else if (!strcmp(o->auth_method_string, "ntlm2"))
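Review bot: the deprecation message added in the "ntlm" branch of http_proxy_new says the method is going away but not what to use instead; the very next branch handles "ntlm2", so the text could name it, e.g. "NTLM v1 authentication is deprecated and will be removed in OpenVPN 2.7, use ntlm2 instead". Consider M_WARN rather than M_INFO so a notice about an authentication method the commit message itself calls insecure stands out from ordinary startup output. The literal split across the two added lines ("... removed in " "OpenVPN 2.7") concatenates with the intended space, so no issue there. Two smaller points: the message spells it "NTLM v1" while the subject and commit message use "NTLMv1", and a runtime notice alone is easy to miss for users who set the auth-method once in a config file, so the --http-proxy documentation and release notes should carry the same deprecation.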
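The commit message rests on one cryptographic fact: OpenVPN's single-DES helper for NTLMv1 is implemented by driving OpenSSL's 3DES with the same key in all three slots. The Go program below is added here as an illustration of why that works; it is not part of the patch or of OpenVPN's code, and its function names (desViaTripleDES, plainDES, workaroundMatchesDES) are constructed for this example. With K1 = K2 = K3 the encrypt-decrypt-encrypt construction collapses to a single DES encryption, which the program checks against the published DES test vector from "The DES Algorithm Illustrated" and against Go's own single-DES primitive.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// desViaTripleDES encrypts one 8-byte block with single DES by running the
// 3DES (encrypt-decrypt-encrypt) primitive with the same 8-byte key in all
// three key slots. Because K1 == K2 == K3, the middle decryption cancels the
// first encryption and only the final encryption under K remains.
// Hypothetical reimplementation of the idea behind OpenVPN's workaround,
// not the project's own cipher_des_encrypt_ecb.
func desViaTripleDES(key, block []byte) ([]byte, error) {
	if len(key) != 8 || len(block) != 8 {
		return nil, errors.New("single DES needs an 8-byte key and an 8-byte block")
	}
	tripleKey := bytes.Repeat(key, 3) // K || K || K
	c, err := des.NewTripleDESCipher(tripleKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// plainDES is the direct single-DES primitive, used as the reference.
func plainDES(key, block []byte) ([]byte, error) {
	if len(key) != 8 || len(block) != 8 {
		return nil, errors.New("single DES needs an 8-byte key and an 8-byte block")
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// workaroundMatchesDES reports whether the repeated-key 3DES trick and real
// single DES agree on the given block and both produce wantHex.
func workaroundMatchesDES(keyHex, blockHex, wantHex string) (bool, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return false, err
	}
	block, err := hex.DecodeString(blockHex)
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return false, err
	}
	viaTriple, err := desViaTripleDES(key, block)
	if err != nil {
		return false, err
	}
	direct, err := plainDES(key, block)
	if err != nil {
		return false, err
	}
	return bytes.Equal(viaTriple, direct) && bytes.Equal(direct, want), nil
}

func main() {
	// Constructed check using the widely published DES test vector:
	// key 133457799BBCDFF1, plaintext 0123456789ABCDEF -> 85E813540F0AB405.
	ok, err := workaroundMatchesDES("133457799BBCDFF1", "0123456789ABCDEF", "85E813540F0AB405")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("3DES(K,K,K) == DES(K) and matches the test vector:", ok)
}
```

The equivalence is also the defender's reason to welcome the deprecation: every NTLMv1 response is built from single-DES encryptions under keys derived from the password hash, so the whole method inherits DES's 56-bit key space, and the only code in OpenVPN that needed single DES at all was this one authentication path.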