From patchwork Fri Sep 3 23:56:23 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1937
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Sep 2021 11:56:23 +0200
Message-Id: <20210904095629.6273-2-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 1/7] simplify condition detecting pure P2P mode
Cc: Antonio Quartulli

The new condition is equivalent to the old one, but easier to grasp.

Also add a message to inform the user that cipher negotiation, in this
case, is indeed disabled.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
---
 src/openvpn/options.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 00ba6044..0d6b85cf 100644
--- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3076,8 +3076,12 @@ options_postprocess_verify(const struct options *o) static void options_postprocess_cipher(struct options *o) { - if (!o->pull && !(o->mode == MODE_SERVER)) + if (!o->tls_server && !o->tls_client) { + /* we are in the classic P2P mode */ + msg(M_WARN, "Cipher negotiation is disabled since TLS " + "mode is not enabled"); + /* If the cipher is not set, use the old default of BF-CBC. We will * warn that this is deprecated on cipher initialisation, no need * to warn here as well */

From patchwork Fri Sep 3 23:56:24 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1940
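Review bot: on the options_postprocess_cipher() hunk of patch 1/7 above, the commit message calls the new condition equivalent to the old one, but `- if (!o->pull && !(o->mode == MODE_SERVER))` and `+ if (!o->tls_server && !o->tls_client)` differ for a TLS peer configured with --tls-client or --tls-server but without --pull or --mode server: the old test is true there (classic P2P branch, BF-CBC fallback, no negotiation), the new one is false (cipher negotiation stays enabled). If that behaviour change for TLS-based point-to-point setups is intended, the commit message should say so instead of claiming equivalence, so that reviewers of later patches in this series know the P2P/TLS case now goes through negotiation.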
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Sep 2021 11:56:24 +0200
Message-Id: <20210904095629.6273-3-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 2/7] compat-mode: allow user to specify version to be compatible with
Cc: Antonio Quartulli

This change introduces the basic infrastructure required to allow the
user to specify a specific OpenVPN version to be compatible with.

Following changes will modify defaults to more modern and safer values,
while allowing backwards-compatible behaviour on demand.

The backwards-compatible behaviour is instructed via the config knob
'--compat-mode' implemented in this patch.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes.rst | 6 +++++ doc/man-sections/generic-options.rst | 9 +++++++ src/openvpn/options.c | 37 ++++++++++++++++++++++++++++ src/openvpn/options.h | 4 +++ 4 files changed, 56 insertions(+) diff --git a/Changes.rst b/Changes.rst index 0323a7f7..f55b0e3e 100644 --- a/Changes.rst +++ b/Changes.rst @@ -45,6 +45,12 @@ Pending auth support for plugins and scripts See ``sample/sample-scripts/totpauth.py`` for an example. +Compatibility mode (``--compat-mode``) + The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0 + with older peers. The options ``--compat-mode`` allows UIs to provide users + with an easy way to still connect to older servers. + + Deprecated features ------------------- ``inetd`` has been removed diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index db39f6e2..63c6227c 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -52,6 +52,15 @@ which mode OpenVPN is configured as. BSDs implement a getrandom() or getentropy() syscall that removes the need for /dev/urandom to be available. +--compat-mode version + This option provides a way to alter the default of OpenVPN to be more + compatible with the version ``version`` specified. All of the changes + this option does can also be achieved using individual configuration + options. + + Note: Using this option reverts defaults to no longer recommended + values and should be avoided if possible. + --config file Load additional config options from ``file`` where each line corresponds to one command line option, but with the leading '--' removed. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0d6b85cf..4d971a56 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3125,6 +3125,29 @@ options_postprocess_cipher(struct options *o) } } +/** + * Returns if we want 'backwards-compatibility' up to (but not included) a + * certain version + * + * @param version the oldest version that does not compatibility + * e.g. 20400 for all versions < 2.4.0 + * @return whether compatibility should be enabled + */ +static bool +need_compatibility_before(const struct options *o, int version) +{ + return o->backwards_compatible != 0 && o->backwards_compatible < version; +} + +/** + * Changes default values so that OpenVPN can be compatible with the user + * specified version + */ +static void +options_set_backwards_compatible_options(struct options *o) +{ +} + static void options_postprocess_mutate(struct options *o) { @@ -3137,6 +3160,8 @@ options_postprocess_mutate(struct options *o) helper_keepalive(o); helper_tcp_nodelay(o); + options_set_backwards_compatible_options(o); + options_postprocess_cipher(o); options_postprocess_mutate_invariant(o); @@ -6698,6 +6723,18 @@ add_option(struct options *options, setenv_str(es, p[1], p[2] ? p[2] : ""); } } + else if (streq(p[0], "compat-mode") && p[1] && !p[3]) + { + unsigned int major, minor, patch; + if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3)) + { + msg(msglevel, "cannot parse version number for --compat-mode: %s", + p[1]); + goto err; + } + + options->backwards_compatible = major * 10000 + minor * 100 + patch; + } else if (streq(p[0], "setenv-safe") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_SETENV); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index b0e40cb7..98c21a2a 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -225,6 +225,10 @@ struct options /* enable forward compatibility for post-2.1 features */ bool forward_compatible; + /** What version we should try to be compatible with as major * 10000 + + * minor * 100 + patch, e.g. 2.4.7 => 20407 */ + unsigned int backwards_compatible; + /* list of options that should be ignored even if unknown */ const char **ignore_unknown_option;

From patchwork Fri Sep 3 23:56:25 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1941
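Review bot: in the Changes.rst hunk of patch 2/7, `The options ``--compat-mode`` allows UIs to provide users` has a number disagreement; it should read `The option ``--compat-mode`` allows UIs to provide users`.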
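Review bot: in the first src/openvpn/options.c hunk of patch 2/7, the doc comment of need_compatibility_before() is missing a word: `@param version the oldest version that does not compatibility` should be `the oldest version that does not need compatibility`. The `@return` line would also benefit from stating that a `backwards_compatible` of 0 means "not requested": the guard `o->backwards_compatible != 0 &&` is what makes an unset option (and a literal `--compat-mode 0.0.0`) return false, and that convention is otherwise only visible by reading the expression.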
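Review bot: in the add_option() hunk of patch 2/7, the version parser is too permissive: `sscanf(p[1], "%u.%u.%u", &major, &minor, &patch)` accepts trailing text ("2.4.7foo" parses as 2.4.7) and puts no bound on minor or patch, so `--compat-mode 2.4.700` yields 2*10000 + 4*100 + 700 = 21100, which need_compatibility_before() then treats as version 2.11.0. Reject minor or patch values of 100 or more (and use a `%n` conversion to require the whole argument to be consumed) before computing `options->backwards_compatible = major * 10000 + minor * 100 + patch;`. Separately, this branch has no VERIFY_PERMISSION() call, while the adjacent `setenv-safe` branch starts with `VERIFY_PERMISSION(OPT_P_SETENV);`; without one the option is also accepted when pushed by a server, which would let a server lower a client's defaults, so `VERIFY_PERMISSION(OPT_P_GENERAL);` is needed to keep it a local-configuration-only option. Style: `if (!(sscanf(...) == 3))` reads more naturally as `if (sscanf(...) != 3)`.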
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Sep 2021 11:56:25 +0200
Message-Id: <20210904095629.6273-4-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 3/7] reject compression by default
Cc: Antonio Quartulli

With this change the value of '--allow-compression' is set to 'no'.
Therefore compression is not enabled by default and cannot be enabled by
the server either.

This change is in line with the current trend of not recommending
compression over VPN tunnels for security reasons (check Voracle).

On top of that compression is mostly useless nowadays, therefore there is
no real reason to enable it.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes.rst | 7 +++++++ doc/man-sections/generic-options.rst | 6 ++++++ src/openvpn/comp.h | 1 + src/openvpn/options.c | 11 +++++++++++ 4 files changed, 25 insertions(+) diff --git a/Changes.rst b/Changes.rst index f55b0e3e..65b838b9 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,6 +71,13 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +Compression no longer enabled by default + Unless an explicit compression option is specified in the configuration, + ``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0. + By default, OpenVPN 2.5 still allowed a server to enable compression by + pushing compression related options. + + Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 63c6227c..a8d24572 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -61,6 +61,12 @@ which mode OpenVPN is configured as. Note: Using this option reverts defaults to no longer recommended values and should be avoided if possible. + The following table details what defaults are changed depending on the + version specified. + + - 2.5.x or lower: ``--allow-compression asym`` is automatically added + to the configuration if no other compression options are present. + --config file Load additional config options from ``file`` where each line corresponds to one command line option, but with the leading '--' removed. diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index cd4f0e1a..619a574e 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h 
@@ -59,6 +59,7 @@ #define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY * we still accept other compressions to be pushed */ #define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */ +#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow assymetric compression */ /* diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4d971a56..21c76a69 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3146,6 +3146,16 @@ need_compatibility_before(const struct options *o, int version) static void options_set_backwards_compatible_options(struct options *o) { + /* Compression is deprecated and we do not want to announce support for it + * by default anymore, additionally DCO breaks with compression. + * + * Disable compression by default starting with 2.6.0 if no other + * compression related option has been explicitly set */ + if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600) + && (o->comp.flags == 0)) + { + o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + } } static void 
@@ -7732,6 +7742,7 @@ add_option(struct options *options, else if (streq(p[1], "asym")) { options->comp.flags &= ~COMP_F_ALLOW_COMPRESS; + options->comp.flags |= COMP_F_ALLOW_ASYM; } else if (streq(p[1], "yes")) {

From patchwork Fri Sep 3 23:56:26 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1936
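Review bot: in the Changes.rst hunk of patch 3/7, `defaults to ``no`` in OpeNVPN 2.6.0` misspells the project name; it should be `OpenVPN 2.6.0`.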
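Review bot: in the doc/man-sections/generic-options.rst hunk of patch 3/7, `The following table details what defaults are changed` introduces a bullet list, not a table; `The following list details` matches what is actually rendered and still fits when later patches append more bullets.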
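Review bot: in the src/openvpn/comp.h hunk of patch 3/7, the comment on `COMP_F_ALLOW_ASYM` misspells `assymetric`; it should read `asymmetric`. Since the flag exists only to make an explicit `--allow-compression asym` distinguishable from an unset option, saying that in the comment ("set so that options.c can tell an explicit asym from the default") would explain why it carries no behaviour of its own.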
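Review bot: in the options_set_backwards_compatible_options() hunk of patch 3/7, the test `(o->comp.flags == 0)` is what decides that no compression option was given explicitly, and it only works because every `--allow-compression` value leaves a nonzero flag behind (the reason `COMP_F_ALLOW_ASYM` is introduced in the next hunk). Record that dependency in the comment so a later change that clears flags does not silently re-enable the pre-2.6 default. The man page addition in the same patch says `--allow-compression asym` is "automatically added" for 2.5.x or lower, whereas this code simply leaves `o->comp.flags` at 0 in that case; if 0 already means asym, say so here so the two descriptions can be checked against each other.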
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 4 Sep 2021 11:56:26 +0200
Message-Id: <20210904095629.6273-5-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 4/7] do not include --cipher value in data-ciphers
Cc: Antonio Quartulli

The --cipher option has been there for a while, but it became more and
more confusing since the introduction of NCP (data cipher negotiation).

The fallback cipher can now be specified via --data-cipher-fallback,
while the list of accepted ciphers is specified via --data-ciphers.

--cipher can still be used for compatibility reasons, but won't affect
the cipher negotiation.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
---
 Changes.rst                          |  5 ++++
 doc/man-sections/generic-options.rst |  2 ++
 src/openvpn/options.c                | 38 ++++++++++++++++------------
 src/openvpn/ssl_ncp.c                | 13 ++++++++++
 src/openvpn/ssl_ncp.h                |  8 ++++++
 5 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 65b838b9..f803b760 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -71,6 +71,11 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +``--cipher`` argument is no longer included in ``--data-ciphers`` by default + Data cipher negotiation has been introduced in 2.4.0 and been significantly + improved in 2.5.0. The implicit fallback to the cipher specified in + ``--cipher`` has been removed. + Compression no longer enabled by default Unless an explicit compression option is specified in the configuration, ``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0. diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a8d24572..8b26cd1a 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -66,6 +66,8 @@ which mode OpenVPN is configured as. - 2.5.x or lower: ``--allow-compression asym`` is automatically added to the configuration if no other compression options are present. + - 2.4.x or lower: The cipher in ``--cipher`` is appended to + ``--data-ciphers`` --config file Load additional config options from ``file`` where each line corresponds diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 21c76a69..88ac5bed 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3102,26 +3102,20 @@ options_postprocess_cipher(struct options *o) /* We still need to set the ciphername to BF-CBC since various other * parts of OpenVPN assert that the ciphername is set */ o->ciphername = "BF-CBC"; + + msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.6 " + "defaulted to BF-CBC as fallback when cipher negotiation " + "failed in this case. If you need this fallback please add " + "'--data-ciphers-fallback 'BF-CBC' to your configuration " + "and/or add BF-CBC to --data-ciphers."); } else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) { - msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in" - " --data-ciphers (%s). Future OpenVPN version will " - "ignore --cipher for cipher negotiations. " - "Add '%s' to --data-ciphers or change --cipher '%s' to " - "--data-ciphers-fallback '%s' to silence this warning.", - o->ciphername, o->ncp_ciphers, o->ciphername, - o->ciphername, o->ciphername); - o->enable_ncp_fallback = true; - - /* Append the --cipher to ncp_ciphers to allow it in NCP */ - size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(o->ciphername) + 1; - char *ncp_ciphers = gc_malloc(newlen, false, &o->gc); - - ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, - o->ciphername)); - o->ncp_ciphers = ncp_ciphers; + msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in " + "--data-ciphers (%s). OpenVPN ignores --cipher for cipher " + "negotiations. ", + o->ciphername, o->ncp_ciphers); } } 
@@ -3146,6 +3140,18 @@ need_compatibility_before(const struct options *o, int version) static void options_set_backwards_compatible_options(struct options *o) { + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. + * Version 2.4 might probably does not need it but NCP was not so + * good with 2.4 and ncp-disable might be more common on 2.4 peers. + * Only do this iif --cipher is not explicitly (BF-CBC). This is not + * 100% correct backwards compatible behaviour but 2.5 already behaved like + * this */ + if (o->ciphername && need_compatibility_before(o, 20500) + && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) + { + append_cipher_to_ncp_list(o, o->ciphername); + } + /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression. * diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 6967e2bb..022a9dc3 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -172,6 +172,19 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) return ret; } + +void +append_cipher_to_ncp_list(struct options *o, const char *ciphername) +{ + /* Append the --cipher to ncp_ciphers to allow it in NCP */ + size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1; + char *ncp_ciphers = gc_malloc(newlen, false, &o->gc); + + ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, + ciphername)); + o->ncp_ciphers = ncp_ciphers; +} + bool tls_item_in_cipher_list(const char *item, const char *list) { diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 4a2601a2..09ddeb28 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h 
@@ -102,6 +102,14 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc); char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc); +/** + * Appends the cipher specified by the ciphernamer parameter to to + * the o->ncp_ciphers list. + * @param o options struct to modify. Its gc is also used + * @param ciphername the ciphername to add + */ +void append_cipher_to_ncp_list(struct options *o, const char *ciphername); + /** * Return true iff item is present in the colon-separated zero-terminated * cipher list.
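Review bot: the comment on the new block in options_set_backwards_compatible_options does not parse ("Version 2.4 might probably does not need it", "Only do this iif --cipher is not explicitly (BF-CBC)") and does not describe the code: nothing tests for BF-CBC, the block runs whenever o->ciphername is non-NULL, the requested compat version is below 2.5.0 and the cipher is missing from o->ncp_ciphers. Because options_postprocess_cipher (earlier hunk) forces o->ciphername = "BF-CBC" when --cipher is absent, the non-NULL test only means "explicitly set" if this function runs before that one; please say so in the comment, or check the explicit-setting condition directly so the ordering cannot silently re-add BF-CBC.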
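Review bot: append_cipher_to_ncp_list() in ssl_ncp.c calls strlen(o->ncp_ciphers) with no NULL check and does not test whether ciphername is already in the list, so it depends on every caller doing the tls_item_in_cipher_list() check first; either document that precondition in the ssl_ncp.h comment or move the tls_item_in_cipher_list() test into the function so a second caller cannot produce duplicate entries. The ssl_ncp.h doc comment also has typos: "ciphernamer parameter to to" should read "ciphername parameter to".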
From patchwork Fri Sep 3 23:56:27 2021 X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 1938
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 4 Sep 2021 11:56:27 +0200
Message-Id: <20210904095629.6273-6-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 5/7] compat-mode: add --data-cipher-fallback automatically if requested

For compatibility with OpenVPN older than 2.4.0, the '--data-cipher-fallback' argument is automatically added with the same value as specified by '--cipher'. This happens only when the user specifies compat-mode with a version older than 2.4.0.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
---
 doc/man-sections/generic-options.rst | 2 ++
 src/openvpn/options.c | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 8b26cd1a..3e099e12 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -68,6 +68,8 @@ which mode OpenVPN is configured as. to the configuration if no other compression options are present. - 2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers`` + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with + the same cipher as ``--cipher`` --config file Load additional config options from ``file`` where each line corresponds diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 88ac5bed..f2fb6d64 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3152,6 +3152,13 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + if (o->ciphername && need_compatibility_before(o, 20400)) + { + o->enable_ncp_fallback = true; + } + /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression. *
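Review bot: the man page bullet names the option ``--data-cipher-fallback``, but the option OpenVPN takes, and the one the options_postprocess_cipher message earlier in this series tells users to add, is ``--data-ciphers-fallback``; the same misspelling is in the commit subject and message, so fix all three or users will look for an option that does not exist.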
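Review bot: once this block sets o->enable_ncp_fallback, the `!o->enable_ncp_fallback` branch in options_postprocess_cipher is skipped, so a user with --compat-mode 2.3.x gets no log line at all saying that --cipher is being used as the fallback cipher; emit an M_INFO here stating that --compat-mode enabled the --cipher fallback. The comment should also be reworded: "Versions < 2.4.0 additionally might be compiled with --enable-small and not have OCC strings" reads better as "2.3.x peers built with --enable-small send no OCC string, so cipher negotiation cannot see their cipher and the fallback must be enabled".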
From patchwork Fri Sep 3 23:56:28 2021 X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 1934
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 4 Sep 2021 11:56:28 +0200
Message-Id: <20210904095629.6273-7-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 6/7] set TLS 1.2 as minimum by default

Do not accept handshakes with peers trying to negotiate TLS lower than 1.2. TLS 1.1 and 1.0 are not recommended and therefore will, by default, allow TLS 1.2 as minimum version. The minimum allowed version can still be controlled via '--tls-version-min'.

At the same time automatically set '--tls-version-min' to 1.0 if the user requires compatibility with versions older than 2.3.7, as that was the only version supported back then.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes.rst | 5 +++++ doc/man-sections/generic-options.rst | 2 ++ src/openvpn/options.c | 16 ++++++++++++++++ 3 files changed, 23 insertions(+) diff --git a/Changes.rst b/Changes.rst index f803b760..472421c8 100644 --- a/Changes.rst +++ b/Changes.rst @@ -71,6 +71,11 @@ Deprecated features This option mainly served a role as debug option when NCP was first introduced. It should now no longer be necessary. +TLS 1.0 and 1.1 are deprecated + ``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults + to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally + avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only. + ``--cipher`` argument is no longer included in ``--data-ciphers`` by default Data cipher negotiation has been introduced in 2.4.0 and been significantly improved in 2.5.0. The implicit fallback to the cipher specified in diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 3e099e12..e6c1fe45 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -70,6 +70,8 @@ which mode OpenVPN is configured as. ``--data-ciphers`` - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with the same cipher as ``--cipher`` + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration + when ``--tls-version-min`` is not explicitly set. --config file Load additional config options from ``file`` where each line corresponds diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2fb6d64..6f6eb73d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -850,6 +850,7 @@ init_options(struct options *o, const bool init_gc) o->use_prediction_resistance = false; #endif o->tls_timeout = 2; + o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT); o->renegotiate_bytes = -1; o->renegotiate_seconds = 3600; o->renegotiate_seconds_min = -1; 
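Review bot: presetting o->ssl_flags to TLS 1.2 in init_options makes "not explicitly set" indistinguishable from an explicit --tls-version-min 1.2, yet that is exactly the state the `(o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0` test in the next hunk tries to detect; with this line in place that test is never true, the 2.3.6-and-older fallback is dead code and the man page promise "added when --tls-version-min is not explicitly set" does not hold. Leave the minimum unset in init_options and let options_set_backwards_compatible_options apply the 1.2 default. The Changes.rst entry also says the same thing twice ("is set to 1.2 by default" and "defaults to a minimum TLS version of 1.2"); one sentence plus a pointer to --tls-version-min 1.0 / --compat-mode for old peers would be more useful.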
@@ -3140,6 +3141,21 @@ need_compatibility_before(const struct options *o, int version) static void options_set_backwards_compatible_options(struct options *o) { + /* TLS min version is not set */ + if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0) + { + if (need_compatibility_before(o, 20307)) + { + /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ + o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT); + } + else + { + /* Use TLS 1.2 as proper default */ + o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT); + } + } + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. * Version 2.4 might probably does not need it but NCP was not so * good with 2.4 and ncp-disable might be more common on 2.4 peers.
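Review bot: both assignments in the new TLS-minimum block use `o->ssl_flags = (...)`, which throws away every other bit already stored in ssl_flags at this point (an explicit --tls-version-max and any other SSLF_* flag parsed from the configuration); only the minimum-version field should change, so use `|=`. The guard `(o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0` also needs a look: the value is stored shifted by SSLF_TLS_VERSION_MIN_SHIFT, so unless SSLF_TLS_VERSION_MIN_MASK is already a shifted mask the test must be `((o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK) == 0`, matching how the field is written two lines below.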
From patchwork Fri Sep 3 23:56:29 2021 X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 1935
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 4 Sep 2021 11:56:29 +0200
Message-Id: <20210904095629.6273-8-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 7/7] add message about changing default values

With OpenVPN 2.6 there are a number of default settings that are changing to more modern and safer values. Some users may not be aware of that and may experience problematic behaviours, especially when connecting to older peers.

Add a warning at startup to notify users about the change.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
---
 src/openvpn/options.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6f6eb73d..26eac836 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3278,6 +3278,12 @@ options_postprocess_mutate(struct options *o) * when using --pull */ pre_connect_save(o); + + /* Give a general warning at the end of initialisation that defaults + * have changed */ + msg(M_WARN, "Note that modernisation of defaults in OpenVPN 2.6 limits " + "compatibility with old versions. See Changes.rst and " + "--compat-mode in the manual for details."); } /*