- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
+ rework registry key handling for OpenVPN service, notably
making most registry values optional, falling back to
reasonable defaults
+ accept IPv6 address for pushed "dhcp-option DNS ..." (make
OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
clients)
* Bug fixes
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+ Fix lots of compiler warnings (format string, type casts, ...)
+ reload HTTP proxy credentials when moving to the next
connection profile
+ Fix build with LibreSSL (multiple times)
+ Remove non-useful warning on pushed tun-ipv6 option.
+ autoconf: Fix engine checks for openssl 1.1
+ lz4: Rebase compat-lz4 against upstream v1.7.5
+ lz4: Fix broken builds when pkg-config is not present but
system library is
+ Fix '--bind ipv6only'
+ Allow learning iroutes with network made up of all 0s
- Includes 2.4.4
* Bug fixes
+ Fix issues when a pushed cipher via the Negotiable Crypto
Parameters (NCP) is rejected by the remote side
+ Ignore --keysize when NCP have resulted in a changed cipher
+ Configurations using --auth-nocache and the management
interface to provide user credentials (like NetworkManager)
on client side with servers implementing authentication
tokens (for example, using --auth-gen-token) will now behave
correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
+ Invalid or corrupt SOCKS port number when changing the proxy
via the management interface.
+ man page should now have proper escaping of hyphen/minus
characters and other minor corrections.
* User-visible Changes
+ Linux servers with systemd which use the openvpn-server@.service
unit file for server configurations will now utilize the
automatic restart feature in systemd. If the OpenVPN server
process dies unexpectedly, systemd will ensure the OpenVPN
configuration will be restarted automatically.
* Deprecated
+ --no-replay (will be removed in 2.5)
+ --keysize (will be removed in 2.6)
* Security
+ CVE-2017-12166: Fix bounds check for configurations using
--key-method 1. Before this fix, attackers could send a
malformed packet to trigger a stack overflow. This is
considered to be a low risk issue, as --key-method 2 has
been the default since 2.0 (released on 2005-04-17). This
option is already deprecated in v2.4 and will be completely
removed in v2.5.
- Rebase openvpn-fips140-2.3.2.patch
- Drop 0002-Fix-bounds-check-in-read_key.patch
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
- Partial cleanup with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/586118
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=133
42c7e8bef4