#
# spec file for package openvpn
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
Accepting request 586118 from home:avindra
- Update to 2.4.5
* New features
+ The new option --tls-cert-profile can be used to restrict the
set of allowed crypto algorithms in TLS certificates in mbed
TLS builds. The default profile is 'legacy' for now, which
allows SHA1+, RSA-1024+ and any elliptic curve certificates.
The default will be changed to the 'preferred' profile in the
future, which requires SHA2+, RSA-2048+ and any curve.
+ openvpnserv: Add support for multi-instances (to support
multiple parallel OpenVPN installations, like EduVPN and
regular OpenVPN)
+ Use P_DATA_V2 for server->client packets too (better packet
alignment)
+ improve management interface documentation
+ rework registry key handling for OpenVPN service, notably
making most registry values optional, falling back to
reasonable defaults
+ accept IPv6 address for pushed "dhcp-option DNS ..." (make
OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
clients)
* Bug fixes
+ Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+ Fix lots of compiler warnings (format string, type casts, ...)
+ reload HTTP proxy credentials when moving to the next
connection profile
+ Fix build with LibreSSL (multiple times)
+ Remove non-useful warning on pushed tun-ipv6 option.
+ autoconf: Fix engine checks for openssl 1.1
+ lz4: Rebase compat-lz4 against upstream v1.7.5
+ lz4: Fix broken builds when pkg-config is not present but
system library is
+ Fix '--bind ipv6only'
+ Allow learning iroutes with network made up of all 0s
- Includes 2.4.4
* Bug fixes
+ Fix issues when a pushed cipher via the Negotiable Crypto
Parameters (NCP) is rejected by the remote side
+ Ignore --keysize when NCP have resulted in a changed cipher
+ Configurations using --auth-nocache and the management
interface to provide user credentials (like NetworkManager)
on client side with servers implementing authentication
tokens (for example, using --auth-gen-token) will now behave
correctly and not query the user for an, to them, unknown
authentication token on renegotiations of the tunnel.
+ Invalid or corrupt SOCKS port number when changing the proxy
via the management interface.
+ man page should now have proper escaping of hyphen/minus
characters and other minor corrections.
* User-visible Changes
+ Linux servers with systemd which use the openvpn-server@.service
unit file for server configurations will now utilize the
automatic restart feature in systemd. If the OpenVPN server
process dies unexpectedly, systemd will ensure the OpenVPN
configuration will be restarted automatically.
* Deprecated
+ --no-replay (will be removed in 2.5)
+ --keysize (will be removed in 2.6)
* Security
+ CVE-2017-12166: Fix bounds check for configurations using
--key-method 1. Before this fix, attackers could send a
malformed packet to trigger a stack overflow. This is
considered to be a low risk issue, as --key-method 2 has
been the default since 2.0 (released on 2005-04-17). This
option is already deprecated in v2.4 and will be completely
removed in v2.5.
- Rebase openvpn-fips140-2.3.2.patch
- Drop 0002-Fix-bounds-check-in-read_key.patch
* upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
- Partial cleanup with spec-cleaner
OBS-URL: https://build.opensuse.org/request/show/586118
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=133
2018-04-10 16:14:26 +02:00
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
%if 0%{?suse_version} > 1210
%define with_systemd 1
%else
%define with_systemd 0
%endif
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif
Name:           openvpn
Version:        2.4.10
Release:        0
Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
License:        LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception
Group:          Productivity/Networking/Security
URL:            http://openvpn.net/
Source:         https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz
Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz.asc
Source2:        %{name}.init
Source3:        %{name}.README.SUSE
Source4:        client-netconfig.up
Source5:        client-netconfig.down
Source6:        %{name}.sysconfig
Source7:        %{name}.keyring
Source8:        %{name}.service
Source9:        %{name}.target
Source10:       %{name}-tmpfile.conf
Source11:       rc%{name}
Patch1:         %{name}-2.3-plugin-man.dif
Patch6:         %{name}-fips140-2.3.2.patch
Patch7:         openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
Patch8:         openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
Patch9:         0001-preform-deferred-authentication-in-the-background.patch
BuildRequires:  iproute2
BuildRequires:  libselinux-devel
BuildRequires:  lzo-devel
BuildRequires:  openssl-devel
BuildRequires:  p11-kit-devel
BuildRequires:  pam-devel
BuildRequires:  pkcs11-helper-devel >= 1.11
BuildRequires:  xz
Requires:       iproute2
Requires:       pkcs11-helper >= 1.11
Requires:       sysvinit-tools
%if %{with_systemd}
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  pkgconfig(systemd)
%systemd_ordering
%else
PreReq:         %fillup_prereq
PreReq:         %insserv_prereq
%endif

%description
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and enterprise-scale remote access solutions with load
balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
industry standard SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual
interface.

OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
NetBSD, Mac OS X, and Solaris.

OpenVPN is not a web application proxy and does not operate through a
web browser.

%package down-root-plugin
Summary:        OpenVPN down-root plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description down-root-plugin
The OpenVPN down-root plugin allows an OpenVPN configuration to call a
down script with root privileges, even when privileges have been
dropped using --user/--group/--chroot.

This module uses a split privilege execution model which will fork()
before OpenVPN drops root privileges, at the point where the --up
script is usually called. The plugin will then remain in a wait state
until it receives a message from OpenVPN via pipe to execute the down
script. Thus, the down script will be run in the same execution
environment as the up script.

%package auth-pam-plugin
Summary:        OpenVPN auth-pam plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description auth-pam-plugin
The OpenVPN auth-pam plugin implements username/password authentication
via PAM, and essentially allows any authentication method supported by
PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
OpenVPN.

While PAM supports username/password authentication, this can be
combined with X509 certificates to provide two independent levels of
authentication.

This plugin uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or
chroot directives.
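The split-privilege execution model that both the down-root and the auth-pam plugin descriptions rely on (fork a helper while still root, drop privileges in the daemon, later signal the helper over a pipe) is shown below as an added example in C. It is not OpenVPN's plugin code: the `priv_helper` structure, the function names, the single-byte pipe protocol, the `report_uid` stand-in for a down script and the `nobody` account used by `main` are assumptions of this illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Helper forked *before* the daemon gives up root: the daemon keeps only a
 * pipe pair to it, the helper keeps the fork-time uid/gid/root directory. */
struct priv_helper {
    pid_t pid;
    int cmd_fd;    /* daemon -> helper: the byte 'D' means "run the down action" */
    int result_fd; /* helper -> daemon: int status of the action */
};

/* Fork the helper; action(arg) later runs in it with fork-time privileges. */
int helper_spawn(struct priv_helper *h, int (*action)(void *), void *arg)
{
    int cmd[2], res[2];
    if (pipe(cmd) < 0 || pipe(res) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* helper: block until told what to do */
        close(cmd[1]);
        close(res[0]);
        unsigned char c;
        while (read(cmd[0], &c, 1) == 1) {    /* EOF (daemon closed it) = quit */
            int status = (c == 'D') ? action(arg) : -1;
            if (write(res[1], &status, sizeof status) != (ssize_t)sizeof status)
                _exit(2);
        }
        _exit(0);
    }
    close(cmd[0]);                        /* daemon: keep the other ends only */
    close(res[1]);
    h->pid = pid;
    h->cmd_fd = cmd[1];
    h->result_fd = res[0];
    return 0;
}

/* Ask the helper to run the down action; returns its status, -1 if it is gone. */
int helper_run_down(struct priv_helper *h)
{
    unsigned char c = 'D';
    int status;
    if (write(h->cmd_fd, &c, 1) != 1 ||
        read(h->result_fd, &status, sizeof status) != (ssize_t)sizeof status)
        return -1;
    return status;
}

/* Close the pipe (the helper's quit signal) and reap it; returns its exit status. */
int helper_close(struct priv_helper *h)
{
    int ws = 0;
    close(h->cmd_fd);
    close(h->result_fd);
    if (waitpid(h->pid, &ws, 0) < 0)
        return -1;
    return WIFEXITED(ws) ? WEXITSTATUS(ws) : -1;
}

/* What --user does.  Meaningful only as root; a no-op otherwise so the example
 * also runs unprivileged.  Groups before uid, or the gid change would fail. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return 0;
    struct passwd *pw = getpwnam(user);
    if (!pw || setgroups(0, NULL) < 0 || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
        return -1;
    return 0;
}

/* Constructed stand-in for a down script: report the uid it ran with. */
static int report_uid(void *arg) { (void)arg; return (int)geteuid(); }

/* Spawn first, drop second, request the action third.  Returns 0 when the
 * action ran with the fork-time uid although the daemon had dropped it. */
int demo_split_privilege(const char *user)
{
    uid_t original = geteuid();
    struct priv_helper h;
    if (helper_spawn(&h, report_uid, NULL) < 0)
        return -1;
    int dropped = drop_privileges(user);
    int helper_uid = helper_run_down(&h);
    helper_close(&h);
    if (dropped < 0 || helper_uid != (int)original)
        return -1;
    return (original == 0 && geteuid() == 0) ? -1 : 0;
}

int main(void)
{
    return demo_split_privilege("nobody") == 0 ? 0 : 1;
}
```

Run as root, the daemon end loses its uid while the helper still reports uid 0; as an unprivileged user `drop_privileges` is a no-op and the exchange still completes. The same ordering is what makes the plugins safe to combine with --chroot: the helper was forked before the chroot, so its view of the filesystem is the one the --up script had.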

%package devel
Summary:        OpenVPN plugin header
Group:          Development/Libraries/C and C++
Requires:       %{name} = %{version}

%description devel
This package provides the header file to build external plugins.

%prep
%setup -q
%patch1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
    -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
    -i doc/openvpn.8
sed -e "s|%{_localstatedir}/run|%{_rundir}|g" < \
    $RPM_SOURCE_DIR/%{name}.service > %{name}.service

# %%doc items shouldn't be executable.
find contrib sample -type f -exec chmod a-x \{\} \;

%build
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
export LDFLAGS
%configure \
    --enable-iproute2 \
    --enable-x509-alt-username \
    --enable-pkcs11 \
%if %{with_systemd}
    --enable-systemd \
%endif
    --enable-plugins \
    --enable-plugin-down-root \
    --enable-plugin-auth-pam \
    CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS" \
    LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
make %{?_smp_mflags}

%install
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
mkdir -p %{buildroot}/%{_rundir}/openvpn
mkdir -p %{buildroot}/%{_datadir}/openvpn
%if %{with_systemd}
rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service
rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
# use the one provided by SUSE
rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target
install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name}
# tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
%else
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init %{buildroot}/%{_sysconfdir}/init.d/openvpn
ln -sv %{_sysconfdir}/init.d/openvpn %{buildroot}/%{_sbindir}/rcopenvpn
# the /etc/sysconfig/openvpn template is only needed with sysvinit, not with systemd
install -d -m0755 %{buildroot}%{_fillupdir}
install -m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \
    %{buildroot}%{_fillupdir}/sysconfig.openvpn
%endif
cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
install -m 755 $RPM_SOURCE_DIR/client-netconfig.up sample/sample-scripts/client-netconfig.up
install -m 755 $RPM_SOURCE_DIR/client-netconfig.down sample/sample-scripts/client-netconfig.down

# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
find sample -name .gitignore | xargs rm -f

%pre
%if %{with_systemd}
%service_add_pre %{name}.target
%endif

%post
%if %{with_systemd}
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
%service_add_post %{name}.target
# try to migrate openvpn.service autostart to openvpn@<CONF>.service
if test $1 -ge 1 -a \
        -x /bin/systemctl -a \
        -f %{_sysconfdir}/sysconfig/openvpn -a \
        -f %{_fillupdir}/sysconfig.openvpn && \
    /bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ;
then
    . %{_sysconfdir}/sysconfig/openvpn
    try_service_cgroup_join()
    {
        local p="%{_localstatedir}/run/openvpn/${1}.pid"
        local t="/sys/fs/cgroup/systemd/system/openvpn@.service/${1}"
        /sbin/checkproc -p "$p" "%{_sbindir}/openvpn" &>/dev/null || return 0
        test -d "$t" || mkdir -p "$t" 2>/dev/null || return 1
        cat "$p" > "$t/tasks" 2>/dev/null || return 1
    }
    if test "X$OPENVPN_AUTOSTART" != "X" ; then
        for conf in $OPENVPN_AUTOSTART ; do
            test -f "%{_sysconfdir}/openvpn/${conf}.conf" && \
            /bin/systemctl enable "openvpn@${conf}.service" && \
            try_service_cgroup_join "$conf" || continue
        done
    else
        shopt -s nullglob || :
        for conf in %{_sysconfdir}/openvpn/*.conf ; do
            conf=${conf##*/}
            conf=${conf%.conf}
            test -f "%{_sysconfdir}/openvpn/${conf}.conf" && \
            /bin/systemctl enable "openvpn@${conf}.service" && \
            try_service_cgroup_join "$conf" || continue
        done
    fi
fi
rm -f %{_sysconfdir}/sysconfig/openvpn || :
%else
%{?fillup_and_insserv:%fillup_and_insserv}
%endif

%preun
%if %{with_systemd}
%service_del_preun %{name}.target
%else
%{?stop_on_removal:%stop_on_removal openvpn}
%endif

%postun
%if %{with_systemd}
%service_del_postun %{name}.target
%else
%{?insserv_cleanup:%insserv_cleanup}
%endif

%files
%license COPYING
%doc AUTHORS COPYRIGHT.GPL ChangeLog PORTS README
%doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
%doc README.*
%doc contrib
%doc sample/sample-config-files
%doc sample/sample-keys
%doc sample/sample-scripts
%doc doc/management-notes.txt
%{_mandir}/man8/openvpn.8%{?ext_man}
%config(noreplace) %{_sysconfdir}/openvpn/
%if %{with_systemd}
%dir %{_tmpfilesdir}
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
%else
%config %{_sysconfdir}/init.d/openvpn
%{_fillupdir}/sysconfig.openvpn
%dir %attr(750,root,root) %{_rundir}/openvpn/
%endif
%{_sbindir}/rcopenvpn
%{_sbindir}/openvpn

%files down-root-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so

%files auth-pam-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so

%files devel
%{_includedir}/%{name}-plugin.h
%{_includedir}/%{name}-msg.h

%changelog