rpms / openvpn

Clone
Source Code
GIT

Blame 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch

dev/f25 dev/f26-managment-auth-token-fix el4 el5 el6 epel7 epel8 epel8-playground epel9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f26-fix/mbedtls-md5 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   rawhide
  2.   0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Blob History Raw
David Sommerseth ce20bc1 
From d045acbbdd0c4683903f84eb866087511a69c687 Mon Sep 17 00:00:00 2001
b931012 
From: David Sommerseth <dazo@eurephia.org>
David Sommerseth ce20bc1 
Date: Mon, 5 Dec 2022 20:51:25 +0100
b931012 
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
b931012 
 configurations
b931012
b931012 
This change makes the server use AES-256-GCM instead of BF-CBC as the default
b931012 
cipher for the VPN tunnel.  To avoid breaking existing running configurations
b931012 
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
b931012 
the BF-CBC in addition to AES-CBC.  This makes it possible to migrate
b931012 
existing older client configurations one-by-one to use at least AES-CBC unless
b931012 
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
2bfe48c
2bfe48c 
[Update 2022-06-10]
2bfe48c 
The BF-CBC reference is now removed as of Fedora 36 and newer.  The Blowfish
2bfe48c 
cipher is no longer available by default in OpenSSL 3.0.  It can be enabled
2bfe48c 
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
2bfe48c 
not be used any more.  OpenVPN 2.4 and newer will always negotiate a stronger
2bfe48c 
cipher by default and older OpenVPN releases are no longer supported upstream.
2bfe48c
b931012 
---
b931012 
 distro/systemd/openvpn-server@.service.in | 2 +-
b931012 
 1 file changed, 1 insertion(+), 1 deletion(-)
b931012
b931012 
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
David Sommerseth ce20bc1 
index 6e8e7d9..6acbc8e 100644
b931012 
--- a/distro/systemd/openvpn-server@.service.in
b931012 
+++ b/distro/systemd/openvpn-server@.service.in
9386b34 
@@ -10,7 +10,7 @@
b931012 
 Type=notify
b931012 
 PrivateTmp=true
b931012 
 WorkingDirectory=/etc/openvpn/server
b931012 
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
9386b34 
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
David Sommerseth ce20bc1 
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
b931012 
 LimitNPROC=10
b931012 
 DeviceAllow=/dev/null rw
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.