diff options
author | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
commit | 749384a154025e268b53cf3cc79eaeddde2b3ceb (patch) | |
tree | 27baa9e6aec76635d750405d90cd461440a656d1 /doc | |
parent | db4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff) |
initial stretch branch release 2.4.0-6
Diffstat (limited to 'doc')
-rw-r--r-- | doc/Makefile.in | 30 | ||||
-rw-r--r-- | doc/openvpn.8 | 128 |
2 files changed, 34 insertions, 124 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in index fad3a11..b0998a0 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -26,17 +26,7 @@ # VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -101,6 +91,8 @@ build_triplet = @build@ host_triplet = @host@ @WIN32_TRUE@am__append_1 = openvpn.8 subdir = doc +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -111,8 +103,6 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \ - $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h @@ -172,7 +162,6 @@ MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README.plugins openvpn.8 DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -221,7 +210,6 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ @@ -270,7 +258,6 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ @@ -283,14 +270,12 @@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ -SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ -TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ @@ -347,9 +332,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ -systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ -tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ @@ -378,6 +361,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign doc/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -648,8 +632,6 @@ uninstall-man: uninstall-man8 ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-man uninstall-man8 uninstall-nodist_htmlDATA -.PRECIOUS: Makefile - @WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8 @WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 56c0f7a..7bd6d9d 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -15,9 +15,10 @@ .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" -.\" You should have received a copy of the GNU General Public License along -.\" with this program; if not, write to the Free Software Foundation, Inc., -.\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +.\" You should have received a copy of the GNU General Public License +.\" along with this program (see the file COPYING included with this +.\" distribution); if not, write to the Free Software Foundation, Inc., +.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA .\" .\" Manual page for openvpn .\" @@ -326,7 +327,7 @@ http\-proxy 192.168.0.8 8080 persist\-key persist\-tun pkcs12 client.p12 -remote\-cert\-tls server +ns\-cert\-type server verb 3 .in -4 .ft @@ -2711,34 +2712,6 @@ to the module initialization function. Multiple plugin modules may be loaded into one OpenVPN process. -The -.B module-pathname -argument can be just a filename or a filename with a relative -or absolute path. The format of the filename and path defines -if the plug-in will be loaded from a default plug-in directory -or outside this directory. - -.nf -.ft 3 -.in +4 -.B \-\-plugin path\ \ \ \ \ \ \ \ Effective directory used -==================================================== - myplug.so DEFAULT_DIR/myplug.so - subdir/myplug.so DEFAULT_DIR/subdir/myplug.so - ./subdir/myplug.so CWD/subdir/myplug.so - /usr/lib/my/plug.so /usr/lib/my/plug.so -.in -4 -.fi - -DEFAULT_DIR is replaced by the default plug-in directory, -which is configured at the build time of OpenVPN. CWD is the -current directory where OpenVPN was started or the directory -OpenVPN have swithed into via the -.B \-\-cd -option before the -.B \-\-plugin -option. - For more information and examples on how to build OpenVPN plug-in modules, see the README file in the .B plugin @@ -3996,8 +3969,9 @@ See management\-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. .\"********************************************************* .TP -\fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR -When connecting to a remote server do not wait for more than +.B \-\-server\-poll\-timeout n +.B \-\-connect\-timeout n +when connecting to a remote server do not wait for more than .B n seconds waiting for a response before trying the next server. The default value is 120s. This timeout includes proxy and TCP @@ -4694,27 +4668,15 @@ and Not available with PolarSSL. .\"********************************************************* .TP -.B \-\-verify\-hash hash [algo] -Specify SHA1 or SHA256 fingerprint for level-1 cert. The level-1 cert is the +.B \-\-verify\-hash hash +Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the CA (or intermediate cert) that signs the leaf certificate, and is one removed from the leaf certificate in the direction of the root. When accepting a connection from a peer, the level-1 cert fingerprint must match .B hash or certificate verification will fail. Hash is specified -as XX:XX:... For example: - -.nf -.ft 3 -.in +4 -AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 -.in -4 -.ft -.fi - -The -.B algo -flag can be either SHA1 or SHA256. If not provided, it defaults to SHA1. +as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 .\"********************************************************* .TP .B \-\-pkcs11\-cert\-private [0|1]... @@ -5102,29 +5064,6 @@ In contrast to .B \-\-tls\-crypt does *not* require the user to set .B \-\-key\-direction\fR. - -.B Security Considerations - -All peers use the same -.B \-\-tls-crypt -pre-shared group key to authenticate and encrypt control channel messages. To -ensure that IV collisions remain unlikely, this key should not be used to -encrypt more than 2^48 client-to-server or 2^48 server-to-client control -channel messages. A typical initial negotiation is about 10 packets in each -direction. Assuming both initial negotiation and renegotiations are at most -2^16 (65536) packets (to be conservative), and (re)negotiations happen each -minute for each user (24/7), this limits the tls\-crypt key lifetime to 8171 -years divided by the number of users. So a setup with 1000 users should rotate -the key at least once each eight years. (And a setup with 8000 users each -year.) - -If IV collisions were to occur, this could result in the security of -.B \-\-tls\-crypt -degrading to the same security as using -.B \-\-tls\-auth\fR. -That is, the control channel still benefits from the extra protection against -active man-in-the-middle-attacks and DoS attacks, but may no longer offer -extra privacy and post-quantum security on top of what TLS itself offers. .\"********************************************************* .TP .B \-\-askpass [file] @@ -5308,8 +5247,6 @@ option will match against the chosen .B fieldname instead of the Common Name. -Only the subjectAltName and issuerAltName X.509 extensions are supported. - .B Please note: This option has a feature which will convert an all-lowercase .B fieldname @@ -5377,11 +5314,7 @@ as X509_<depth>_<attribute>=<value>. Multiple options can be defined to track multiple attributes. .\"********************************************************* .TP -.B \-\-ns\-cert\-type client|server (DEPRECATED) -This option is deprecated. Use the more modern equivalent -.B \-\-remote\-cert\-tls -instead. This option will be removed in OpenVPN 2.5. - +.B \-\-ns\-cert\-type client|server Require that peer certificate was signed with an explicit .B nsCertType designation of "client" or "server". @@ -5408,25 +5341,15 @@ or .B \-\-tls\-verify. .\"********************************************************* .TP -.B \-\-remote\-cert\-ku [v...] +.B \-\-remote\-cert\-ku v... Require that peer certificate was signed with an explicit .B key usage. -If present in the certificate, the keyUsage value is validated by the TLS -library during the TLS handshake. Specifying this option without arguments -requires this extension to be present (so the TLS library will verify it). - -If the list -.B v... -is also supplied, the keyUsage field must have -.B at least -the same bits set as the bits in -.B one of -the values supplied in the list -.B v... +This is a useful security option for clients, to ensure that +the host they connect to is a designated server. -The key usage values in the list must be encoded in hex, e.g. -"\-\-remote\-cert\-ku a0" +The key usage should be encoded in hex, more than one key +usage can be specified. .\"********************************************************* .TP .B \-\-remote\-cert\-eku oid @@ -5447,21 +5370,24 @@ and .B extended key usage based on RFC3280 TLS rules. -This is a useful security option for clients, to ensure that the host they -connect to is a designated server. Or the other way around; for a server to -verify that only hosts with a client certificate can connect. +This is a useful security option for clients, to ensure that +the host they connect to is a designated server. The .B \-\-remote\-cert\-tls client option is equivalent to .B -\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Client Authentication" +\-\-remote\-cert\-ku 80 08 88 \-\-remote\-cert\-eku "TLS Web Client Authentication" + +The key usage is digitalSignature and/or keyAgreement. The .B \-\-remote\-cert\-tls server option is equivalent to .B -\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication" +\-\-remote\-cert\-ku a0 88 \-\-remote\-cert\-eku "TLS Web Server Authentication" + +The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). This is an important security precaution to protect against a man-in-the-middle attack where an authorized client @@ -5893,7 +5819,9 @@ flag. .TP .B \-\-dhcp\-release Ask Windows to release the TAP adapter lease on shutdown. -This option has no effect now, as it is enabled by default starting with version 2.4.1. +This option has the same caveats as +.B \-\-dhcp\-renew +above. .\"********************************************************* .TP .B \-\-register\-dns |