From 3a2bbdb05ca6a6996e424c9fb225cb0d53804125 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta
Date: Tue, 27 Dec 2016 18:25:47 +0100
Subject: New upstream version 2.4.0
---
 doc/Makefile.am | 2 +-
 doc/Makefile.in | 4 ++--
 doc/management-notes.txt | 9 +++++----
 doc/openvpn.8 | 38 ++++++++++++++++++++++++++------------
 4 files changed, 34 insertions(+), 19 deletions(-)
(limited to 'doc')
diff --git a/doc/Makefile.am b/doc/Makefile.am
index d33e1ed..dedd1fa 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -5,7 +5,7 @@
 # packet encryption, packet authentication, and
 # packet compression.
 #
-# Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
+# Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
 # Copyright (C) 2006-2012 Alon Bar-Lev
 #
diff --git a/doc/Makefile.in b/doc/Makefile.in
index 1282a54..b0998a0 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.13.4 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -21,7 +21,7 @@
 # packet encryption, packet authentication, and
 # packet compression.
 #
-# Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
+# Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
 # Copyright (C) 2006-2012 Alon Bar-Lev
 #
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index dd870eb..29c3aad 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -773,8 +773,9 @@ via a notification as follows:
 >RSA_SIGN:[BASE64_DATA]
-The management interface client should then sign BASE64_DATA
-using the private key and return the SSL signature as follows:
+The management interface client should then create a PKCS#1 v1.5 signature of
+the (decoded) BASE64_DATA using the private key and return the SSL signature as
+follows:
 rsa-sig
 [BASE64_SIG_LINE]
@@ -783,8 +784,8 @@ rsa-sig
 .
 END
-Base64 encoded output of RSA_sign(NID_md5_sha1,... will provide a
-correct signature.
+Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign()
+(mbed TLS) will provide a correct signature.
 This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface.
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index e61b6bb..7bd6d9d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4,7 +4,7 @@
 .\" packet encryption, packet authentication, and
 .\" packet compression.
 .\"
-.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc.
+.\" Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
 .\"
 .\" This program is free software; you can redistribute it and/or modify
 .\" it under the terms of the GNU General Public License version 2
@@ -2793,7 +2793,7 @@ expands as follows:
 if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool:
- ifconfig\-pool 10.8.0.2 10.8.0.254 255.255.255.0
+ ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0
 push "route\-gateway 10.8.0.1" if route\-gateway unset: route\-gateway 10.8.0.2
@@ -2989,10 +2989,6 @@ IV_LZO_STUB=1 -- if client was built with LZO stub capability
 IV_LZ4=1 -- if the client supports LZ4 compressions.
-IV_RGI6=1 -- if the client supports
-.B \-\-redirect\-gateway
-for ipv6
-
 IV_PROTO=2 -- if the client supports peer-id floating mechansim
 IV_NCP=2 -- negotiable ciphers, client supports
@@ -4399,6 +4395,10 @@ This option only makes sense when replay protection is enabled
 .\"*********************************************************
 .TP
 .B \-\-no\-iv
+
+.B DEPRECATED
+This option will be removed in OpenVPN 2.5.
+
 (Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less
@@ -4571,8 +4571,10 @@ public.
 .B \-\-ecdh\-curve name
 Specify the curve to use for elliptic curve Diffie Hellman. Available curves can be listed with
-.B \-\-show\-curves
-. The specified curve will only be used for ECDH TLS-ciphers.
+.BR \-\-show\-curves .
+The specified curve will only be used for ECDH TLS-ciphers.
+
+This option is not supported in mbed TLS builds of OpenVPN.
 .\"*********************************************************
 .TP
 .B \-\-cert file
@@ -4870,11 +4872,18 @@ such as TCP expect this role to be left to them.
 .B \-\-reneg\-bytes n
 Renegotiate data channel key after
 .B n
-bytes sent or received (disabled by default).
+bytes sent or received (disabled by default with an exception, see below).
 OpenVPN allows the lifetime of a key
-to be expressed as a number of bytes encrypted/decrypted, a number of packets, or
-a number of seconds. A key renegotiation will be forced
+to be expressed as a number of bytes encrypted/decrypted, a number of packets,
+or a number of seconds. A key renegotiation will be forced
 if any of these three criteria are met by either peer.
+
+If using ciphers with cipher block sizes less than 128-bits, \-\-reneg\-bytes is
+set to 64MB by default, unless it is explicitly disabled by setting the value to
+0, but this is
+.B HIGHLY DISCOURAGED
+as this is designed to add some protection against the SWEET32 attack vector.
+For more information see the \-\-cipher option.
 .\"*********************************************************
 .TP
 .B \-\-reneg\-pkts n
@@ -5023,6 +5032,11 @@ key file used with
 .B \-\-tls\-auth
 gives a peer nothing more than the power to initiate a TLS handshake. It is not used to encrypt or authenticate any tunnel data.
+
+Use
+.B \-\-tls\-crypt
+instead if you want to use the key file to not only authenticate, but also
+encrypt the TLS control channel.
 .\"*********************************************************
 .TP
 .B \-\-tls\-crypt keyfile
@@ -5594,7 +5608,7 @@ virtual DHCP server address. In
 .B \-\-dev tun
 mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is
-an integer which is > \-256 and < 256 and which defaults to 0.
+an integer which is > \-256 and < 256 and which defaults to -1.
 If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP
-- 
cgit v1.2.3