From 9683f890944ffb114f5f8214f694e0b339cf5a5a Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Thu, 22 Jun 2017 13:16:46 +0200 Subject: New upstream version 2.4.3 --- doc/Makefile.in | 30 ++++++++++--- doc/openvpn.8 | 128 +++++++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 124 insertions(+), 34 deletions(-) (limited to 'doc') diff --git a/doc/Makefile.in b/doc/Makefile.in index b0998a0..fad3a11 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -26,7 +26,17 @@ # VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -91,8 +101,6 @@ build_triplet = @build@ host_triplet = @host@ @WIN32_TRUE@am__append_1 = openvpn.8 subdir = doc -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(dist_man_MANS) $(dist_doc_DATA) $(am__dist_noinst_DATA_DIST) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ @@ -103,6 +111,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_doc_DATA) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h @@ -162,6 +172,7 @@ MANS = $(dist_man_MANS) am__dist_noinst_DATA_DIST = README.plugins openvpn.8 DATA = $(dist_doc_DATA) $(dist_noinst_DATA) $(nodist_html_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -210,6 +221,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ @@ -258,6 +270,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ @@ -270,12 +283,14 @@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ +SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ +TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ @@ -332,7 +347,9 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ +tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ @@ -361,7 +378,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign doc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign doc/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -632,6 +648,8 @@ uninstall-man: uninstall-man8 ps ps-am tags-am uninstall uninstall-am uninstall-dist_docDATA \ uninstall-man uninstall-man8 uninstall-nodist_htmlDATA +.PRECIOUS: Makefile + @WIN32_TRUE@openvpn.8.html: $(srcdir)/openvpn.8 @WIN32_TRUE@ $(MAN2HTML) < $(srcdir)/openvpn.8 > openvpn.8.html diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 7bd6d9d..56c0f7a 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -15,10 +15,9 @@ .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program (see the file COPYING included with this -.\" distribution); if not, write to the Free Software Foundation, Inc., -.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +.\" You should have received a copy of the GNU General Public License along +.\" with this program; if not, write to the Free Software Foundation, Inc., +.\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. .\" .\" Manual page for openvpn .\" @@ -327,7 +326,7 @@ http\-proxy 192.168.0.8 8080 persist\-key persist\-tun pkcs12 client.p12 -ns\-cert\-type server +remote\-cert\-tls server verb 3 .in -4 .ft @@ -2712,6 +2711,34 @@ to the module initialization function. Multiple plugin modules may be loaded into one OpenVPN process. +The +.B module-pathname +argument can be just a filename or a filename with a relative +or absolute path. The format of the filename and path defines +if the plug-in will be loaded from a default plug-in directory +or outside this directory. + +.nf +.ft 3 +.in +4 +.B \-\-plugin path\ \ \ \ \ \ \ \ Effective directory used +==================================================== + myplug.so DEFAULT_DIR/myplug.so + subdir/myplug.so DEFAULT_DIR/subdir/myplug.so + ./subdir/myplug.so CWD/subdir/myplug.so + /usr/lib/my/plug.so /usr/lib/my/plug.so +.in -4 +.fi + +DEFAULT_DIR is replaced by the default plug-in directory, +which is configured at the build time of OpenVPN. CWD is the +current directory where OpenVPN was started or the directory +OpenVPN have swithed into via the +.B \-\-cd +option before the +.B \-\-plugin +option. + For more information and examples on how to build OpenVPN plug-in modules, see the README file in the .B plugin @@ -3969,9 +3996,8 @@ See management\-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. .\"********************************************************* .TP -.B \-\-server\-poll\-timeout n -.B \-\-connect\-timeout n -when connecting to a remote server do not wait for more than +\fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR +When connecting to a remote server do not wait for more than .B n seconds waiting for a response before trying the next server. The default value is 120s. This timeout includes proxy and TCP @@ -4668,15 +4694,27 @@ and Not available with PolarSSL. .\"********************************************************* .TP -.B \-\-verify\-hash hash -Specify SHA1 fingerprint for level-1 cert. The level-1 cert is the +.B \-\-verify\-hash hash [algo] +Specify SHA1 or SHA256 fingerprint for level-1 cert. The level-1 cert is the CA (or intermediate cert) that signs the leaf certificate, and is one removed from the leaf certificate in the direction of the root. When accepting a connection from a peer, the level-1 cert fingerprint must match .B hash or certificate verification will fail. Hash is specified -as XX:XX:... For example: AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 +as XX:XX:... For example: + +.nf +.ft 3 +.in +4 +AD:B0:95:D8:09:C8:36:45:12:A9:89:C8:90:09:CB:13:72:A6:AD:16 +.in -4 +.ft +.fi + +The +.B algo +flag can be either SHA1 or SHA256. If not provided, it defaults to SHA1. .\"********************************************************* .TP .B \-\-pkcs11\-cert\-private [0|1]... @@ -5064,6 +5102,29 @@ In contrast to .B \-\-tls\-crypt does *not* require the user to set .B \-\-key\-direction\fR. + +.B Security Considerations + +All peers use the same +.B \-\-tls-crypt +pre-shared group key to authenticate and encrypt control channel messages. To +ensure that IV collisions remain unlikely, this key should not be used to +encrypt more than 2^48 client-to-server or 2^48 server-to-client control +channel messages. A typical initial negotiation is about 10 packets in each +direction. Assuming both initial negotiation and renegotiations are at most +2^16 (65536) packets (to be conservative), and (re)negotiations happen each +minute for each user (24/7), this limits the tls\-crypt key lifetime to 8171 +years divided by the number of users. So a setup with 1000 users should rotate +the key at least once each eight years. (And a setup with 8000 users each +year.) + +If IV collisions were to occur, this could result in the security of +.B \-\-tls\-crypt +degrading to the same security as using +.B \-\-tls\-auth\fR. +That is, the control channel still benefits from the extra protection against +active man-in-the-middle-attacks and DoS attacks, but may no longer offer +extra privacy and post-quantum security on top of what TLS itself offers. .\"********************************************************* .TP .B \-\-askpass [file] @@ -5247,6 +5308,8 @@ option will match against the chosen .B fieldname instead of the Common Name. +Only the subjectAltName and issuerAltName X.509 extensions are supported. + .B Please note: This option has a feature which will convert an all-lowercase .B fieldname @@ -5314,7 +5377,11 @@ as X509__=. Multiple options can be defined to track multiple attributes. .\"********************************************************* .TP -.B \-\-ns\-cert\-type client|server +.B \-\-ns\-cert\-type client|server (DEPRECATED) +This option is deprecated. Use the more modern equivalent +.B \-\-remote\-cert\-tls +instead. This option will be removed in OpenVPN 2.5. + Require that peer certificate was signed with an explicit .B nsCertType designation of "client" or "server". @@ -5341,15 +5408,25 @@ or .B \-\-tls\-verify. .\"********************************************************* .TP -.B \-\-remote\-cert\-ku v... +.B \-\-remote\-cert\-ku [v...] Require that peer certificate was signed with an explicit .B key usage. -This is a useful security option for clients, to ensure that -the host they connect to is a designated server. +If present in the certificate, the keyUsage value is validated by the TLS +library during the TLS handshake. Specifying this option without arguments +requires this extension to be present (so the TLS library will verify it). -The key usage should be encoded in hex, more than one key -usage can be specified. +If the list +.B v... +is also supplied, the keyUsage field must have +.B at least +the same bits set as the bits in +.B one of +the values supplied in the list +.B v... + +The key usage values in the list must be encoded in hex, e.g. +"\-\-remote\-cert\-ku a0" .\"********************************************************* .TP .B \-\-remote\-cert\-eku oid @@ -5370,24 +5447,21 @@ and .B extended key usage based on RFC3280 TLS rules. -This is a useful security option for clients, to ensure that -the host they connect to is a designated server. +This is a useful security option for clients, to ensure that the host they +connect to is a designated server. Or the other way around; for a server to +verify that only hosts with a client certificate can connect. The .B \-\-remote\-cert\-tls client option is equivalent to .B -\-\-remote\-cert\-ku 80 08 88 \-\-remote\-cert\-eku "TLS Web Client Authentication" - -The key usage is digitalSignature and/or keyAgreement. +\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Client Authentication" The .B \-\-remote\-cert\-tls server option is equivalent to .B -\-\-remote\-cert\-ku a0 88 \-\-remote\-cert\-eku "TLS Web Server Authentication" - -The key usage is digitalSignature and ( keyEncipherment or keyAgreement ). +\-\-remote\-cert\-ku \-\-remote\-cert\-eku "TLS Web Server Authentication" This is an important security precaution to protect against a man-in-the-middle attack where an authorized client @@ -5819,9 +5893,7 @@ flag. .TP .B \-\-dhcp\-release Ask Windows to release the TAP adapter lease on shutdown. -This option has the same caveats as -.B \-\-dhcp\-renew -above. +This option has no effect now, as it is enabled by default starting with version 2.4.1. .\"********************************************************* .TP .B \-\-register\-dns -- cgit v1.2.3