diff --git a/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
new file mode 100644
index 0000000..14a16ac
--- /dev/null
+++ b/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
@@ -0,0 +1,32 @@
+From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
+From: David Sommerseth
+Date: Tue, 4 Jul 2017 16:06:24 +0200
+Subject: [PATCH] Change the default cipher to AES-256-GCM for server
+ configurations
+
+This change makes the server use AES-256-GCM instead of BF-CBC as the default
+cipher for the VPN tunnel. To avoid breaking existing running configurations
+defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
+the BF-CBC in addition to AES-CBC. This makes it possible to migrate
+existing older client configurations one-by-one to use at least AES-CBC unless
+the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
+---
+ distro/systemd/openvpn-server@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index 9a8a2c7..0ecda08 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+--
+2.11.0
+
diff --git a/openvpn.spec b/openvpn.spec
index ae3e6fc..1f2f116 100644
--- a/openvpn.spec
+++ b/openvpn.spec
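Review bot: The new ExecStart line keeps BF-CBC at the end of `--ncp-ciphers`, so a 64-bit block cipher stays negotiable and the server will still complete a BF-CBC session whenever negotiation lands on it; the description presents this as a migration aid, but nothing in the patch records when that entry is meant to be dropped, which is the kind of exception that tends to outlive its reason. A short comment above ExecStart in the unit template, `# BF-CBC is kept in --ncp-ciphers only to let legacy clients connect; remove once clients are migrated`, would make the intent and its expiry visible to whoever maintains the unit. The cipher options are placed before `--config %i.conf`, so a `cipher` or `ncp-ciphers` line in the per-instance .conf presumably takes precedence over these defaults — worth stating explicitly in the packaged documentation so administrators know the unit defaults are overridable rather than enforced.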
@@ -7,7 +7,7 @@ Name: openvpn
 Version: 2.4.3
-Release: 3%{?prerelease:.%{prerelease}}%{?dist}
+Release: 4%{?prerelease:.%{prerelease}}%{?dist}
 Summary: A full-featured SSL VPN solution
 URL: https://community.openvpn.net/
 Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
@@ -17,6 +17,7 @@ Source3: roadwarrior-client.conf
 Source4: README.systemd
 # Upstream signing key
 Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
 License: GPLv2
 Group: Applications/Internet
 BuildRequires: systemd-devel
@@ -67,6 +68,7 @@ to similar features as the various script-hooks.
 %prep
 gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
+%patch1 -p1 -b .ch_default_cipher
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
@@ -184,6 +186,9 @@ getent passwd openvpn &>/dev/null || \
 %changelog
+* Fri Aug 4 2017 David Sommerseth - 2.4.3-4
+- Change to AES-GCM as the default cipher for server configurations
+
 * Thu Aug 03 2017 Fedora Release Engineering - 2.4.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
@@ -193,7 +198,7 @@ getent passwd openvpn &>/dev/null || \
 * Wed Jun 21 2017 David Sommerseth - 2.4.3-1
 - Updating to upstream openvpn-2.4.3
 - Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
-- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-752
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
 - Fix potential double-free in --x509-alt-username {CVE-2017-7521}
 - Fix remote-triggerable memory leaks {CVE-2017-7521}
 - Ensure OpenVPN systemd services are restarted upon upgrades
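Review bot: `%patch1 -p1 -b .ch_default_cipher` in the %prep hunk leaves a backup copy of the service template next to the patched file; how the unit files are installed is not visible here, so it is worth confirming that a glob-based install cannot pick up the backup, or simply dropping `-b` since the backup serves no purpose in a build. The Patch1 declaration in the earlier hunk carries no explanation that this is a downstream change to the server unit's cipher defaults; a comment above it such as `# Downstream: server unit defaults to AES-256-GCM, BF-CBC kept negotiable only for client migration` would tell the next packager why it exists and when it can go. README.systemd (Source4) is shipped with the package but this change does not touch it, so administrators have nowhere to learn that the unit now passes `--cipher` and `--ncp-ciphers` ahead of `--config %i.conf` or how their own .conf settings interact with those defaults.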