[Openvpn-devel] [PATCH] Del ipv6 addr on close of linux tun interface
When a linux tun interface is closed (e.g. on disconnect) an optional ipv6 addr that was previously set is deleted now. Without this patch a later reconnect would fail with 'Linux ip -6 addr add failed: external program exited with error status: 2' and openvpn would exit. --- src/openvpn/tun.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c old mode 100644 new mode 100755 index ba4b15e..8a2bccc --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1687,6 +1687,32 @@ close_tun (struct tuntap *tt) argv_msg (M_INFO, &argv); openvpn_execve_check (&argv, NULL, 0, "Linux ip addr del failed"); +if (tt->ipv6 && tt->did_ifconfig_ipv6_setup) + { +const char * ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc); + +#ifdef ENABLE_IPROUTE +argv_printf (&argv, "%s -6 addr del %s/%d dev %s", +iproute_path, +ifconfig_ipv6_local, +tt->netbits_ipv6, +tt->actual_name +); +argv_msg (M_INFO, &argv); +openvpn_execve_check (&argv, NULL, 0, "Linux ip -6 addr del failed"); +#else +argv_printf (&argv, +"%s %s del %s/%d", +IFCONFIG_PATH, +tt->actual_name, +ifconfig_ipv6_local, +tt->netbits_ipv6 +); +argv_msg (M_INFO, &argv); +openvpn_execve_check (&argv, NULL, 0, "Linux ifconfig inet6 del failed"); +#endif + } + argv_reset (&argv); gc_free (&gc); } -- tg: (b8ae847..) c/0007/del_ipv6_on_close (depends on: c/0006/override_common_name)
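Review bot: the `old mode 100644` / `new mode 100755` header makes src/openvpn/tun.c executable, which has nothing to do with the fix; drop the mode change (regenerate the patch after restoring the file to 0644) so the commit carries only the ipv6 `addr del` hunk. The hunk itself mirrors the existing IPv4 teardown: it is guarded by `tt->ipv6 && tt->did_ifconfig_ipv6_setup`, reuses `argv` and `gc` before the existing `argv_reset`/`gc_free`, and covers both the ENABLE_IPROUTE (`ip -6 addr del`) and ifconfig (`ifconfig <dev> del <addr>/<bits>`) paths, which is what the commit message promises.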
Re: [Openvpn-devel] Windows build fix for CVE-2015-4000
On 06/25/2015 10:46 AM, Jan Just Keijser wrote:
> Joseph S. Testa II wrote:
>> Hi all,
>>
>> I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et al., as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the advisory came out two weeks ago, so I thought I'd ask.
>
> I think you're referring to the logjam bug. We had a short discussion on this on May 21st when the vulnerability was announced: the main gist of this vulnerability is to use DH param files (on the server) that are at least 1024, preferably 2048 or even 3072 bits in length. As Steffan wrote:
>
> 1) OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024-bit DH keys (updated to 2048 recently), and although 1024-bit dh params *can* be broken, that is still *very* expensive. Probably too expensive for your data if you don't share the group with others.
>
> 2) OpenVPN's tls-auth feature can prevent the downgrade attack on TLS from happening (but only if you use tls-auth, of course).
>
> Still, use DH params of at least 2048 bits, please! Upgrading is easy and only needs a change on the server. Generate new params using e.g.:
>
>   openssl dhparam -out dh3072.pem 3072
>
> update your server config to use this file:
>
>   dh dh3072.pem
>
> and restart the server.
>
> So, in view of this I don't think a rebuild of the client is in order, as this bug can be easily circumvented (server-side) by using the appropriate DH file.
>
> HTH,
>
> JJK

Thanks for the info. How about the other CVEs listed in that OpenSSL advisory? I'm not able to tell if they're an issue in conjunction with OpenVPN. Has anyone done a review on them as well?

- Joe
Re: [Openvpn-devel] Windows build fix for CVE-2015-4000
Joseph S. Testa II wrote:
> Hi all,
>
> I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et al., as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the advisory came out two weeks ago, so I thought I'd ask.

I think you're referring to the logjam bug. We had a short discussion on this on May 21st when the vulnerability was announced: the main gist of this vulnerability is to use DH param files (on the server) that are at least 1024, preferably 2048 or even 3072 bits in length. As Steffan wrote:

1) OpenVPN encourages users to generate their own DH-group using 'openssl dhparam', instead of using common groups. The man page / examples used to provide 1024-bit DH keys (updated to 2048 recently), and although 1024-bit dh params *can* be broken, that is still *very* expensive. Probably too expensive for your data if you don't share the group with others.

2) OpenVPN's tls-auth feature can prevent the downgrade attack on TLS from happening (but only if you use tls-auth, of course).

Still, use DH params of at least 2048 bits, please! Upgrading is easy and only needs a change on the server. Generate new params using e.g.:

  openssl dhparam -out dh3072.pem 3072

update your server config to use this file:

  dh dh3072.pem

and restart the server.

So, in view of this I don't think a rebuild of the client is in order, as this bug can be easily circumvented (server-side) by using the appropriate DH file.

HTH,

JJK
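A defender-side check for the server-side mitigation JJK describes above (and as quoted in Joe's follow-up): parse the file named by the `dh` directive of an OpenVPN server config and confirm the group's prime is at least 2048 bits, without shelling out to openssl. This is an added example, not OpenVPN project code; the DER reader covers only the PKCS#3 DHParameter layout, and `make_dh_pem` is a hypothetical helper that builds a constructed PEM for testing (its `p` is a size placeholder, not a safe prime).

```python
import base64
import re

def _der_len(n):  # encode a DER length, short or long form
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _read_len(buf, i):  # decode DER length at buf[i] -> (length, next index)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def make_dh_pem(p, g=2):
    """Constructed 'DH PARAMETERS' PEM for testing only; p need not be prime."""
    def der_int(n):  # extra leading 0x00 keeps the INTEGER positive
        b = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return b"\x02" + _der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % wrapped

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 DH PARAMETERS PEM: SEQUENCE { p INT, g INT }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def audit_server_config(config_text, read_file, minimum_bits=2048):
    """Check the 'dh <file>' directive of an OpenVPN server config; read_file(path) -> PEM text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] == "dh":
            bits = dh_prime_bits(read_file(parts[1]))
            return {"file": parts[1], "bits": bits, "ok": bits >= minimum_bits}
    return {"file": None, "bits": 0, "ok": False}  # no dh directive at all
```

Point `read_file` at a real loader (e.g. `lambda p: open(p).read()`) to audit a live server.conf; a result with `ok` False means the server still offers a group smaller than the 2048-bit minimum the thread recommends.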
[Openvpn-devel] Windows build fix for CVE-2015-4000
Hi all,

I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et al., as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the advisory came out two weeks ago, so I thought I'd ask.

Thanks,

- Joe