Browse Source

initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 2 years ago
commit
48d3bdb32b
  1. 225
      SOURCES/0001-Allow-running-a-default-configuration-with-TLS-libra.patch
  2. 38
      SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
  3. BIN
      SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
  4. 9
      SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch
  5. 38
      SOURCES/roadwarrior-client.conf
  6. 67
      SOURCES/roadwarrior-server.conf
  7. 377
      SPECS/openvpn.spec

225
SOURCES/0001-Allow-running-a-default-configuration-with-TLS-libra.patch

@ -0,0 +1,225 @@
From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Fri, 3 Jun 2022 11:52:19 +0200
Subject: [PATCH] Allow running a default configuration with TLS libraries
without BF-CBC

Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.

This patch is cherry-picked from 79ff3f79 and the missing
ciphername = "none"; has been added in the OCC code.

Due to uncrustify complains, a few extra whitespace fixes had to be
done to options.c.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/crypto_backend.h | 2 ++
src/openvpn/init.c | 37 ++++++++++++++++-----
src/openvpn/options.c | 62 ++++++++++++++++++++++++++++--------
3 files changed, 80 insertions(+), 21 deletions(-)

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index a9bb38ed..aebda3d6 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
* The returned name is normalised to the OpenVPN config name in case the
* name differs from the name used by the crypto library.
*
+ * Returns [null-cipher] in case the cipher_kt is NULL.
+ *
* @param cipher_kt Static cipher parameters
*
* @return a statically allocated string describing the cipher.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index da4d60af..b1b7b350 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c)
#endif /* if P2MP */
}
- /* Do not warn if we only have BF-CBC in options->ciphername
- * because it is still the default cipher */
- bool warn = !streq(options->ciphername, "BF-CBC")
- || options->enable_ncp_fallback;
- /* Get cipher & hash algorithms */
- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
- options->keysize, true, warn);
-
+ /*
+ * BF-CBC is allowed to be used only when explicitly configured
+ * as NCP-fallback or when NCP has been disabled or explicitly
+ * allowed in the in ncp_ciphers list.
+ * In all other cases do not attempt to initialize BF-CBC as it
+ * may not even be supported by the underlying SSL library.
+ *
+ * Therefore, the key structure has to be initialized when:
+ * - any non-BF-CBC cipher was selected; or
+ * - BF-CBC is selected and NCP is disabled (explicit request to
+ * use the BF-CBC cipher); or
+ * - BF-CBC is selected, NCP is enabled and fallback is enabled
+ * (BF-CBC will be the fallback).
+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
+ * If the negotiated cipher and options->ciphername are the
+ * same we do not reinit the cipher
+ *
+ * Note that BF-CBC will still be part of the OCC string to retain
+ * backwards compatibility with older clients.
+ */
+ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
+ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
+ || options->enable_ncp_fallback)
+ {
+ /* Do not warn if the if the cipher is used only in OCC */
+ bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->keysize, true, warn);
+ }
/* Initialize PRNG with config-specified digest */
prng_init(options->prng_hash, options->prng_nonce_secret_len);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f6ef02ae..2206d9f4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
#ifndef ENABLE_SMALL
static void
-show_dhcp_option_list(const char *name, const char * const*array, int len)
+show_dhcp_option_list(const char *name, const char *const *array, int len)
{
int i;
for (i = 0; i < len; ++i)
@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options,
if (options->mode == MODE_SERVER)
{
#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
#ifdef TARGET_ANDROID
msg(M_FATAL, "--mode server not supported on Android");
#endif
@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o)
if (!o->ncp_enabled)
{
msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
- "--data-ciphers-fallback config option");
+ "--data-ciphers-fallback config option");
}
msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
struct frame fake_frame = *frame;
struct key_type fake_kt;
- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
- false);
+
frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
+
+
+ /* o->ciphername might be BF-CBC even though the underlying SSL library
+ * does not support it. For this reason we workaround this corner case
+ * by pretending to have no encryption enabled and by manually adding
+ * the required packet overhead to the MTU computation.
+ */
+ const char *ciphername = o->ciphername;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ /* none has no overhead, so use this to later add only --auth
+ * overhead */
+
+ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
+ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
+ ciphername = "none";
+ }
+
+ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
+ false);
+
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
@@ -3853,18 +3874,33 @@ options_string(const struct options *o,
+ (TLS_SERVER == true)
<= 1);
- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
- false);
+ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
+ * to work here in the default configuration */
+ const char *ciphername = o->ciphername;
+ int keysize;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ init_key_type(&kt, "none", o->authname, o->keysize, true,
+ false);
+ keysize = 128;
+ }
+ else
+ {
+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+ ciphername = cipher_kt_name(kt.cipher);
+ keysize = kt.cipher_length * 8;
+ }
/* Only announce the cipher to our peer if we are willing to
* support it */
- const char *ciphername = cipher_kt_name(kt.cipher);
if (p2p_nopull || !o->ncp_enabled
|| tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
{
buf_printf(&out, ",cipher %s", ciphername);
}
buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
- buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
+ buf_printf(&out, ",keysize %d", keysize);
if (o->shared_secret_file)
{
buf_printf(&out, ",secret");
@@ -6168,9 +6204,9 @@ add_option(struct options *options,
}
}
#ifdef TARGET_LINUX
- else if (streq (p[0], "bind-dev") && p[1])
+ else if (streq(p[0], "bind-dev") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
options->bind_dev = p[1];
}
#endif
@@ -6248,7 +6284,7 @@ add_option(struct options *options,
{
int64_t val = atoll(p[2]);
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
- if ( options->inactivity_minimum_bytes > INT_MAX )
+ if (options->inactivity_minimum_bytes > INT_MAX)
{
msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
" >2 Gbyte was silently ignored in older versions. If "
@@ -8132,7 +8168,7 @@ add_option(struct options *options,
#endif
else if (streq(p[0], "providers") && p[1])
{
- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
{
options->providers.names[j] = p[j];
}
--
2.31.1

38
SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch

@ -0,0 +1,38 @@
From: David Sommerseth <dazo@eurephia.org>
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
configurations

This change makes the server use AES-256-GCM instead of BF-CBC as the default
cipher for the VPN tunnel. To avoid breaking existing running configurations
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)

[Update 2022-06-10]
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish
cipher is no longer available by default in OpenSSL 3.0. It can be enabled
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
cipher by default and older OpenVPN releases are no longer supported upstream.

---
distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
index 9a8a2c7..0ecda08 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
--
2.11.0

BIN
SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg

Binary file not shown.

9
SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch

@ -0,0 +1,9 @@
diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
index bb79671e..9258f5c6 100644
--- a/distro/systemd/tmpfiles-openvpn.conf
+++ b/distro/systemd/tmpfiles-openvpn.conf
@@ -1,2 +1,2 @@
-d /run/openvpn-client 0710 root root -
-d /run/openvpn-server 0710 root root -
+d /run/openvpn-client 0750 root openvpn -
+d /run/openvpn-server 0750 root openvpn -

38
SOURCES/roadwarrior-client.conf

@ -0,0 +1,38 @@
#########################################
# Sample client-side OpenVPN config file
# for connecting to multi-client server.
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#
# The server can be pinged at 10.8.0.1.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# tun-style tunnel

port 1194
dev tun
remote [my server hostname or IP address]

# TLS parms

tls-client
ca sample-keys/tmp-ca.crt
cert sample-keys/client.crt
key sample-keys/client.key

# This parm is required for connecting
# to a multi-client server. It tells
# the client to accept options which
# the server pushes to us.
pull

# Scripts can be used to do various
# things (change nameservers, for
# example.
#up scripts/ifup-post
#down scripts/ifdown-post

verb 4

67
SOURCES/roadwarrior-server.conf

@ -0,0 +1,67 @@
########################################
# Sample OpenVPN config file for
# 2.0-style multi-client udp server
#
# Adapted from http://openvpn.sourceforge.net/20notes.html
#
# tun-style tunnel

port 1194
dev tun

# Use "local" to set the source address on multi-homed hosts
#local [IP address]

# TLS parms
tls-server
ca sample-keys/tmp-ca.crt
cert sample-keys/server.crt
key sample-keys/server.key
dh sample-keys/dh1024.pem

# Tell OpenVPN to be a multi-client udp server
mode server

# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2

# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255

# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"

# Push any routes the client needs to get in
# to the local network.
push "route 192.168.0.0 255.255.255.0"

# Push DHCP options to Windows clients.
push "dhcp-option DOMAIN example.com"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option WINS 192.168.0.1"

# Client should attempt reconnection on link
# failure.
keepalive 10 60

# Delete client instances after some period
# of inactivity.
inactive 600

# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0

# The server doesn't need privileges
user openvpn
group openvpn

# Keep TUN devices and keys open across restarts.
persist-tun
persist-key

verb 4

377
SPECS/openvpn.spec

@ -0,0 +1,377 @@
%define _hardened_build 1

# Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long

Name: openvpn
Version: 2.5.7
Release: 2%{?dist}
Summary: A full-featured TLS VPN solution
URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz.asc
Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf
# Upstream signing key
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch2: 0001-Allow-running-a-default-configuration-with-TLS-libra.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2
BuildRequires: gnupg2
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: lzo-devel
BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pam-devel
BuildRequires: libselinux-devel
BuildRequires: libcmocka-devel
BuildRequires: systemd
BuildRequires: systemd-devel

%{?systemd_requires}
Requires(pre): /usr/sbin/useradd

%if 0%{?rhel} > 7 || 0%{?fedora} > 29
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif

# For the perl_default_filter macro
BuildRequires: perl-macros

# Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all.
%{?perl_default_filter}

%description
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.

%package devel
Summary: Development headers and examples for OpenVPN plug-ins

%description devel
OpenVPN can be extended through the --plugin option, which provides
possibilities to add specialized authentication, user accounting,
packet filtering and related features. These plug-ins need to be
written in C and provides a more low-level and information rich access
to similar features as the various script-hooks.


%prep
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}
%patch1 -p1 -b .ch_default_cipher
%patch2 -p1
%patch50 -p1

# %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \
-exec chmod a-x {} \;

%build
%configure \
--enable-silent-rules \
--with-crypto-library=openssl \
--enable-pkcs11 \
--enable-selinux \
--enable-systemd \
--enable-x509-alt-username \
--enable-async-push \
--docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir}
%{__make}

%check
# Test Crypto:
./src/openvpn/openvpn --genkey --secret key
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key

%if %{with tests_long}
# Randomize ports for tests to avoid conflicts on the build servers.
cport=$[ 50000 + ($RANDOM % 15534) ]
sport=$[ $cport + 1 ]
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
-e 's/^\(lport\) .*$/\1 '$cport'/' \
< sample/sample-config-files/loopback-client \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
-e 's/^\(lport\) .*$/\1 '$sport'/' \
< sample/sample-config-files/loopback-server \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server

pushd sample
# Test SSL/TLS negotiations (runs for 2 minutes):
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
wait
popd

rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
%endif

%install
%{__make} install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/

# Create some directories the OpenVPN package should own
mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}

# Package installs into %%{_pkgdocdir} directly
# Add various additional files
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}

# Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys

%pre
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
-d /etc/openvpn openvpn

%post
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_post $srv
done

%preun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_preun $srv
done

%postun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_postun_with_restart $srv
done


%files
%{_pkgdocdir}
%exclude %{_pkgdocdir}/README.IPv6
%exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name}
%{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service
%{_unitdir}/%{name}-server@.service
%{_tmpfilesdir}/%{name}.conf
%config %dir %{_sysconfdir}/%{name}/
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
%attr(0750,-,openvpn) %{_rundir}/%{name}-client
%attr(0750,-,openvpn) %{_rundir}/%{name}-server
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}

%files devel
%{_pkgdocdir}/sample/sample-plugins
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h


%changelog
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0

* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7

* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
- Fixes CVE-2022-0547

* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
- Fix systemd related scriptlet error (#1887984)

* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
- Rebuild of 2.5.5

* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
- Update to upstream OpenVPN 2.5.5 (#2032844)

* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
- Update to upstream OpenVPN 2.5.4
- Added new man page: openvpn-examples(5)

* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
- Rebuilt with OpenSSL 3.0.0

* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
- Update to upstream OpenVPN 2.5.3
- Fixes CVE-2021-3606

* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.

* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
- Update to upstream OpenVPN 2.5.1

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
- Update to upstream OpenVPN 2.5.0

* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
- Update to upstream OpenVPN 2.4.9

* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
- Rebuilt to be linked against latest lzo (RHBZ#1802299)

* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
- Updating to upstream OpenVPN 2.4.8

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
- Updating to upstream OpenVPN 2.4.7

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
- Updating to upstream, openvpn-2.4.6

* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
- Updating to upstream, openvpn-2.4.5
- Package upstream ChangeLog, which contains a bit more details than Changes.rst
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
added gcc to BuildRequires.
- Excluded not relevant file, README.mbedtls
- Package upstream version of README.systemd
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn

* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
- Fix systemd executions/requirements

* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
- Update to upstream openvpn-2.4.4
- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}

* Fri Aug 4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
- Updating to upstream openvpn-2.4.3
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades
- Verify PGP signature of source tarball as part of package building
- Build against system lz4 library

* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
- Install and take ownership of /var/lib/openvpn (rhbz#922786)

* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
- Updating to upstream openvpn-2.4.2
- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
- Re-enabling --enable-x509-alt-username (rhbz#1443942)
- Add --enable-selinux
- Build with lz4 library from Fedora

* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
- Splitting out -devel files into a separate package
- Removed several contrib and sample files which makes is not
strictly needed in this package.
- build: Enable tests runs by default, long running tests can
be disabled with "--without tests_long"
- build: Removed defined %%{plugins} macro not in use

* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
- Various cleanups
- Use systemd-rpm macros (rhbz #850257)
- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
- Added README.systemd describing new systemd unit files

* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
- Updating to upstream release, v2.4.1
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
- Removed no-functional ./configure options
- Use upstream tmfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files

* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
- Move to mbedtls to resolve FTBFS.
- Dropped, re-add once openvpn supports openssl 1.1.x
- --enable-pkcs11 \
- --enable-x509-alt-username \

* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
- 2.4.0.

Loading…
Cancel
Save