-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A new version of OpenVPN-NL is available on the OpenVPN-NL site [1].
This version fixes a few small issues reported by the community, and
includes support for the random number generator introduced in
PolarSSL v1.1.0 [2]. Aside from these technical changes, the
deployment advisory has been updated with a new section on virtual
machines. Details of these changes will be given in the next few sections.
Due to the improvements in the random number generator, we strongly
recommend that you upgrade to the new version of OpenVPN-NL.
New PolarSSL RNG
- ----------------
In response to security concerns, PolarSSL has introduced a new random
number generator. It consists of two parts: an entropy gathering
function, which accumulates and mixes input from a number of entropy
sources, and a front-end deterministic random bit generator (DRBG)
based on NIST SP 800-90 [3]. The DRBG only ever produces output from
state that was seeded (and is periodically reseeded) by the entropy
gathering function, so the quality of the output depends on the quality
and amount of entropy fed in.
OpenVPN-NL uses a combination of the existing HAVEGE random number
generator and the platform entropy device (e.g. /dev/random on Linux,
CryptoAPI on Windows) as entropy sources. Two new OpenVPN-NL command
line options have been introduced to allow users to tune the new RNG:
- min-platform-entropy: On Linux, sets the minimum number of bytes to
read from /dev/random each time the DRBG is seeded or reseeded. As
/dev/random is blocking, setting this too high can cause OpenVPN-NL to
block when not enough platform entropy is available; setting it too
low reduces the amount of fresh platform entropy mixed in per reseed.
The deployment advisory recommends the use of at least 10 bytes. The
default is 16 bytes.
- use-prediction-resistance: Enables prediction resistance according
to the NIST standard [3]: the DRBG reseeds from the entropy sources
before every request for output, instead of only after a fixed number
of requests. Each such reseed reads min-platform-entropy bytes from
the platform device, so this should only be enabled if enough platform
entropy is available; otherwise the option turns every request for
random data into a potentially blocking read. Enabling this option is
recommended in the deployment advisory. The default is to disable
prediction resistance.
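The following is an added example (not code from OpenVPN-NL or PolarSSL) that shows, in Python, how the two parts of the new RNG fit together and why the two options interact: an entropy gathering function that reads at least `min_platform_entropy` bytes from a blocking platform source and mixes them with a fast HAVEGE-like source, feeding an HMAC_DRBG (NIST SP 800-90A, section 10.1.2) with an optional prediction-resistance flag. The platform device is modelled by a constructed, finite byte pool whose exhaustion raises `BlockingIOError`, standing in for a blocking read of /dev/random; the class and function names, the constructed seeds and the pool contents are all assumptions made for the example.

```python
import hashlib
import hmac

OUTLEN = 32  # SHA-256 output length, the DRBG's internal block size


class PlatformEntropySource:
    """Stand-in for the blocking platform device (/dev/random on Linux).
    The pool is a constructed byte string, not real entropy; reading more
    than is available raises BlockingIOError to model a blocking read."""

    def __init__(self, pool: bytes):
        self.pool = pool

    def read(self, nbytes: int) -> bytes:
        if nbytes > len(self.pool):
            raise BlockingIOError("platform entropy exhausted: read would block")
        out, self.pool = self.pool[:nbytes], self.pool[nbytes:]
        return out


class FastEntropySource:
    """Stand-in for a non-blocking source such as HAVEGE (constructed hash
    chain, not real entropy; it never blocks)."""

    def __init__(self, seed: bytes):
        self.state = seed

    def read(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:nbytes]


def gather_entropy(platform, fast, min_platform_entropy: int) -> bytes:
    """Entropy gathering function (assumed shape, simplified): read at least
    min_platform_entropy bytes from the platform device, mix with the fast
    source and condense the result with SHA-256."""
    platform_bytes = platform.read(min_platform_entropy)
    fast_bytes = fast.read(OUTLEN)
    return hashlib.sha256(platform_bytes + fast_bytes).digest()


class HmacDrbg:
    """HMAC_DRBG with SHA-256 as specified in NIST SP 800-90A, section 10.1.2."""

    def __init__(self, entropy_fn, nonce=b"", personalization=b"",
                 prediction_resistance=False, reseed_interval=10000):
        self.entropy_fn = entropy_fn
        self.prediction_resistance = prediction_resistance
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_fn() + nonce + personalization)  # Instantiate
        self.reseed_counter = 1
        self.reseeds = 0  # bookkeeping for the example only

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: the second round only runs when data was supplied.
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, additional_input: bytes = b"") -> None:
        self._update(self.entropy_fn() + additional_input)
        self.reseed_counter = 1
        self.reseeds += 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        # Prediction resistance forces a reseed (and thus a platform read)
        # before every output request; otherwise reseed only at the interval.
        if self.prediction_resistance or self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)
            additional_input = b""
        elif additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


def make_drbg(pool: bytes, min_platform_entropy: int, prediction_resistance: bool):
    platform = PlatformEntropySource(pool)
    fast = FastEntropySource(b"constructed havege seed")
    return HmacDrbg(lambda: gather_entropy(platform, fast, min_platform_entropy),
                    nonce=b"nonce", personalization=b"OpenVPN-NL example",
                    prediction_resistance=prediction_resistance)


def demo():
    """Returns (same, reseeds, blocked): identical entropy gives identical
    output; with prediction resistance every generate() reseeds, and a
    64-byte pool read 16 bytes at a time is exhausted after instantiate
    plus three requests, so the fourth request blocks."""
    pool = bytes(range(64))  # constructed stand-in for /dev/random content
    same = make_drbg(pool, 16, False).generate(32) == make_drbg(pool, 16, False).generate(32)
    pr = make_drbg(pool, 16, True)
    for _ in range(3):
        pr.generate(32)
    try:
        pr.generate(32)
        blocked = False
    except BlockingIOError:
        blocked = True
    return same, pr.reseeds, blocked
```

Run `demo()` to see the trade-off the two options describe: with `prediction_resistance=True` each `generate()` costs `min_platform_entropy` bytes of the platform pool, which is exactly why the advisory pairs the recommendation to enable it with the recommendation to feed the system pool from a hardware RNG or an entropy daemon.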
New deployment advisory
- -----------------------
The deployment advisory has been updated to v1.2. This version adds a
new paragraph on the use of OpenVPN-NL in virtual environments and on
concentrators:
"Users are advised to use hardware random number generators or entropy
gathering daemons via the interfaces and conventions that the host
offers. These feed into the system entropy pool. This is recommended
on concentrators and systems that run in virtual environments.
Enabling the use-prediction-resistance configuration option is
recommended. Note that this may deplete kernel entropy sources more
quickly. Users are advised not to adjust the configuration option
min-platform-entropy below the value 10."
Minor bug fixes
- ---------------
- Fixed a bug in the certificate serial number passed to scripts: in
some situations the last digit of the serial number was dropped, so a
script comparing serial numbers could see a truncated value.
- Disabled non-blocking connect() in the Windows build, which fixes the
broken TCP connection behaviour on Windows.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAEBCAAGBQJPOiyPAAoJED0YDGtLy/yg4DwH/2SU8WKE1UuzFaMDquQPYGiJ
0HJXmnMXbpP4TTDTapmjObu0xcHpnG7r0tP9CcGA79LKjNEA35GMgThaWoeyHQDK
93+cCNYZHY+kKEWaMWKJ7O0sO0wsaQ8YpNTHMh07qqX5e7IwdpZBTYDW+hLVwi2z
fmRQ9jszkHLgFjenOGIGIiHLBR+VQbljRx5iWMiIz4Dyd3YRsfoMObykWxdftQ8W
w/TIQb4lW+mpOjLdSTwwrwBTNlwf7jK0CBTCEf0RvDER/9VXDzmcR5pvSsA1OzFe
y/xxI/0ptvdtjaYlol3d682yPCar0UjKBidtWpqUR/zyq/dAujY6YDUI7ScNNlY=
=qWLz
-----END PGP SIGNATURE-----