[OpenVPN-NL] OpenVPN-NL 2.4.4-nl1 released

Steffan Karger steffan.karger at fox-it.com
Wed Nov 15 12:54:42 CET 2017


We'd like to point out one more important change in the default
settings of OpenVPN-NL 2.4, to help users transition more smoothly:

OpenVPN-NL 2.4 by default rejects certificates (anywhere in the chain)
that use a SHA1 digest, or RSA keys that are smaller than 2048 bits.

We strongly recommend using certificates that match these criteria,
but if support for SHA1 and/or < 2048-bit RSA is required, use the
"--tls-cert-profile legacy" option to re-enable support for
certificates with SHA1 or 1024+ bit RSA.

On 14-11-17 16:59, Steffan Karger wrote:
> A new version of OpenVPN-NL (2.4.4-nl1) is available on the
> OpenVPN-NL website [1].  This version is based on OpenVPN 2.4.4
> [2], and mbed TLS 2.6.0 [3].
>
> This release does not fix any imminent security issues, but does
> further tighten overall security.  Users are advised to upgrade to
> OpenVPN-NL 2.4.4-nl1 at any convenient time.
>
> OpenVPN-NL 2.4 comes with a number of new features.  Most of these
> are equal to the new features in upstream OpenVPN 2.4, see [4] for
> details.  For OpenVPN-NL specifically, we'd like to highlight a
> few:
>
> New ciphers:
>
> The control channel now supports the following cipher suites by
> default: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
>
> The --tls-cipher option also allows including the
> backwards-compatibility cipher suite:
>
> The data channel now supports both --cipher AES-256-CBC + --auth
> SHA256 (like 2.3 did), and --cipher AES-256-GCM (which doesn't need
> --auth).
>
> Data channel cipher negotiation: Negotiable Cipher Parameters (NCP)
> allows users to upgrade from the previous OpenVPN-NL data channel
> cipher (AES-256-CBC + HMAC-SHA256) to the new data channel cipher
> (AES-256-GCM) without running multiple server instances.  The new
> cipher has better performance and a lower per-packet overhead.  If
> NCP is enabled at both ends, AES-256-GCM is automatically
> negotiated.  In OpenVPN-NL 2.4, NCP is enabled by default on client
> instances, but disabled by default on server instances to allow
> server administrators to have full control over the cipher upgrade.
> NCP can be enabled using the --ncp-enable option.
>
> Control channel encryption: The new --tls-crypt option can be used
> instead of --tls-auth, to both encrypt and authenticate control
> channel packets.  This hides the TLS certificate contents from
> attackers without the --tls-crypt key.
>
> Better support for roaming clients: UDP mode now supports client
> IP/port changes without requiring a reconnect.  This reduces the
> need for clients to reconnect often, improving connection stability
> and reducing server load.
>
> Stricter CRL checking: The CRL verification implementation now
> verifies that the CRL is correctly signed by the CA, and interprets
> the CRL 'nextUpdate' field as an expiration date.  If the CRL is
> expired, connections will be rejected.
>
> Stricter config file checking: Unused parameters to config options
> are no longer silently ignored.  Instead, such configs are now
> rejected on startup.
>
> For more details, please refer to the upstream Changes document on
> [4].
>
> References
> ----------
> [1] https://openvpn.fox-it.com/
> [2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
> [3] https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3
> [4] https://github.com/OpenVPN/openvpn/blob/v2.4.4/Changes.rst
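The new default certificate profile (no SHA1 digests, RSA keys of at least 2048 bits, applied to every certificate in the chain) is the change most likely to break an existing deployment on upgrade. The following shell script is an added example, not part of the OpenVPN-NL announcement or the project's own tooling: it inspects a PEM certificate or chain file with the openssl command-line tool and reports which certificates the default profile would reject, so an administrator can decide between re-issuing certificates and temporarily falling back to "--tls-cert-profile legacy". It assumes an openssl binary on PATH; the sample certificates at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the OpenVPN-NL announcement): report which
# certificates in a PEM file would be rejected by the OpenVPN-NL 2.4
# default certificate profile (SHA1 digest, or RSA key < 2048 bits).
# Assumption: an openssl binary is available on PATH.

MIN_RSA_BITS=2048

# Check one certificate file. Prints "ok"/"reject" and returns 0 if the
# certificate satisfies the default profile, 1 if it would be rejected,
# 2 if openssl could not parse the file.
check_cert_profile() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # First "Signature Algorithm:" line is the signature on this certificate.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # "Public-Key: (N bit)" is printed for RSA keys by OpenSSL 1.1 and 3.x.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    reason=""
    case "$sigalg" in
        sha1*|*SHA1*) reason="SHA1 signature" ;;
    esac
    # The key-size rule applies to RSA keys; EC keys are not sized here.
    case "$text" in
        *rsaEncryption*)
            if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
                reason="${reason:+$reason, }RSA key only ${bits:-?} bits"
            fi ;;
    esac
    if [ -n "$reason" ]; then
        echo "reject $cert: $reason (would need --tls-cert-profile legacy)"
        return 1
    fi
    echo "ok $cert: $sigalg, ${bits:-n/a} bit key"
    return 0
}

# Check every certificate in a PEM chain file (leaf plus intermediates),
# since OpenVPN-NL applies the profile anywhere in the chain.
# Returns 0 only if all certificates pass.
check_chain() {
    chain="$1"
    tmpdir=$(mktemp -d)
    # Split the PEM file into one file per certificate.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (d "/cert" n ".pem")}' "$chain"
    status=0
    for c in "$tmpdir"/cert*.pem; do
        check_cert_profile "$c" || status=1
    done
    rm -rf "$tmpdir"
    return $status
}

# Constructed sample certificate for demonstration: self-signed, SHA-256,
# with the requested RSA key size (e.g. 2048 passes, 1024 is rejected).
make_sample_cert() {  # args: output PEM file, RSA key bits
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" \
        -out "$1" -days 1 -sha256 -subj "/CN=sample-$2" 2>/dev/null
}

# Usage: sh check-profile.sh chain.pem
if [ $# -gt 0 ]; then
    check_chain "$1"
fi
```

A non-zero exit from check_chain means at least one certificate in the file fails the default profile; the printed reason tells you whether the fix is a re-signed certificate (SHA1) or a new key pair (small RSA key). The script only inspects what openssl prints, so it is a pre-upgrade sanity check, not a substitute for testing the connection against OpenVPN-NL 2.4 itself.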