[OpenVPN-NL] OpenVPN-NL 2.4.4-nl1 released
steffan.karger at fox-it.com
Wed Nov 15 12:54:42 CET 2017
We'd like to point out one more important change in the default
settings of OpenVPN-NL 2.4, to help users transition more smoothly:
OpenVPN-NL 2.4 by default rejects certificates (anywhere in the chain)
that use a SHA1 digest, or RSA keys that are smaller than 2048 bits.
We strongly recommend using certificates that match these criteria,
but if support for SHA1 and/or < 2048 bits RSA is required, use the
"--tls-cert-profile legacy" option to re-enable support for
certificates with SHA1 or 1024+ bits RSA.
On 14-11-17 16:59, Steffan Karger wrote:
> A new version of OpenVPN-NL (2.4.4-nl1) is available on the
> OpenVPN-NL website. This version is based on OpenVPN 2.4.4,
> and mbed TLS 2.6.0.
> This release does not fix any imminent security issues, but does
> further tighten overall security. Users are advised to upgrade to
> OpenVPN-NL 2.4.4-nl1 at any convenient time.
> OpenVPN-NL 2.4 comes with a number of new features. Most of these
> are equal to the new features in upstream OpenVPN 2.4, see  for
> details. For OpenVPN-NL specifically, we'd like to highlight a
> New ciphers:
> The control channel now supports the following cipher suites by
> default: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> The --tls-cipher option also allows including the
> backwards-compatibility cipher suite:
> The data channel now supports both --cipher AES-256-CBC + --auth
> SHA256 (like 2.3 did), and --cipher AES-256-GCM (which doesn't need
> Data channel cipher negotiation: Negotiable Cipher Parameters (NCP)
> allows users to upgrade from the previous OpenVPN-NL data channel
> cipher (AES-256-CBC + HMAC-SHA256) to the new data channel cipher
> (AES-256-GCM) without running multiple server instances. The new
> cipher has better performance and a lower per-packet overhead. If
> NCP is enabled at both ends, AES-256-GCM is automatically
> negotiated. In OpenVPN-NL 2.4, NCP is enabled by default on client
> instances, but disabled by default on server instances to allow
> server administrators to have full control over the cipher upgrade.
> NCP can be enabled using the --ncp-enable option.
> Control channel encryption: The new --tls-crypt option can be used
> instead of --tls-auth, to both encrypt and authenticate control
> channel packets. This hides the TLS certificate contents from
> attackers without the --tls-crypt key.
> Better support for roaming clients: UDP mode now supports client
> IP/port changes without requiring a reconnect. This reduces the
> need for clients to reconnect often, improving connection stability
> and reducing server load.
> Stricter CRL checking: The CRL verification implementation now
> verifies that the CRL is correctly signed by the CA, and interprets
> the CRL 'nextUpdate' field as an expiration date. If the CRL is
> expired, connections will be rejected.
> Stricter config file checking: Unused parameters to config options
> are no longer silently ignored. Instead, such configs are now
> rejected on startup.
> For more details, please refer to the upstream Changes document on
> References
> ----------
> https://openvpn.fox-it.com/
> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
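A pre-upgrade audit for the new default certificate profile described in this announcement, added here as an example and not code from OpenVPN-NL or Fox-IT: it walks each certificate's DER with only the Python standard library and reports the two properties the 2.4 default rejects, a SHA1 signature algorithm or an RSA key shorter than 2048 bits. The sample certificates are constructed inside the block (empty names, dummy signature) purely to exercise the checker; a real deployment would feed it the CA bundle and leaf certificates from the OpenVPN-NL config.

```python
import base64, re

# DER-encoded OIDs (tag and length stripped); the SHA1 ones are what the new default rejects.
SHA1_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption", bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):  # (tag, value) elements of a constructed DER value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def check_cert(der):
    """Return the reasons OpenVPN-NL 2.4's default cert profile would reject this DER certificate."""
    tbs, sig_alg, _sig = _children(_children(der)[0][1])  # Certificate ::= SEQUENCE {tbs, alg, sig}
    problems, sig_oid = [], _children(sig_alg[1])[0][1]
    if sig_oid in SHA1_SIG_OIDS:
        problems.append("SHA1 signature (%s)" % SHA1_SIG_OIDS[sig_oid])
    fields = _children(tbs[1])
    fields = fields[fields[0][0] == 0xA0:]  # skip the optional [0] EXPLICIT version field
    spki_alg, spki_key = _children(fields[5][1])  # subjectPublicKeyInfo
    if _children(spki_alg[1])[0][1] == RSA_OID:
        rsa = _children(_children(spki_key[1][1:])[0][1])  # BIT STRING payload -> RSAPublicKey
        bits = int.from_bytes(rsa[0][1], "big").bit_length()
        if bits < 2048:
            problems.append("RSA key is only %d bits" % bits)
    return problems

def check_pem_bundle(pem):  # index -> problems for every offending certificate in a PEM file
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return {i: p for i, b in enumerate(blobs) if (p := check_cert(base64.b64decode(b)))}

def _enc(tag, body):  # tiny DER encoder, used only to build the constructed samples below
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 128 else bytes([0x80 | len(lb)]) + lb) + body

def make_sample_cert(key_bits, sig_oid):  # constructed, minimal X.509 DER; NOT a real certificate
    mod = (1 << (key_bits - 1)) | 1  # odd modulus with exactly key_bits bits
    pub = _enc(0x30, _enc(0x02, b"\x00" + mod.to_bytes(key_bits // 8, "big")) + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, RSA_OID) + b"\x05\x00") + _enc(0x03, b"\x00" + pub))
    alg = _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + _enc(0x30, b"") * 3 + spki)
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" + bytes(key_bits // 8)))
```

Any certificate the checker flags will be rejected by the 2.4 default; the `--tls-cert-profile legacy` option from the announcement is the documented way to keep such chains working while they are replaced.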