On 26/04/17 17:08, Lee Howard wrote:
> On 04/25/2017 01:39 PM, David Sommerseth wrote:
>> This is actually just a very late heads-up about challenges with OpenVPN
>> in Fedora 26.
>>
>> Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
>> good step forward. Unfortunately, that gives OpenVPN a real challenge.
>> The OpenSSL v1.1 support is not completed. Patches have been sent to
>> the upstream devel mailing list for review, but only half of them have
>> been processed and applied so far.
>>
>> So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
>> to mbed TLS instead of OpenSSL (which OpenVPN also supports). That has
>> revealed several issues:
>>
>> - mbed TLS 2.3+ does by default not support certificate hashes
>>   "older" than SHA1. And RSA keys must be 2048 bits or more.
>>   This has been fixed by a couple of additional patches on top
>>   of the upstream OpenVPN code base.
>
> Why is switching to mbed TLS and patching that preferred over just
> patching OpenVPN?

Basically, security - as VPNs are by default security sensitive. The
patches on the OpenVPN mailing list which enable OpenSSL 1.1 support need
to be reviewed properly before we can fully trust them. And considering
that the mbed TLS support has been in OpenVPN for several years and has
also been used by OpenVPN-NL [1] for a long time, I consider that approach
more secure.

In addition, I don't want to maintain what would in effect be a fork of
OpenVPN (even though only for a while). So I follow the common Red Hat
mantra of "upstream first". Once upstream has officially blessed OpenVPN
with OpenSSL 1.1, we will pull in these patches unless a new v2.4 release
is coming. This makes it easier to get upstream bugs fixed; we don't need
to consider whether a potential bug is a result of the un-reviewed OpenSSL
patches or not.

Those two patches I have added are basically based upon other patches
under review [2] (I have been involved in that review too). In addition, a
similar approach has been implemented in the OpenVPN 3 core library [3]
(which is being used by the OpenVPN Connect product range), which uses
the same concept. So I consider those patches less security sensitive.

[1] <https://openvpn.fox-it.com/>
[2] <https://www.mail-archive.com/openvpn-devel@xxxxxxxxxxxxxxxxxxxxx/msg14452.html>
[3] <https://github.com/OpenVPN/openvpn3/commit/88ae6eba36e91aa04ad95252456129ffcf544bd9>

--
kind regards,

David Sommerseth
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx