Minor update:

Version 2.4.1
=============

- ``--remote-cert-ku`` now only requires the certificate to have at least the bits set of one of the values in the supplied list, instead of requiring an exact match to one of the values in the list.

- ``--remote-cert-tls`` now only requires that a keyUsage is present in the certificate, and leaves the verification of the value up to the crypto library, which has more information (i.e. the key exchange method in use) to verify that the keyUsage is correct.

- ``--ns-cert-type`` is deprecated. Use ``--remote-cert-tls`` instead. The nsCertType x509 extension is very old, and barely used. ``--remote-cert-tls`` uses the far more common keyUsage and extendedKeyUsage extension instead. Make sure your certificates carry these to be able to use ``--remote-cert-tls``.
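To make the first changelog item concrete, here is an added illustration (not OpenVPN's own code) of the old exact-match rule next to the new at-least-these-bits rule for ``--remote-cert-ku``; the keyUsage bit values are assumed from OpenSSL's RFC 5280 numbering, and the name parser takes the openssl.cnf ``keyUsage=`` spelling. A certificate carrying digitalSignature, keyEncipherment and keyAgreement (a8) fails the old check against the list "a0 88" but passes the new one.

```c
#include <stddef.h>
#include <string.h>
/* RFC 5280 KeyUsage bits, numbered as OpenSSL and OpenVPN's --remote-cert-ku
 * present them (e.g. "a0" = digitalSignature|keyEncipherment). Assumed values. */
enum { KU_DIGITAL_SIGNATURE = 0x80, KU_NON_REPUDIATION = 0x40, KU_KEY_ENCIPHERMENT = 0x20,
       KU_DATA_ENCIPHERMENT = 0x10, KU_KEY_AGREEMENT = 0x08, KU_KEY_CERT_SIGN = 0x04,
       KU_CRL_SIGN = 0x02, KU_ENCIPHER_ONLY = 0x01, KU_DECIPHER_ONLY = 0x8000 };

/* Parse a comma-separated keyUsage list as written on an openssl.cnf "keyUsage="
 * line (no spaces) into a bitmask; an unknown or empty item yields 0. */
unsigned ku_from_names(const char *names)
{
    static const struct { const char *name; unsigned bit; } tbl[] = {
        {"digitalSignature", KU_DIGITAL_SIGNATURE}, {"nonRepudiation", KU_NON_REPUDIATION},
        {"keyEncipherment", KU_KEY_ENCIPHERMENT},   {"dataEncipherment", KU_DATA_ENCIPHERMENT},
        {"keyAgreement", KU_KEY_AGREEMENT},         {"keyCertSign", KU_KEY_CERT_SIGN},
        {"cRLSign", KU_CRL_SIGN},                   {"encipherOnly", KU_ENCIPHER_ONLY},
        {"decipherOnly", KU_DECIPHER_ONLY} };
    unsigned mask = 0;
    for (const char *p = names; *p;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        unsigned bit = 0;
        for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
            if (strlen(tbl[i].name) == len && memcmp(tbl[i].name, p, len) == 0)
                bit = tbl[i].bit;
        if (bit == 0) return 0;        /* unknown or empty item: reject the whole list */
        mask |= bit;
        p = end ? end + 1 : p + len;
    }
    return mask;
}
/* Pre-2.4.1 semantics: the certificate's keyUsage must equal one list entry,
 * so a certificate carrying any additional bit was rejected. */
int ku_match_exact(unsigned cert_ku, const unsigned *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (cert_ku == allowed[i]) return 1;
    return 0;
}
/* 2.4.1 semantics: the certificate must carry at least the bits of one entry;
 * extra bits are fine. A zero entry is skipped here, since (x & 0) == 0 would
 * otherwise accept every certificate. */
int ku_match_superset(unsigned cert_ku, const unsigned *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] != 0 && (cert_ku & allowed[i]) == allowed[i]) return 1;
    return 0;
}
```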
Test reports welcome. Index: Makefile =================================================================== RCS file: /d/cvs/ports/net/openvpn/Makefile,v retrieving revision 1.72 diff -u -p -r1.72 Makefile --- Makefile 16 Feb 2017 21:16:55 -0000 1.72 +++ Makefile 27 Mar 2017 04:33:40 -0000 @@ -2,9 +2,8 @@ COMMENT= easy-to-use, robust, and highly configurable VPN -DISTNAME= openvpn-2.4.0 +DISTNAME= openvpn-2.4.1 CATEGORIES= net security -REVISION= 0 HOMEPAGE= https://openvpn.net/index.php/open-source/ Index: distinfo =================================================================== RCS file: /d/cvs/ports/net/openvpn/distinfo,v retrieving revision 1.35 diff -u -p -r1.35 distinfo --- distinfo 6 Feb 2017 10:22:35 -0000 1.35 +++ distinfo 27 Mar 2017 04:33:40 -0000 @@ -1,2 +1,2 @@ -SHA256 (openvpn-2.4.0.tar.gz) = 8h21JbPAOpu9Cnq20OT7r4kC8ji/U7i8TgT4NOTnyqQ= -SIZE (openvpn-2.4.0.tar.gz) = 1409019 +SHA256 (openvpn-2.4.1.tar.gz) = gxoaBSaP47FkbTZ+JVnP+U00fSE8qJlcxIpO7cRSCXo= +SIZE (openvpn-2.4.1.tar.gz) = 1385789 Index: patches/patch-configure =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v retrieving revision 1.14 diff -u -p -r1.14 patch-configure --- patches/patch-configure 6 Feb 2017 10:22:35 -0000 1.14 +++ patches/patch-configure 27 Mar 2017 04:33:40 -0000 
@@ -1,10 +1,10 @@ $OpenBSD: patch-configure,v 1.14 2017/02/06 10:22:35 jca Exp $ ---- configure.orig Tue Dec 27 12:22:04 2016 -+++ configure Tue Jan 17 03:33:06 2017 -@@ -17090,7 +17090,7 @@ fi +--- configure.orig Wed Mar 22 16:34:35 2017 ++++ configure Mon Mar 27 06:03:11 2017 +@@ -17299,7 +17299,7 @@ else + fi - plugindir="${with_plugindir}" -sampledir="\$(docdir)/sample" +sampledir="\$(docdir)" Index: patches/patch-include_Makefile_in =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-include_Makefile_in,v retrieving revision 1.7 diff -u -p -r1.7 patch-include_Makefile_in --- patches/patch-include_Makefile_in 6 Feb 2017 10:22:35 -0000 1.7 +++ patches/patch-include_Makefile_in 27 Mar 2017 04:33:40 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-include_Makefile_in,v 1.7 2017/02/06 10:22:35 jca Exp $ ---- include/Makefile.in.orig Tue Dec 27 12:22:04 2016 -+++ include/Makefile.in Tue Jan 17 03:33:06 2017 -@@ -322,7 +322,7 @@ host_cpu = @host_cpu@ +--- include/Makefile.in.orig Wed Mar 22 16:34:37 2017 ++++ include/Makefile.in Mon Mar 27 06:01:57 2017 +@@ -325,7 +325,7 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ Index: patches/patch-src_openvpn_route_c =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v retrieving revision 1.7 diff -u -p -r1.7 patch-src_openvpn_route_c --- patches/patch-src_openvpn_route_c 6 Feb 2017 10:22:35 -0000 1.7 +++ patches/patch-src_openvpn_route_c 27 Mar 2017 04:33:40 -0000 
@@ -2,9 +2,9 @@ $OpenBSD: patch-src_openvpn_route_c,v 1. - add support for on-link routes ---- src/openvpn/route.c.orig Mon Dec 26 12:51:00 2016 -+++ src/openvpn/route.c Tue Jan 17 03:36:54 2017 -@@ -1758,12 +1758,17 @@ add_route(struct route_ipv4 *r, +--- src/openvpn/route.c.orig Wed Mar 22 16:34:21 2017 ++++ src/openvpn/route.c Mon Mar 27 06:01:57 2017 +@@ -1778,12 +1778,17 @@ add_route(struct route_ipv4 *r, } #endif Index: patches/patch-src_openvpn_ssl_openssl_c =================================================================== RCS file: patches/patch-src_openvpn_ssl_openssl_c diff -N patches/patch-src_openvpn_ssl_openssl_c --- patches/patch-src_openvpn_ssl_openssl_c 6 Feb 2017 10:22:35 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,40 +0,0 @@ -$OpenBSD: patch-src_openvpn_ssl_openssl_c,v 1.3 2017/02/06 10:22:35 jca Exp $ - -Avoid accessing a field of SSL_CTX that is now private in LibreSSL. - ---- src/openvpn/ssl_openssl.c.orig Sat Feb 4 18:30:20 2017 -+++ src/openvpn/ssl_openssl.c Sat Feb 4 18:35:47 2017 -@@ -485,14 +485,6 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, con - - /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */ - SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE); --#if OPENSSL_VERSION_NUMBER >= 0x10002000L -- /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter loading */ -- if (NULL == curve_name) -- { -- SSL_CTX_set_ecdh_auto(ctx->ctx, 1); -- return; -- } --#endif - /* For older OpenSSL, we'll have to do the parameter loading on our own */ - if (curve_name != NULL) - { -@@ -502,6 +494,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, con - } - else - { -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L -+ SSL_CTX_set_ecdh_auto(ctx->ctx, 1); -+ return; -+#else - /* Extract curve from key */ - EC_KEY *eckey = NULL; - const EC_GROUP *ecgrp = NULL; -@@ -519,6 +515,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, con - { - nid = EC_GROUP_get_curve_name(ecgrp); - } -+#endif - } - - /* Translate NID back to name , just for kicks */ Index: patches/patch-src_openvpn_tun_c =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v retrieving revision 1.11 diff -u -p -r1.11 patch-src_openvpn_tun_c --- patches/patch-src_openvpn_tun_c 6 Feb 2017 10:22:35 -0000 1.11 +++ patches/patch-src_openvpn_tun_c 27 Mar 2017 04:33:40 -0000 
@@ -2,9 +2,9 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.11 - no need for link0 any more, we have separate tap interfaces ---- src/openvpn/tun.c.orig Mon Dec 26 12:51:00 2016 -+++ src/openvpn/tun.c Tue Jan 17 03:39:13 2017 -@@ -1196,7 +1196,7 @@ do_ifconfig(struct tuntap *tt, +--- src/openvpn/tun.c.orig Wed Mar 22 16:34:21 2017 ++++ src/openvpn/tun.c Mon Mar 27 06:01:57 2017 +@@ -1201,7 +1201,7 @@ do_ifconfig(struct tuntap *tt, if (tun) { argv_printf(&argv, @@ -13,7 +13,7 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.11 IFCONFIG_PATH, actual, ifconfig_local, -@@ -1208,7 +1208,7 @@ do_ifconfig(struct tuntap *tt, +@@ -1213,7 +1213,7 @@ do_ifconfig(struct tuntap *tt, { remote_end = create_arbitrary_remote( tt ); argv_printf(&argv, @@ -22,7 +22,7 @@ $OpenBSD: patch-src_openvpn_tun_c,v 1.11 IFCONFIG_PATH, actual, ifconfig_local, -@@ -1219,8 +1219,13 @@ do_ifconfig(struct tuntap *tt, +@@ -1224,8 +1224,13 @@ do_ifconfig(struct tuntap *tt, } else { Index: pkg/PLIST =================================================================== RCS file: /d/cvs/ports/net/openvpn/pkg/PLIST,v retrieving revision 1.20 diff -u -p -r1.20 PLIST --- pkg/PLIST 6 Feb 2017 10:22:35 -0000 1.20 +++ pkg/PLIST 27 Mar 2017 04:33:40 -0000 
@@ -52,31 +52,6 @@ share/examples/openvpn/sample-keys/clien share/examples/openvpn/sample-keys/dh2048.pem share/examples/openvpn/sample-keys/gen-sample-keys.sh share/examples/openvpn/sample-keys/openssl.cnf -share/examples/openvpn/sample-keys/sample-ca/ -share/examples/openvpn/sample-keys/sample-ca/01.pem -share/examples/openvpn/sample-keys/sample-ca/02.pem -share/examples/openvpn/sample-keys/sample-ca/03.pem -share/examples/openvpn/sample-keys/sample-ca/ca.crl -share/examples/openvpn/sample-keys/sample-ca/ca.crt -share/examples/openvpn/sample-keys/sample-ca/ca.key -share/examples/openvpn/sample-keys/sample-ca/client-pass.key -share/examples/openvpn/sample-keys/sample-ca/client-revoked.crt -share/examples/openvpn/sample-keys/sample-ca/client-revoked.csr -share/examples/openvpn/sample-keys/sample-ca/client-revoked.key -share/examples/openvpn/sample-keys/sample-ca/client.crt -share/examples/openvpn/sample-keys/sample-ca/client.csr -share/examples/openvpn/sample-keys/sample-ca/client.key -share/examples/openvpn/sample-keys/sample-ca/client.p12 -share/examples/openvpn/sample-keys/sample-ca/index.txt -share/examples/openvpn/sample-keys/sample-ca/index.txt.attr -share/examples/openvpn/sample-keys/sample-ca/index.txt.attr.old -share/examples/openvpn/sample-keys/sample-ca/index.txt.old -share/examples/openvpn/sample-keys/sample-ca/secp256k1.pem -share/examples/openvpn/sample-keys/sample-ca/serial -share/examples/openvpn/sample-keys/sample-ca/serial.old -share/examples/openvpn/sample-keys/sample-ca/server.crt -share/examples/openvpn/sample-keys/sample-ca/server.csr -share/examples/openvpn/sample-keys/sample-ca/server.key share/examples/openvpn/sample-keys/server-ec.crt share/examples/openvpn/sample-keys/server-ec.key share/examples/openvpn/sample-keys/server.crt Index: pkg/README =================================================================== RCS file: /d/cvs/ports/net/openvpn/pkg/README,v retrieving revision 1.2 diff -u -p -r1.2 README --- pkg/README 25 Apr 2016 
18:21:09 -0000 1.2 +++ pkg/README 27 Mar 2017 04:33:40 -0000 @@ -18,7 +18,7 @@ Using an /etc/hostname.* file without pe OpenVPN normally re-creates the tun/tap interface at startup. This has been reported to cause problems with some PF configurations (especially with queueing), if you run into problems with this then -then OpenVPN should be started from the hostname.* file, e.g.: +OpenVPN should be started from the hostname.* file, e.g.: # cat << EOF > /etc/hostname.tun0 up -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
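Review bot: the distinfo hunk is the only thing that pins the new tarball, so the SHA256 and SIZE lines for openvpn-2.4.1.tar.gz should be regenerated from a tarball fetched from the upstream location and compared with the checksum upstream publishes, rather than taken on trust from this diff; dropping the 2.4.0 entries is otherwise fine.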
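Review bot: the mail says nothing about why patch-src_openvpn_ssl_openssl_c is dropped (the diff -N hunk against /dev/null). That patch existed to avoid touching a field of SSL_CTX that is private in LibreSSL, by moving the SSL_CTX_set_ecdh_auto() call under OPENSSL_VERSION_NUMBER >= 0x10002000L into the else branch of tls_ctx_load_ecdh_params(); a one-line note that 2.4.1 no longer needs it, and that the ECDH parameter loading path was build-tested against LibreSSL, would let reviewers confirm this without diffing upstream themselves.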
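Review bot: the PLIST hunk stops installing the whole share/examples/openvpn/sample-keys/sample-ca/ tree, which included a CA private key (ca.key), server.key, client.key, client-pass.key, a PKCS#12 bundle (client.p12) and the CA database files (index.txt, serial, ca.crl). That deserves a sentence in the commit message, since anyone who copied the old sample CA layout will find those paths gone after the update; note that sample-keys/server-ec.key and dh2048.pem remain in the package and are example material only, never to be deployed as-is.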