On 2014/10/15 12:28, Nothingness wrote:
> Also an OpenVPN user,
>
> Now that the POODLE vuln is out, could the 5.5 version of openvpn be
> bumped to 2.3.4 please? One thing that got introduced in 2.3.3 was
> --tls-version-min so you can specify the minimum version of TLS to use.
> I can't find a way to get above TLSv1/SSLv3 using 2.3.2.
The most I'd be happy with for -stable is something like this. However doing this for every port which might use SSLv3 is clearly not sustainable.

Index: patches/patch-src_openvpn_ssl_openssl_c
===================================================================
RCS file: patches/patch-src_openvpn_ssl_openssl_c
diff -N patches/patch-src_openvpn_ssl_openssl_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_openvpn_ssl_openssl_c	15 Oct 2014 14:06:11 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/openvpn/ssl_openssl.c.orig	Wed Oct 15 15:05:25 2014
++++ src/openvpn/ssl_openssl.c	Wed Oct 15 15:05:07 2014
+@@ -180,7 +180,7 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigne
+ ASSERT(NULL != ctx);
+ 
+ SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
+- SSL_CTX_set_options (ctx->ctx, SSL_OP_SINGLE_DH_USE);
++ SSL_CTX_set_options (ctx->ctx, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv3);
+ SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);
+ 
+ /* Require peer certificate verification */

> Noth
>
> On Fri, 2014-08-01 at 08:39 +0200, Stefan Sperling wrote:
> > On Fri, Aug 01, 2014 at 07:00:43AM +0100, Ryan O'Connor wrote:
> > > There are more than 30 fixes in 2.3.4.
> > >
> > > To see what those are, please surf to:
> > > https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
> > >
> > > As OpenBSD takes security very seriously, I suppose it will provide 2.3.4
> > > for its users.
> >
> > Another openvpn user here.
> >
> > Is there any particular fix you need? Skimming the change log I don't
> > see any critical fixes between 2.3.2 and 2.3.4.
> >
> > Changing a port while the ports tree is frozen presents a huge
> > burden on the people building release packages.
> > And important fixes can always be merged into -stable later.
> >
> >
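Review bot: in the tls_ctx_set_options hunk, the replaced SSL_CTX_set_options line only switches SSLv3 off (SSL_OP_NO_SSLv3); it does not give 2.3.2 the minimum-version control the quoted request cites from 2.3.3 (--tls-version-min), so TLS 1.0 stays negotiable and the reply's own "not sustainable" caveat applies to every other SSLv3-capable port in the same way. The new patch file also carries nothing between "$OpenBSD$" and the "---" header explaining why the option is added; a one-line comment such as "disable SSLv3 (POODLE)" there would tell the next person who updates the port whether the hunk can be dropped once the port moves to a release with --tls-version-min.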
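An added example, not code from this thread, from OpenVPN or from the OpenBSD port: it turns the two facts discussed above into a check, namely that --tls-version-min is only available from OpenVPN 2.3.3 onward, and that the 2.3.2 patch merely refuses SSLv3 rather than raising the TLS floor. The "OpenVPN 2.3.x ..." first-line format of `openvpn --version` is an assumption about the binary, and the version lines fed to the functions are constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN). Decides, from an
# "openvpn --version" first line, whether a build can use --tls-version-min
# (OpenVPN >= 2.3.3 per the thread) and prints the config line to add.
# Assumption: the first line looks like "OpenVPN 2.3.2 <platform> [...]".

# version_key LINE: reduce a version line to an integer key for comparison.
# Leading text ("OpenVPN ") and any trailing suffix (" x86_64-...", "p1")
# are stripped; missing components count as 0, so "2.4" becomes 2.4.0.
version_key() {
    printf '%s\n' "${1:-0}" \
      | sed 's/^[^0-9]*//; s/[^0-9.].*$//' \
      | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# version_ge A B: exit 0 if version A is at least version B.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# openvpn_tls_min_config LINE: print the config line that raises the TLS floor.
# Exit 0 when the build supports tls-version-min; exit 1 when it is too old,
# in which case only a build-time change such as the SSL_OP_NO_SSLv3 patch in
# the thread can help, and even that still leaves TLS 1.0 negotiable.
openvpn_tls_min_config() {
    if version_ge "$1" 2.3.3; then
        printf '%s\n' 'tls-version-min 1.2'
        return 0
    fi
    printf '%s\n' '# tls-version-min needs OpenVPN >= 2.3.3; this build cannot raise the TLS floor'
    return 1
}

# Stand-alone demo on constructed version lines (not real "openvpn --version" output).
for line in 'OpenVPN 2.3.2 x86_64-unknown-openbsd5.5 [SSL (OpenSSL)]' \
            'OpenVPN 2.3.4 x86_64-unknown-openbsd5.6 [SSL (OpenSSL)]'; do
    printf '%s: ' "$line"
    openvpn_tls_min_config "$line" || :
done
```

On a real host the input would be `openvpn --version | head -n 1`. The emitted line is the client-side (or server-side) setting; both peers must then support TLS 1.2, and OpenVPN's manual also documents a `tls-version-min 1.2 or-highest` form that falls back to the highest version the local TLS library offers when 1.2 is unavailable.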
