Here's an update to openvpn-2.4.9
ChangeLog:
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

The most interesting entry is probably:

--8<--
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). This can be used to disrupt service to a freshly connected client (no session keys negotiated yet). It can not be used to inject or steal VPN traffic. CVE-2020-11810, trac #1272).
-->8--

TLSv1.3 support isn't available with LibreSSL (we do not expose defines and functions that would be needed). Even though --show-tls will print a cipher list, --tls-ciphersuites is not reachable:

--8<--
$ openvpn --tls-ciphersuites
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-ciphersuites (2.4.9)
Use --help for more information.
-->8--

Test reports for the server side welcome, same for compat tests with servers that support TLSv1.3.

Index: Makefile =================================================================== RCS file: /d/cvs/ports/net/openvpn/Makefile,v retrieving revision 1.99 diff -u -p -r1.99 Makefile --- Makefile 10 Nov 2019 21:50:23 -0000 1.99 +++ Makefile 17 Apr 2020 15:57:18 -0000 @@ -2,8 +2,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN -DISTNAME= openvpn-2.4.8 -REVISION= 0 +DISTNAME= openvpn-2.4.9 CATEGORIES= net security Index: distinfo =================================================================== RCS file: /d/cvs/ports/net/openvpn/distinfo,v retrieving revision 1.43 diff -u -p -r1.43 distinfo --- distinfo 5 Nov 2019 17:53:17 -0000 1.43 +++ distinfo 17 Apr 2020 15:57:28 -0000 
@@ -1,2 +1,2 @@ -SHA256 (openvpn-2.4.8.tar.gz) = ZeHaPzoI5+kAwXXn/DDYNIgf0t6g6zmyUyWoYanaC8U= -SIZE (openvpn-2.4.8.tar.gz) = 1452539 +SHA256 (openvpn-2.4.9.tar.gz) = RrJo74jmfKbeLp8ZlD655ayFROVfXB869ncpjQPmS24= +SIZE (openvpn-2.4.9.tar.gz) = 1455736 Index: patches/patch-configure =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-configure,v retrieving revision 1.21 diff -u -p -r1.21 patch-configure --- patches/patch-configure 5 Nov 2019 17:53:17 -0000 1.21 +++ patches/patch-configure 17 Apr 2020 15:57:37 -0000 @@ -2,7 +2,7 @@ $OpenBSD: patch-configure,v 1.21 2019/11 Index: configure --- configure.orig +++ configure -@@ -18032,7 +18032,7 @@ else +@@ -18146,7 +18146,7 @@ else fi Index: patches/patch-include_Makefile_in =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-include_Makefile_in,v retrieving revision 1.10 diff -u -p -r1.10 patch-include_Makefile_in --- patches/patch-include_Makefile_in 5 Nov 2019 17:53:17 -0000 1.10 +++ patches/patch-include_Makefile_in 17 Apr 2020 15:57:37 -0000 @@ -2,7 +2,7 @@ $OpenBSD: patch-include_Makefile_in,v 1. Index: include/Makefile.in --- include/Makefile.in.orig +++ include/Makefile.in -@@ -334,7 +334,7 @@ host_cpu = @host_cpu@ +@@ -336,7 +336,7 @@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ Index: patches/patch-src_openvpn_ssl_c =================================================================== RCS file: /d/cvs/ports/net/openvpn/patches/patch-src_openvpn_ssl_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-src_openvpn_ssl_c --- patches/patch-src_openvpn_ssl_c 21 Feb 2019 23:32:23 -0000 1.1 +++ patches/patch-src_openvpn_ssl_c 17 Apr 2020 15:58:18 -0000 
@@ -1,14 +0,0 @@ -$OpenBSD: patch-src_openvpn_ssl_c,v 1.1 2019/02/21 23:32:23 jca Exp $ - -Index: src/openvpn/ssl.c ---- src/openvpn/ssl.c.orig -+++ src/openvpn/ssl.c -@@ -4146,7 +4146,7 @@ show_available_tls_ciphers(const char *cipher_list, - { - printf("Available TLS Ciphers, listed in order of preference:\n"); - --#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL) -+#if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_TLS1_3)) - printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n"); - show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true); - #else -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
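Review bot: in the distinfo hunk, the new SHA256 and SIZE lines for openvpn-2.4.9.tar.gz become the value every later fetch of this port is checked against, and the mail does not say what the tarball itself was checked against before they were generated. Suggest verifying the download against upstream's detached PGP signature for the release and saying so in the commit message.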
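Review bot: the deletion of patches/patch-src_openvpn_ssl_c drops the local `!defined(OPENSSL_NO_TLS1_3)` condition on the `#if` in show_available_tls_ciphers() without saying why. The mail notes that --show-tls prints a cipher list while --tls-ciphersuites is rejected on LibreSSL, so if the "For TLS 1.3 and newer (--tls-ciphersuites)" section is now printed, it advertises an option users cannot set. Either state that 2.4.9 carries an equivalent check upstream, or keep a rebased version of the patch so the --show-tls output matches what the build accepts.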