OpenVPN has been rebased to the latest upstream version, v2.4.3.
This update adds a lot of improvements; most notable are improved elliptic curve support (ECDH), support for AES-GCM, an additional encryption layer for the control channel (--tls-crypt), and a type of cipher negotiation which allows gradually updating client ciphers to stronger ones without much extra complexity. In addition, there is also seamless client IP/port floating, allowing clients to change IP address or port without going through a full renegotiation of the established tunnel. For the full set of changes, see https://github.com/OpenVPN/openvpn/blob/v2.4.1/Changes.rst
The overall systemd integration has also improved, allowing systemd to better manage the OpenVPN processes. This update also ships with brand new systemd unit files, which add additional security hardening. These new unit files are preferred over the old openvpn@.service unit file. These new unit files are also used as-is in other systemd Linux distributions, which ensures more consistent behaviour and usage of OpenVPN on systemd-based systems. Please see /usr/share/doc/openvpn/README.systemd for more information.
This update may introduce some surprises too.
CRL checking is now done by the SSL libraries directly. These libraries have a far stricter acceptance policy than the old approach OpenVPN used earlier. For example, if your CRL file has expired, this will have an impact on all your users regardless of whether their certificates are revoked or not.
In Fedora 26, OpenVPN will currently use compat-openssl10 and compat-openssl10-pkcs11-helper. These compat packages are considered a workaround until the openssl-1.1 support, which has arrived in OpenVPN quite recently, has been more thoroughly tested. In a later update the OpenVPN package will be updated to make use of the newer openssl-1.1 library.
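The CRL caveat above, as an added example that is not part of the release notes or of the OpenVPN project: a small POSIX shell script that checks a CRL's nextUpdate before the file is handed to --crl-verify, with a throwaway CA so the check can be tried offline. It assumes the openssl CLI and GNU date (-d); check_crl, nextupdate_is_future and make_demo_crl are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the Fedora release notes or the OpenVPN project).
# With OpenVPN 2.4 an expired CRL makes the SSL library reject every client,
# revoked or not, so verify the CRL's validity period before deploying it.
# Assumes the openssl CLI and GNU date (-d).

# Return 0 if the nextUpdate string (as printed by openssl) lies in the future,
# 1 if the CRL has already expired, 2 if the date cannot be parsed.
nextupdate_is_future() {
    next_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now_epoch=$(date -u +%s)
    [ "$next_epoch" -gt "$now_epoch" ]
}

# Extract nextUpdate from a PEM CRL (e.g. "nextUpdate=Jun 22 10:00:00 2017 GMT")
# and run the check above; returns 2 if the file is not a readable CRL.
check_crl() {
    line=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 2
    nextupdate_is_future "${line#nextUpdate=}"
}

# Demo only: build a throwaway CA and issue a CRL valid for $2 days into
# file $1, so the check can be exercised without touching a real PKI.
make_demo_crl() {
    dir=$(mktemp -d)
    : > "$dir/index.txt"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$1" >/dev/null 2>&1
    rm -rf "$dir"
}

# Usage: sh check_crl.sh /etc/openvpn/server/crl.pem
if [ -n "${1:-}" ]; then
    check_crl "$1" && echo "CRL still valid" || echo "CRL expired or unreadable"
fi
```

Run the script against the CRL referenced by --crl-verify from cron so an expiring CRL is noticed before it locks out every client.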
I just updated the release notes to match up with the recent development of this package. Most importantly, we currently use compat-openssl10 now instead of mbedtls-2.4.x, which restores many of the features Mbed TLS is lacking.
Another note: OpenVPN v2.4.3 will be released Wed June 21. Packaging is mostly done and will be pushed out ASAP after the official release.
@dsommers when you say you updated the release notes, do you mean you updated the text in the opening of the ticket? I am sorry I didn't track this ticket sooner.
Do you need the additional note folded in or can we ignore it for the purposes of release notes?
Metadata Update from @pbokoc: - Issue assigned to pbokoc
Pushed to branch f26, in case anyone feels like doing a review: https://pagure.io/release-notes/c/76126e8d5d33c3c4a90c82e87e7286a95e75cf44?branch=f26
Metadata Update from @pbokoc: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)