wiki:Topics-2023-11-29

Basic info

  • Time: Wednesday 29 November 2023 at 13:00 CEST (11:00 UTC)
  • Place: #openvpn-meeting channel on LiberaChat IRC network

Topics

Current topics

  • Meeting today cancelled due to lack of attendance
  • Website release process woes
    Website team reports they are going to publish the new CMS for community downloads and security advisories next week.
  • TLS 1.0 PRF problem
    OpenVPN has historically derived its data channel keys with a scheme based on the TLS 1.0 PRF, which combines MD5 and SHA1. Since OpenVPN 2.6.0+ and 3.6.0+, Keying Material Exporters (RFC 5705) are the preferred modern alternative, but if one or both sides run an older version such as 2.5, the old way of making key material is still used, and that is where problems can arise.
    For example, on platforms like RHEL 9 with FIPS mode enabled, the TLS 1.0 PRF with MD5+SHA1 cannot be computed at all: the FIPS provider refuses MD5 outright, even in this combined MD5+SHA1 construction.
    As a practical example, this means OpenVPN 2.5 on RHEL 9 with FIPS enabled cannot work at all. OpenVPN 2.6 does work, because it uses the TLS keying material exporter instead, but only if the other side supports the exporter too; against a peer that does not, it has to fall back to the TLS 1.0 PRF and hits the same failure.
    First of all we should document this. Second, a self-test in OpenVPN that detects this situation at startup and warns about it would be beneficial.
  • License amendment for OpenVPN2 to solve openssl/mbedtls licensing issues
    For new contributions the new license already applies.
    The --tls-export-cert option needs to be removed and reimplemented. dazo sent in the patch to remove it; plaisthos will reimplement it.
    Then it is up to dazo to review things so we can work on finalizing this.
    One of the last tasks is reviewing if remaining items are trivial patches, and maybe get legal advice on those if necessary.
  • Donations for OpenVPN community
    There is currently no place to donate money to the community.
    The question is, do we want to allow donations? The answer is yes.
    We need to figure out how to deal with that legally, and what payment methods to accept and how.
    Credit card is probably a must; maybe PayPal as well. Bitcoin seems to encounter some resistance in the discussions.
    We definitely do not want the donation thing to be forced - have a mechanism to do it, but keep it out of the way.
    Random things yelled out (to investigate): legal entity? stripe? paypal? creditcard? open collective? github sponsors? linux foundation? sf conservancy?
  • OpenVPN community meetup 2024
    Naming: We decided to rename from 'Hackathon' to 'OpenVPN community meetup'. This has a more open spirit to it, as we want to encourage developers and those interested in contributing to feel welcome.
    Where: Karlsruhe, Germany. It is a relatively central location in Europe and is fairly easily reachable by train. A meeting location is yet to be arranged.
    When: At the moment tentatively set to 20-22 September 2024.
    Who: We'll do an open invitation to openvpn-devel mailing list, but also CC: specifically past attendees and people of interest.
    Shirts: There is plenty of time still to prepare a shirt design.
  • OpenVPN release process topics
    There was a request in https://github.com/OpenVPN/openvpn/issues/397 to publish releases on GitHub as well.
    djpig thinks it would be fairly doable to copy the release information to GitHub too.
    We could do this during the next release.
  • OpenVPN 2.6 performance results
    Tests should cover GRE, IPsec, userland OpenVPN and DCO, on Linux, FreeBSD and Windows.
    This requires dedicated time; it will be done when time is available.
  • security@… mailing list
    OpenVPN Inc. is working towards SOC 2 compliance.
    Recipients of mail sent to security@… will probably need to sign a simple NDA.
    Someone at the company took the standard NDA used for contractors and suggests using that.
    novaflash thinks we should review it first to see whether it is really suitable, since community members are not contractors after all.
  • Another key signing topic
    The company has moved its EV code signing key to CloudHSM. This is the same certificate type we use for driver signing, and it is also suitable for signing binaries.
    In future the community builds could possibly be signed with that same key, which saves maintaining two different keys.
    This depends on how hard or easy it is to reach the company's signing setup from the community infrastructure.
    It is not a high priority at the moment; we have a working solution now.
  • SBOM topic
    cron2 was asked whether OpenVPN has a software bill of materials (SBOM); the answer was no.
    Coincidentally, OpenVPN Inc. has an internal security requirement to produce an SBOM, so this is on the list of things to do.
    When that task is picked up, the two efforts can be coordinated.
  • Forums machine on community infrastructure is the only non-Linux system
    mattock built a new forums system running on Rocky Linux 8, as agreed with ecrist.
    ecrist has looked at it, but the current state of the migration is unknown.
  • Management interface documentation on the main website will be updated with information from doc/management-notes.txt
    novaflash will pick this up at some point.
Last modified on 12/06/23 11:44:26