Opened 6 years ago
Closed 5 years ago
#1121 closed Feature Wish (fixed)
tls-crypt-v2: client-specific tls-crypt keys
Reported by: | Antonio Quartulli | Owned by: | Antonio Quartulli |
---|---|---|---|
Priority: | blocker | Milestone: | release 2.5 |
Component: | Crypto | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
OpenVPN 2.4 currently supports a control channel encryption mechanism which hides the content of control packets from malicious observers.
The main downside of this mechanism is that it currently uses one shared key among the entire VPN infrastructure (i.e. shared among all the clients and the server).
This ticket is about a new version of this feature, where each client gets provided with its own key.
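The following is an added illustration of the design the ticket describes, not OpenVPN's code or wire format (the real format is in doc/tls-crypt-v2.txt, referenced in the commit log below). It assumes: a server-only key split into an authentication half (Ka) and an encryption half (Ke); a fixed 64-byte per-client key (Kc); an HMAC-SHA256 counter keystream standing in for AES-CTR so it runs on the Python standard library alone; metadata that is just a constructed client-id string; and a revocation set standing in for the external command run by the verify hook. The point it shows is that the server holds one wrapping key while every client carries a distinct Kc, so exposure of one client's key reveals nothing about another's, and that a forged, altered or revoked wrapped key is rejected before any further handshake work happens.

```python
"""Illustration of per-client control-channel keys wrapped under a server key.
Constructed example; the layout and the HMAC-CTR keystream are stand-ins, not
OpenVPN's tls-crypt-v2 format."""
import hashlib
import hmac
import os
import struct

CLIENT_KEY_LEN = 64   # assumed length of a per-client key in this example
TAG_LEN = 32          # HMAC-SHA256 output length
IV_LEN = 16           # bytes of the tag reused as the keystream IV (SIV-style)


def gen_server_key() -> bytes:
    """Server key: 32 bytes authentication key (Ka) || 32 bytes encryption key (Ke)."""
    return os.urandom(64)


def gen_client_key() -> bytes:
    """A fresh per-client key Kc; each client gets its own."""
    return os.urandom(CLIENT_KEY_LEN)


def _keystream(ke: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for AES-256-CTR: concatenated HMAC-SHA256(Ke, IV || counter) blocks."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(ke, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_client_key(server_key: bytes, client_key: bytes, metadata: bytes) -> bytes:
    """Build the wrapped key WKc = T || C: T authenticates Kc and the metadata,
    the IV is derived from T, and C encrypts Kc || metadata under Ke."""
    ka, ke = server_key[:32], server_key[32:]
    if len(client_key) != CLIENT_KEY_LEN:
        raise ValueError("bad client key length")
    if len(metadata) > 0xFFFF:
        raise ValueError("metadata too long")
    plain = client_key + metadata
    tag = hmac.new(ka, struct.pack(">H", len(metadata)) + plain, hashlib.sha256).digest()
    return tag + _xor(plain, _keystream(ke, tag[:IV_LEN], len(plain)))


def unwrap_client_key(server_key: bytes, wrapped: bytes):
    """Recover (Kc, metadata); raise ValueError if the blob was forged or altered."""
    ka, ke = server_key[:32], server_key[32:]
    if len(wrapped) < TAG_LEN + CLIENT_KEY_LEN:
        raise ValueError("wrapped key too short")
    tag, ct = wrapped[:TAG_LEN], wrapped[TAG_LEN:]
    plain = _xor(ct, _keystream(ke, tag[:IV_LEN], len(ct)))
    client_key, metadata = plain[:CLIENT_KEY_LEN], plain[CLIENT_KEY_LEN:]
    expected = hmac.new(ka, struct.pack(">H", len(metadata)) + plain, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrapped client key failed authentication")
    return client_key, metadata


def verify_metadata(metadata: bytes, revoked: set) -> bool:
    """Stand-in for the administrator-supplied verify hook: the metadata is a
    constructed client-id string, rejected if it appears in the revocation set."""
    try:
        client_id = metadata.decode("ascii")
    except UnicodeDecodeError:
        return False
    return client_id not in revoked


def server_accept(server_key: bytes, wrapped: bytes, revoked: set):
    """Server-side handling of a received wrapped key: unwrap, run the metadata
    check, and only then release Kc for control-channel use."""
    try:
        client_key, metadata = unwrap_client_key(server_key, wrapped)
    except ValueError as e:
        return None, f"rejected: {e}"
    if not verify_metadata(metadata, revoked):
        return None, "rejected by metadata verification"
    return client_key, "accepted"


if __name__ == "__main__":
    ks = gen_server_key()
    wk_alice = wrap_client_key(ks, gen_client_key(), b"alice")
    wk_bob = wrap_client_key(ks, gen_client_key(), b"bob")
    print(server_accept(ks, wk_alice, set())[1])        # accepted
    print(server_accept(ks, wk_bob, {"bob"})[1])        # rejected by metadata verification
    tampered = wk_alice[:-1] + bytes([wk_alice[-1] ^ 1])
    print(server_accept(ks, tampered, set())[1])        # rejected: ... failed authentication
```

Two design points worth noticing: the authentication tag covers the metadata as well as the key, so an attacker holding a valid wrapped key cannot splice in someone else's metadata to pass the verify hook; and because the check runs on the unwrapped metadata before the TLS handshake, revoking a client costs the server one HMAC and one script call rather than a full handshake.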
Change History (4)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Milestone: | → release 2.5 |
---|---|
Version: | OpenVPN 2.5.0 (Community Ed) |
comment:3 Changed 6 years ago by
Patches have been reviewed once again and they need to be resent to the ml. They can probably be ACK'd right after.
comment:4 Changed 5 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
This feature has been added to git master, to be part of the coming release/2.5.
```
commit ff931c5e99a808e762bc0203d70f19bf3767e216
Author: Steffan Karger
Date:   Mon Oct 22 13:45:15 2018 +0200

    tls-crypt-v2: add script hook to verify metadata

    To allow rejecting incoming connections very early in the handshake, add a
    --tls-crypt-v2-verify option that allows administrators to run an external
    command to verify the metadata from the client key. See doc/tls-crypt-v2.txt
    for more details.

    Because of the extra dependencies, this requires adding a mock parse_line() to
    the tls-crypt unit tests. Also, this turns tls_wrap_free into a static inline
    function, so that we don't need to compile in ssl.c (and all of its
    dependencies) with the unit tests.

    Signed-off-by: Antonio Quartulli
    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-6-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17789.html
    Signed-off-by: David Sommerseth

commit 19dffdbde08f6b1ea5d32d429a255218d4304c66
Author: Steffan Karger
Date:   Mon Oct 22 13:45:14 2018 +0200

    tls-crypt-v2: implement tls-crypt-v2 handshake

    This makes clients send-and-use, and servers receive-unwrap-and-use
    tls-crypt-v2 client keys, which completes the on-the-wire work.

    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-5-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17787.html
    Signed-off-by: David Sommerseth

commit 283290bf77dbc6c1c23deddd6145e74576bf79f1
Author: Steffan Karger
Date:   Mon Oct 22 13:45:13 2018 +0200

    tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode

    Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
    messages.

    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-4-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17790.html
    Signed-off-by: David Sommerseth

commit a98a56768fdb652664dd10e09037a05f96494b23
Author: Steffan Karger
Date:   Mon Oct 22 13:45:12 2018 +0200

    tls-crypt-v2: add unwrap_client_key

    Add helper functions to unwrap tls-crypt-v2 client keys.

    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-3-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17791.html
    Signed-off-by: David Sommerseth

commit 9d59029a088b26b8dd50dc2523f87e2b38e4ab53
Author: Steffan Karger
Date:   Mon Oct 22 13:45:11 2018 +0200

    tls-crypt-v2: generate tls-crypt-v2 keys

    As a first step towards a full tls-crypt-v2 implementation, add functionality
    to generate tls-crypt-v2 client and server keys.

    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-2-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17792.html
    Signed-off-by: David Sommerseth

commit 6394cba7b5b11974b0159891f2bf65164775c6c0
Author: Steffan Karger
Date:   Mon Oct 22 13:45:10 2018 +0200

    tls-crypt-v2: add specification to doc/

    This is a preliminary description of tls-crypt-v2. It should give a good
    impression about the reasoning and design behind tls-crypt-v2, but might need
    some polishing and updating.

    Signed-off-by: Steffan Karger
    Acked-by: Antonio Quartulli
    Message-Id: <1540208715-14044-1-git-send-email-steffan.karger@fox-it.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17788.html
    Signed-off-by: David Sommerseth
```
The patchset has been out on the mailing list for a while.
Antonio is currently reviewing it.