Accept TLSVersionMin in OpenVPN ONC parameters
Reported by j...@voxilate.com, Apr 1 2017
Issue description

Chrome Version: 57.0.2987.137
Chrome OS Version: 9202.60.0 stable-channel Gawdy
Chrome OS Platform: Acer CB3-131
Network info: N/A
OpenVPN version: 2.3.2 (built just last week, though!)

The version of OpenVPN being built on ChromeOS is 10 versions behind and does not support TLS auth higher than 1.0. It should support a minimum TLS version and there should be a way to pass this value to the command line via onc file.

Steps To Reproduce:
1) Configure VPN to connect to an OpenVPN server that requires TLS 1.2 auth.
2) Configure VPN to connect to an OpenVPN server with no requirement.
3) Run openvpn against a config file at the command line with tls-version-min.
4) Run openvpn --version.

Expected Result: Openvpn should be upgraded to 2.3.14 (released in March 2016, super-stable) and Google Chromebook users should be able to successfully authenticate with VPN servers using TLS 1.2 or higher. There should also be a way to pass tls-version-min from an onc file.

Actual Result: ChromeOS openvpn client won't connect to a server that requires TLS 1.2 plus, not just because there's no option in the onc file, but also because the binary itself is not new enough to understand the connection. The only way you can support Chromebook users, in this case, is to drop the TLS 1.2+ requirement (and openvpn on the client defaults to 1.0), which is suboptimal.

Reproducible: Yes.

Workarounds: Developers can update openvpn themselves, but this isn't feasible for non-techies. I get the impression from reading bugs that there's no push to allow for easy configuration of OpenVPN for non-techies, which is a shame...but we can work (painfully) around that. *However*, forcing administrators to drop their security requirements or drop Chromebooks is...even more suboptimal.
Apr 30 2017
> Just to clarify: are you planning to pass this in by manually importing an .onc file from chrome://net-internals ?

Yep.

> I have opened bug 716913 to track the upgrade to openvpn 2.4.x, since there is another feature we need from that branch. Will use this bug to track the ONC and DBUS plumbing for whatever new connection parameters we add after updating the package.

Awesome, thanks. Not sure if you folks are tracking it, but a security audit of OpenVPN 2.4.0 was completed a few weeks ago: https://ostif.org/the-audit-of-openvpn-is-complete/ The audit results are still private, pending release of 2.4.2 - so 2.4.2 is likely what you're going to want to take if it's available (or 2.4.1, which includes some fixes for issues discovered during audit, then be sure to upgrade to 2.4.2 when it's out).
Nov 3 2017
Nov 3 2017
Hi Matthew, would you mind taking a look at this? We're now using the latest OpenVPN (2.4.4) but TLSVersionMin still needs to be plumbed up through ONC, similar to ExtraHosts.
Nov 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/system_api/+/56afcde692b1218a2dc82e18794e58de5720d3f3

commit 56afcde692b1218a2dc82e18794e58de5720d3f3
Author: Matthew Wang <matthewmwang@chromium.org>
Date: Sat Nov 04 04:56:47 2017

system_api: adding constant for OpenVPN.TLSVersionMin support

Adding kOpenVPNTLSVersionMin constant

BUG= chromium:707517
TEST=Unit tests still work
Change-Id: I3e23c75e4e482d59eed5909f0af7729a22b5d862
Reviewed-on: https://chromium-review.googlesource.com/753427
Commit-Ready: Matthew Wang <matthewmwang@chromium.org>
Tested-by: Matthew Wang <matthewmwang@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/56afcde692b1218a2dc82e18794e58de5720d3f3/dbus/shill/dbus-constants.h
Dec 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/5fbc09c74459b2f8f9ae11205ebbc0bb91d1dfdb

commit 5fbc09c74459b2f8f9ae11205ebbc0bb91d1dfdb
Author: Matthew Wang <matthewmwang@chromium.org>
Date: Fri Dec 22 02:08:56 2017

shill: vpn: Shill support for OpenVPN.TLSVersionMin

Adds OpenVPN support for minimum TLS version.

BUG= chromium:707517
TEST=Unit tests pass
CQ-DEPEND=CL:753427
Change-Id: Id6954f4871882372154a731adf0fa51525d73d43

[modify] https://crrev.com/5fbc09c74459b2f8f9ae11205ebbc0bb91d1dfdb/vpn/openvpn_driver.cc
[modify] https://crrev.com/5fbc09c74459b2f8f9ae11205ebbc0bb91d1dfdb/doc/service-api.txt
[modify] https://crrev.com/5fbc09c74459b2f8f9ae11205ebbc0bb91d1dfdb/vpn/openvpn_driver_unittest.cc
Dec 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b75a4cecd83e7de933f7721dcc05417bc133fea2

commit b75a4cecd83e7de933f7721dcc05417bc133fea2
Author: Matthew Wang <matthewmwang@chromium.org>
Date: Fri Dec 22 04:11:30 2017

ONC: Add TLSVersionMin property to OpenVPN

Support minimum TLS minimum version for OpenVPN.

BUG= 707517
TEST=chromeos_unittests
TEST=networkingPrivate
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I7e98ed41edc9ad22e020d357fe82810500e1feda
Reviewed-on: https://chromium-review.googlesource.com/838423
Commit-Queue: Matthew Wang <matthewmwang@chromium.org>
Reviewed-by: Toni Barzic <tbarzic@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525926}

[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/network/onc/onc_signature.cc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/network/onc/onc_translation_tables.cc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/test/data/network/openvpn_clientcert_with_cert_pems.onc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/test/data/network/openvpn_with_password.onc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/test/data/network/shill_openvpn.json
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/test/data/network/shill_openvpn_clientcert.json
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/chromeos/test/data/network/valid_openvpn_with_cert_pems.onc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/components/onc/docs/onc_spec.md
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/components/onc/onc_constants.cc
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/components/onc/onc_constants.h
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/extensions/common/api/networking_private.idl
[modify] https://crrev.com/b75a4cecd83e7de933f7721dcc05417bc133fea2/third_party/closure_compiler/externs/networking_private.js
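The original report asks for two things: an ONC property for the minimum TLS version, and a client binary new enough to honour it on the command line; the revisions above add the `TLSVersionMin` property and plumb it through shill. The following is an added illustration, not shill's or Chromium's code, of what that plumbing has to do: read the OpenVPN section of an ONC document, validate `TLSVersionMin`, refuse to silently drop it when the installed openvpn is too old, and otherwise emit `--tls-version-min` on the argument list. The ONC keys `Host`, `Port` and `Proto` are real ONC OpenVPN properties; the sample ONC document, the version string and the assumption that `--tls-version-min` exists from OpenVPN 2.3.3 onward are the example's own.

```python
import json
import re
from typing import List, Tuple

# Constructed ONC document for the example (not from the bug report).
SAMPLE_ONC = json.dumps({
    "Type": "UnencryptedConfiguration",
    "NetworkConfigurations": [{
        "GUID": "example-vpn-guid",
        "Name": "Example VPN",
        "Type": "VPN",
        "VPN": {
            "Type": "OpenVPN",
            "Host": "vpn.example.com",
            "OpenVPN": {
                "Port": 1194,
                "Proto": "udp",
                "TLSVersionMin": "1.2",
            },
        },
    }],
})

# Values accepted for TLSVersionMin; they map directly onto openvpn's
# --tls-version-min argument.
VALID_TLS_MIN = ("1.0", "1.1", "1.2")

# Assumption: --tls-version-min first shipped in OpenVPN 2.3.3, so the 2.3.2
# client in the report cannot honour it no matter what the ONC file says.
MIN_VERSION_WITH_TLS_MIN = (2, 3, 3)


def parse_openvpn_version(version_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the first line of `openvpn --version`.

    Assumes the real output shape 'OpenVPN 2.4.4 x86_64-pc-linux-gnu ...'.
    """
    m = re.match(r"OpenVPN\s+(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        raise ValueError("unrecognised openvpn --version output")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def onc_openvpn_to_args(onc_json: str, openvpn_version: Tuple[int, int, int]) -> List[str]:
    """Build the openvpn argument list for every OpenVPN network in an ONC document.

    If the document sets TLSVersionMin but the client binary predates
    --tls-version-min, fail loudly rather than connect with a weaker floor:
    that is exactly the silent downgrade the report complains about.
    """
    doc = json.loads(onc_json)
    args: List[str] = []
    for net in doc.get("NetworkConfigurations", []):
        vpn = net.get("VPN", {})
        if net.get("Type") != "VPN" or vpn.get("Type") != "OpenVPN":
            continue
        ovpn = vpn.get("OpenVPN", {})
        args += ["--client", "--remote", vpn["Host"],
                 str(ovpn.get("Port", 1194)), ovpn.get("Proto", "udp")]

        tls_min = ovpn.get("TLSVersionMin")
        if tls_min is None:
            continue  # property absent: openvpn's own default applies
        if tls_min not in VALID_TLS_MIN:
            raise ValueError(f"TLSVersionMin must be one of {VALID_TLS_MIN}, got {tls_min!r}")
        if openvpn_version < MIN_VERSION_WITH_TLS_MIN:
            raise RuntimeError(
                "openvpn %d.%d.%d does not support --tls-version-min; "
                "upgrade the client before enforcing TLSVersionMin" % openvpn_version)
        args += ["--tls-version-min", tls_min]
    return args


if __name__ == "__main__":
    # Constructed version banner standing in for the output of `openvpn --version`.
    version = parse_openvpn_version("OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]")
    print(" ".join(["openvpn"] + onc_openvpn_to_args(SAMPLE_ONC, version)))
```

The check against the binary's version is the part worth keeping: an ONC property that is accepted by the importer but dropped on the way to the command line leaves the administrator believing TLS 1.2 is enforced when the client still negotiates 1.0.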
Jan 2 2018
Comment 1 by cernekee@chromium.org, Apr 30 2017
Cc: cernekee@chromium.org
Labels: -Type-Bug ChromeOsVpn Type-Feature
Summary: Accept TLSVersionMin in OpenVPN ONC parameters (was: Update OpenVPN 2.3.2 to stable 2.3.14 to support TLS v1.2+ & accept TLSVersionMin in ONC parameters)