On 23/08/13 09:01, Gert Doering wrote:
> Hi,
> 
> On Thu, Aug 22, 2013 at 11:38:50PM +0200, David Sommerseth wrote:
>> However, I understand that some firmware "vendors" don't have the same 
>> "quick" turn-over as RHEL does.  So I think I would rather let these old 
>> firmwares run OpenVPN 2.0 or 2.1 and let them support their own ancient 
>> code base on their own.  We need to move forward and not cling to the old 
>> days forever.
> 
> This is not about "our source does not compile with 0.96 anymore" - 
> it's about "2.3 with the TLS changes does not *talk* to OpenVPN 
> 2.2-compiled-with-0.96 anymore"

Fully understood!

> (so asking the router vendors to
> use OpenVPN 2.1 or 2.0 instead won't exactly improve things as the
> TLS handshake code would be the same).
> 
> If this hits two users out of the whole Android user base, I tend to
> "well, bad luck, get your router firmware updated"

Well, that was actually _exactly_ what I meant :)

> - if it hits more "mainstream" users, we'll need to have a better
> answer.

I generally have no bad feelings if we state publicly that OpenVPN
doesn't support any older OpenSSL libraries than 0.9.8 (or 0.9.7, if
insisting hard), even if OpenVPN compiles with them.  Running anything
that old is a security risk (and has been for quite a while [1]).  So I
see no reason why we should make it easier for anyone in these cases.
We've ditched Win2k and RHEL4 support for similar convenience reasons as
well.


[1] Last update to 0.9.6 was in March 2004
    Last update to 0.9.7 was in Feb 2007.
    0.9.8 and newer are getting updates.
    <https://www.openssl.org/source/>


-- 
kind regards,

David Sommerseth
