On 26.07.20 at 02:01, Arne Schwabe wrote:
> On 17.07.20 at 19:10, David Sommerseth wrote:
>> The --no-replay feature is considered to be a security weakness, which
>> was also highlighted during the OpenVPN 2.4 security audit [0]. This
>> option was added to the DeprecatedOptions[1] list and has been reported
>> as deprecated since OpenVPN 2.4.
>
> As a side note, removing this feature weakens the ability to use OpenVPN
> as a pure tunnel without crypto (--auth none, --cipher none and
> no-replay) since this removes the ability to disable replay protection
> when no authentication is enabled. (Replay protection without auth is
> silly as an attacker can just fake the replay id too.)
>
> Acked-By: Arne Schwabe
I have given that a bit of thought. But we need to decide if we want to
support unencrypted transport-only sessions or not in future. If we do not
want to support them, then applying this patch is fine; otherwise we
should restrict disabling no-replay to --auth none, and also --auth none
to --cipher none, basically:

  --cipher != none => auth none and no-replay forbidden
  --cipher == none => allows auth none and also no-replay
  --cipher none and auth none: warn if no-replay is used that it does
  not prevent replay attacks. But do not fail, since we would break a
  lot of setups.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
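The option-consistency rule proposed in the reply above (forbid --auth none and --no-replay unless --cipher none is set, and only warn for the fully unauthenticated, unencrypted case) can be written as a single check function. The following is an added illustration, not code from the OpenVPN project or from either author; the struct tunnel_opts, the enum check_result and the function names are hypothetical and do not correspond to OpenVPN's real option structures.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical subset of tunnel options; not OpenVPN's real struct options. */
struct tunnel_opts {
    const char *cipher;   /* value of --cipher, e.g. "AES-256-GCM" or "none" */
    const char *auth;     /* value of --auth, e.g. "SHA256" or "none" */
    bool no_replay;       /* true when --no-replay is present */
};

enum check_result {
    CHECK_OK,     /* configuration is consistent */
    CHECK_WARN,   /* accepted, but the operator is told why it is weak */
    CHECK_FAIL    /* refuse to start */
};

static bool is_none(const char *v)
{
    return v != NULL && strcmp(v, "none") == 0;
}

/*
 * Apply the rules from the reply:
 *   --cipher != none  => --auth none and --no-replay are forbidden
 *   --cipher == none  => --auth none and --no-replay are allowed
 *   --cipher none --auth none --no-replay => warn, but do not fail
 * 'msg' receives a human-readable explanation for the log.
 */
enum check_result check_replay_options(const struct tunnel_opts *o,
                                       char *msg, size_t msglen)
{
    if (!is_none(o->cipher)) {
        if (is_none(o->auth)) {
            snprintf(msg, msglen, "--auth none is only allowed together with --cipher none");
            return CHECK_FAIL;
        }
        if (o->no_replay) {
            snprintf(msg, msglen, "--no-replay is only allowed together with --cipher none");
            return CHECK_FAIL;
        }
        snprintf(msg, msglen, "ok");
        return CHECK_OK;
    }

    /* Unencrypted transport (--cipher none): both options are permitted. */
    if (o->no_replay && is_none(o->auth)) {
        snprintf(msg, msglen,
                 "WARNING: --cipher none --auth none --no-replay: this "
                 "configuration does not prevent replay attacks");
        return CHECK_WARN;
    }
    snprintf(msg, msglen, "ok (unencrypted transport)");
    return CHECK_OK;
}

/* Convenience wrapper: build the option struct from plain values. */
enum check_result check_replay_options_str(const char *cipher, const char *auth,
                                           bool no_replay)
{
    struct tunnel_opts o = { cipher, auth, no_replay };
    char msg[160];
    return check_replay_options(&o, msg, sizeof msg);
}

int main(void)
{
    /* Constructed sample configurations, not taken from any real deployment. */
    const struct tunnel_opts samples[] = {
        { "AES-256-GCM", "SHA256", false },
        { "AES-256-GCM", "none",   false },
        { "AES-256-GCM", "SHA256", true  },
        { "none",        "SHA256", true  },
        { "none",        "none",   true  },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char msg[160];
        enum check_result r = check_replay_options(&samples[i], msg, sizeof msg);
        printf("cipher=%s auth=%s no-replay=%d -> %d: %s\n",
               samples[i].cipher, samples[i].auth,
               (int)samples[i].no_replay, (int)r, msg);
    }
    return 0;
}
```

The check returns CHECK_WARN rather than CHECK_FAIL for the "--cipher none --auth none --no-replay" case for exactly the reason the reply gives: such setups exist, and failing hard would break them, whereas a logged warning still makes the absence of replay protection visible.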