The OpenVPN-NL lifecycle
The current release of OpenVPN-NL is based on:
Required cryptographic options:
- OpenVPN ciphers and cipher modes: AES-256-CBC, AES-256-GCM
- OpenVPN message digest/HMAC: SHA256
- TLS Cipher: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 or TLS-DHE-RSA-WITH-AES-256-CBC-SHA, with 2048-bit moduli for EDH or P-256 or P-384 for ECDH
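A configuration can be checked against this list before deployment. The following is an added example, not part of OpenVPN-NL or of the original page: it reads the cipher, auth and tls-cipher directives from a config file and reports any value outside the list above. The sample configs are constructed, names are compared exactly as listed, and the DH modulus size and ECDH curve are not checked because they are not visible in these directives.

```python
import shlex

# Allowlists copied from the "Required cryptographic options" list above.
ALLOWED = {
    "cipher": {"AES-256-CBC", "AES-256-GCM"},
    "auth": {"SHA256"},
    "tls-cipher": {
        "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
        "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
        "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
        "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
    },
}

# Constructed sample configs (not taken from any real deployment).
SAMPLE_OK = """\
# constructed sample
cipher AES-256-GCM
auth SHA256
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""
SAMPLE_BAD = """\
; constructed sample
cipher BF-CBC   # not on the list
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA
"""

def audit_config(text):
    """Return (line, directive, value) findings for an OpenVPN config text."""
    seen, findings = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # drops '#' comments
        if not tokens or tokens[0].startswith(";"):
            continue                               # blank or ';' comment line
        name = tokens[0].lstrip("-")               # tolerate a leading "--"
        if name not in ALLOWED:
            continue
        seen.add(name)
        # tls-cipher takes a colon-separated list; every entry must be allowed.
        values = tokens[1].split(":") if len(tokens) > 1 else ["<missing value>"]
        findings += [(lineno, name, v) for v in values if v not in ALLOWED[name]]
    # An unset directive falls back to the build's default, which this check
    # cannot see, so it is reported with line number 0.
    findings += [(0, name, "<not set>") for name in sorted(ALLOWED.keys() - seen)]
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_BAD):
        print(finding)
```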
OpenVPN-NL is available as compiled installable packages for the following platforms:
- Debian Linux (32 and 64-bit)
- Red Hat Enterprise Linux Server (32 and 64-bit)
- SUSE Linux Enterprise Server (32 and 64-bit)
- Ubuntu Linux LTS (32 and 64-bit)
- Microsoft Windows (7, 2008 Server, 2008 R2 Server, 8.1) (32 and 64-bit)
The source code is available as a tarball as well, but not supported.
The current release of the Deployment Advisory is Version 1.3
| Deployment Advisory | Release | State | Notes |
|---|---|---|---|
| OpenVPN-NL v1.3 | 2.4.6-nl2 | Current | This release is based on OpenVPN 2.4.6 and mbed TLS 2.9.0. This release contains security fixes for the tap-windows driver, the Windows interactive service and mbed TLS. (announcement) |
| | 2.4.4-nl1 | Deprecated | This release is based on OpenVPN 2.4.4 and mbed TLS 2.6.0. This release adds GCM mode, Control Channel encryption, better support for roaming clients and many other new features. (announcement) |
| | 2.3.9-nl4 | Deprecated | This release is based on OpenVPN 2.3.9 and PolarSSL 1.2.19. This release removes support for the less secure key-method 1 data channel key exchange. (announcement) |
| | 2.3.9-nl3 | Untrusted | This release is based on OpenVPN 2.3.9 and PolarSSL 1.2.19. A number of security issues in OpenVPN are fixed. (announcement) |
| | 2.3.9-nl2 | Untrusted | This release is based on OpenVPN 2.3.9 and PolarSSL 1.2.19. A number of minor security issues in both OpenVPN and PolarSSL are fixed. (announcement) |
| | 2.3.8-nl1 | Untrusted | This release is based on OpenVPN 2.3.8 and PolarSSL 1.2.15. A number of minor security issues in PolarSSL are fixed. (announcement) |
| | 2.3.5-nl3 | Untrusted | Fixes a remotely exploitable vulnerability in PolarSSL's ASN1 sequence parsing. (announcement) |
| | 2.3.5-nl2 | Untrusted | New fix for a denial-of-service vulnerability in OpenVPN-NL server control channel message parsing. This release is based on OpenVPN 2.3.5. (announcement) |
| | 2.3.5-nl1 | Untrusted | New PolarSSL (1.2.12), which includes a fix for a denial-of-service vulnerability in X509 parsing. This release is based on OpenVPN 2.3.5. (announcement) |
| | 2.3.4-nl1 | Untrusted | New PolarSSL (1.2.11), which includes a fix for a denial-of-service vulnerability when GCM TLS cipher suites are used. This release is based on OpenVPN 2.3.4. (announcement) |
| | 2.3.2-nl2 | Untrusted | New PolarSSL (1.2.10), which includes a fix for a possible side-channel attack. This release is based on OpenVPN 2.3.2. (announcement) |
| | 2.3.2-nl1 | Untrusted | New PolarSSL (1.2.8), which includes a fix for a denial-of-service exploit during a TLS handshake. This release is based on OpenVPN 2.3.2. (announcement) |
| | 2.3.1-nl1 | Untrusted | New OpenVPN-NL release, based on OpenVPN 2.3.1. This release upgrades PolarSSL to version 1.2.6 and adds support for AES-GCM TLS ciphers. (announcement) |
| OpenVPN-NL v1.2 | 2.1.4-fox6 | Untrusted | New PolarSSL RNG based on multiple entropy sources; deployment advisory updated with a new section about virtual machines. (announcement) |
| OpenVPN-NL v1.1 | 2.1.4-fox5 | Untrusted | Deployment advisory update: advises against the use of OpenVPN-NL on virtual machines, pending investigation. (announcement) |
| OpenVPN-NL v1.0 | 2.1.4-fox5 | Untrusted | Initial release. Secure on bare metal PCs; random number generation may be insecure on certain virtual machines. |
The following events can trigger new releases:
- A new release of one of the packages on which OpenVPN-NL is based
- A new release of one of the platforms for which OpenVPN-NL is packaged
Releases which address security issues will be released as quickly as possible; other releases will be dealt with at a more planned pace.
In line with the upstream OpenVPN policy, new releases of OpenVPN-NL will, if possible, be backwards compatible in the sense that two different OpenVPN(-NL) releases can connect to one another (they do not break the protocol), and that new OpenVPN(-NL) releases can read the configuration files of older versions of OpenVPN(-NL).
When a new release of OpenVPN-NL is available, this will always be announced through the OpenVPN-NL mailing list. This is a low-volume read-only mailing list for this purpose only. Announcements include a statement on whether the new release addresses security issues.
New upstream OpenVPN releases
New upstream OpenVPN releases may add new functionality. While the basic attitude is to adopt these new functions into OpenVPN-NL, this is not guaranteed. Some new functionality may not be adopted for practical or security reasons.
- A note on practical reasons: Version 2.3 of OpenVPN includes most of the improvements that defined the difference between OpenVPN 2.1.4 and OpenVPN-NL. This means that from version 2.3 of OpenVPN onwards, new features of the main OpenVPN branch can and will be adopted rather generously into OpenVPN-NL.
- A note on security reasons: OpenVPN-NL is packaged in such a way that many configurations the NBV advises against are not supported. This means for example that various older cryptographic functions are not supported, and that null-encryption is also not supported. Should a new version of the OpenVPN branch include functionality that NBV advises against, it is very likely that those functions will not be adopted into OpenVPN-NL.
New and old releases of a Linux platform
If one of the supported Linux platforms has a new release, the following will happen:
- The next release of OpenVPN-NL will include support for the new version of that platform. If the time between the platform release and the next OpenVPN-NL release is expected to be more than three months, an extra release of OpenVPN-NL for that platform only will be made.
- In the first six months after the new release of the platform, new releases of OpenVPN-NL will also be packaged for the old release of that Linux platform. After those six months, new OpenVPN-NL releases will no longer be packaged for the old release of that Linux platform.
Given the way that OpenVPN-NL is compiled and packaged, it is not unlikely that the package of a newer platform release will work on the older release of that platform.
Windows: special notes on XP, Vista, 10 and future versions
Compared to Linux, Windows is a rather complicated platform to build packages for. Counted in man-hours of work, the majority of time is dedicated to supporting the Windows platform. The Windows release of OpenVPN will be tested against 7, 2008 Server, and 8.1.
- XP: It should be noted that XP reached its end of support on April 8, 2014. OpenVPN-NL 2.3.9-nl4 is the last version to run on Windows XP.
- Vista: The releases will not be tested against Vista, but are not unlikely to work. However, no effort will be made to solve any problems which are specific to Vista.
- 10: Not supported yet.
- Future Windows versions: Whether a new Windows version will result in actions to ensure that OpenVPN-NL will work on that version of Windows will be decided on a case-by-case basis.
The source code of OpenVPN-NL finds its way to the public via two channels:
- All modifications of OpenVPN-NL to upstream OpenVPN are submitted to the open source OpenVPN community. Most of the bigger patches have found their way into the upstream OpenVPN 2.3 branch. Some smaller patches, typically those that reduce functionality (e.g. reduce the available cryptographic algorithms) will at most find their way to the "contrib" repositories.
- For all OpenVPN-NL releases which are available for download, the source code of that version will be made available. The positive evaluation of the NBV applies only to the binaries which are distributed via the OpenVPN-NL website. One may choose to compile OpenVPN-NL oneself, but the assessment of the NBV is not warranted for any self-compiled version. The source code of OpenVPN-NL is distributed in this manner as a courtesy to the professional who really knows what he is doing, and also to comply with the copyright licence which applies to the source code (GPLv2).
A specific release for a platform is always in one of the following three states:
- Current: this release is up-to-date. This one is the recommended release for that platform.
- Deprecated: this is an old version of OpenVPN-NL for that platform, which is not up-to-date, but has no known security issues. If a current version exists for the platform, that version is recommended for general reasons. There are no security-related reasons to advise against using a deprecated version.
- Untrusted/insecure: this is an old release of OpenVPN-NL, for which reasons exist to very strongly advise against using it. There are two typical cases:
  - The release has diverged so much from the current version of OpenVPN-NL that it is no longer practical to determine whether a vulnerability found in a current (or deprecated) release applies to the old release.
  - The version has known vulnerabilities or is for other reasons sufficiently suspect to very strongly advise against using it.
The state of a release always moves down, and may skip the deprecated state. For example, a current release might directly become untrusted/insecure, skipping the deprecated state. A release in the deprecated state may quickly advance into the untrusted/insecure state.
On the OpenVPN-NL website, current and deprecated releases will be available for download, but untrusted/insecure versions and their corresponding source code will never be available for download. Untrusted/insecure versions or corresponding source code will also not be available via other channels from NBV or Fox-IT.
System administrators who for some reason are dependent on a specific release of OpenVPN should be aware that it may become untrusted/insecure at some time in the future. Workarounds might exist which mitigate the vulnerabilities in a specific context to some extent. However, such an untrusted/insecure release will no longer be available for download, so an administrator who heavily depends on such a particular release might choose to pre-emptively hold a backup of the OpenVPN-NL release. Nevertheless, under all circumstances, NBV advises using a current OpenVPN-NL release.
When an OpenVPN-NL release moves into the untrusted/insecure state, this will be announced on the OpenVPN-NL mailing list. This announcement will typically be complemented with the announcement of a new release.