git: 0a512a27a188 - 2021Q4 - security/openvpn: deprecate tunnelblick

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Sun, 12 Dec 2021 11:30:01 UTC
The branch 2021Q4 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0a512a27a18872541a55fa9b0bf87787a4d14a3d

commit 0a512a27a18872541a55fa9b0bf87787a4d14a3d
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-12-12 10:55:48 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-12-12 11:29:23 +0000

    security/openvpn: deprecate tunnelblick
    
    While here, shorten LZO_DESC to fit 80x24 dialogs.
    
    (cherry picked from commit bedfd042b988444cb311f477d5cf1e4457ead29f)
---
 security/openvpn/Makefile | 12 ++++++------
 security/openvpn/pkg-help | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 62b50ea7cc1c..4bb6b3093932 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -43,11 +43,11 @@ OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 ASYNC_PUSH_DESC=	Enable async-push support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
-LZO_DESC=		LZO compression support (incompatible with LibreSSL)
+LZO_DESC=		LZO compression (incompatible with LibreSSL)
 MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
 PKCS11_DESC=		Use security/pkcs11-helper (OpenSSL only)
 SMALL_DESC=		Build a smaller executable with fewer features
-TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
+TUNNELBLICK_DESC=	XOR scrambling patch - DEPRECATED!
 UNITTESTS_DESC=		Enable unit tests
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
 
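Review bot: the new TUNNELBLICK_DESC drops the old "READ HELP!" pointer, so a user in the options dialog no longer learns that pkg-help carries the removal date and the recommended alternatives; consider keeping a short hint, e.g. `TUNNELBLICK_DESC=	XOR scrambling patch - DEPRECATED! (see help)`, if it still fits the 80x24 width the LZO_DESC change in this hunk is trimming for.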
@@ -119,11 +119,11 @@ pre-everything::
 	@${SHELL} -c 'exit 1'
 .endif
 
-.if !empty(PORT_OPTIONS:MMBEDTLS)
+.if !empty(PORT_OPTIONS:MMBEDTLS) || !empty(PORT_OPTIONS:MTUNNELBLICK)
 pre-everything::
-	@${ECHO_CMD} >&2 "====================================================="
-	@${ECHO_CMD} >&2 "Note that the mbedTLS option will go away 2022-03-31."
-	@${ECHO_CMD} >&2 "====================================================="
+	@${ECHO_CMD} >&2 "======================================================================"
+	@${ECHO_CMD} >&2 "Note that the mbedTLS and Tunnelblick options will go away 2022-03-31."
+	@${ECHO_CMD} >&2 "======================================================================"
 .endif
 
 post-patch:
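Review bot: the removal date 2022-03-31 is now hard-coded here and again in pkg-help ("TO BE REMOVED END OF 2022-03-31 LATEST"), so the two can drift if the date slips; at minimum make the pre-everything message point at pkg-help so only one place needs the date, or define it once in a Makefile variable and use that in the echo lines. Since the target now fires for either option, a user who selected only TUNNELBLICK is also told the mbedTLS option is going away; that is acceptable for a warning, but a per-option message would be clearer.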
diff --git a/security/openvpn/pkg-help b/security/openvpn/pkg-help
index 9fd1cd9567bd..f770021373b2 100644
--- a/security/openvpn/pkg-help
+++ b/security/openvpn/pkg-help
@@ -1,3 +1,5 @@
+DEPRECATED FEATURE - TO BE REMOVED END OF 2022-03-31 LATEST
+
 Note that "Tunnelblick" is a controversial option.
 It is included for compatibility, not enabled by default,
 and should only be used with due consideration, and it should not
@@ -8,3 +10,18 @@ option, neither to the --help output, nor the manual page.
 
 Please see this website for a more detailed discussion:
 https://tunnelblick.net/cOpenvpn_xorpatch.html
+
+The essence is that there are alternatives proposed that can avoid
+this patch:
+
+The OpenVPN developers "do not encourage people building their own
+versions of OpenVPN changing the wire-protocol like this, without the
+patch being through a proper patch review and having evaluated possible
+security risks related to such a change.
+  And we especially discourage using such an approach when there exists
+a far better solution, used by the TOR community. It is called obfsproxy
+and can be used together with OpenVPN without needing any re-compilation
+of OpenVPN."
+
+https://community.openvpn.net/openvpn/wiki/TrafficObfuscation
+https://2019.www.torproject.org/docs/pluggable-transports
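Review bot: the lead sentence "there are alternatives proposed that can avoid this patch:" ends in a colon but is followed by a quotation about why unreviewed wire-protocol changes are discouraged rather than by the alternatives themselves; consider rewording to something like "The OpenVPN developers discourage this patch and recommend obfsproxy instead:" so the colon introduces the quote. The stray two-space indent on the "  And we especially discourage" line inside the quotation should either be dropped or the quote marked as verbatim from the wiki. The security point the quote makes, that the XOR patch changes the wire protocol without patch review or an evaluation of its security risks, is the actual reason for the deprecation and would be worth stating briefly in the banner at the top of the file as well.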