Date: Wed, 20 Aug 2025 18:04:19 GMT
Message-Id: <202508201804.57KI4JfY088752@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: acfe37ddd77d - main - security/openvpn: remove 2048-bit legacy Diffie Hellman
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: acfe37ddd77db77a7858be8d46892fce3151498d

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acfe37ddd77db77a7858be8d46892fce3151498d

commit acfe37ddd77db77a7858be8d46892fce3151498d
Author:     Matthias Andree
AuthorDate: 2025-08-20 17:47:38 +0000
Commit:     Matthias Andree
CommitDate: 2025-08-20 18:01:45 +0000

security/openvpn: remove 2048-bit legacy Diffie Hellman

I received a fallout complaint from i386 FreeBSD 15-PRERELEASE builders that, as of now, has no other explanation than a tightened (if intermediately) SECLEVEL on that machine, and that's due to Diffie-Hellman 2048 bit parameters, and self-tests are failing with stereotypical "ee key too small" and "dh key too small".

While it's not clear what the exact cause of the failure is and if we had a glitch in the OpenSSL 3.5.1 import (Enji updated the main branch to 3.5.2 shortly after), let's modernize the setup a bit.
Fallout and Builder logs (I take it the 2nd URL states that the FreeBSD src branch was at commit c6778f3a442):

https://pkg-status.freebsd.org/beefy17/data/main-i386-default/p98b748365fe6_sc6778f3a442/logs/openvpn-2.6.14.log
https://pkg-status.freebsd.org/beefy17/build.html?mastername=main-i386-default&build=p98b748365fe6_sc6778f3a442

2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 Note: dev-type not tun, disabling data channel offload.
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 GDG: problem writing to routing socket: Invalid argument (errno=22)
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018A:SSL routines::dh key too small:
2025-08-20 11:46:39 SSL_CTX_set0_tmp_dh_pkey
2025-08-20 11:46:39 Exiting due to fatal error
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018F:SSL routines::ee key too small:
2025-08-20 11:46:39 Cannot load inline certificate file
2025-08-20 11:46:39 Exiting due to fatal error
FAIL: t_cltsrv.sh

That prompted upstream to file a bug and the suggestion to strip dh2048.pem from installing the demo file and sample configuration should not affect existing setups, however, if someone would have used the shipped dh2048.pem file, that would have to be regenerated with openssl dhparam -out dh2048.pem 2048.

https://github.com/OpenVPN/openvpn/issues/819
https://gerrit.openvpn.net/c/openvpn/+/1145

Upstream changelog, as of v3 of the latter:

| Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
|
| Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed to use
| '--dh none' to disable traditional Diffie Hellman, since more secure
| ECDH algorithms are available that do not use explicit DH parameters.
|
| If configured with a sufficiently high securelevel (3+), or if running in
| FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests
| fail.
|
| Thus, remove all the DH2048 stuff from our sample configs.

Obtained from: Gert Doering

While here, delete files/patch-src_plugins_auth-pam_auth-pam.c because upstream (namely Antonio Quartulli) had fixed that omission in v2.6-beta1 already (in 2022, as of OpenVPN's commit 0fed64a91d894b46).

Nobody has been able yet to reproduce the test failure other than by forcing SECLEVEL=3, so let's just push this and see if we receive pkg-fallout again next time i386 gets its ports built. Upstream considers the patch necessary anyways, so let's not waste too much time on testing on a dying system.
---
 security/openvpn/Makefile                             |  3 ++-
 .../patch-doc_man-sections_generic-options.rst        |  4 ++--
 .../files/patch-doc_tests_authentication-plugins.md   | 11 +++++++++++
 ...tch-sample__sample-config-files__loopback-client   | 13 -------------
 ...tch-sample__sample-config-files__loopback-server   | 12 ++++++++++--
 ...patch-sample_sample-config-files_loopback-client   | 13 +++++++++++++
 .../patch-sample_sample-config-files_server.conf      | 21 +++++++++++++++++++++
 ...lugins_keying-material-exporter-demo_server.ovpn   | 11 +++++++++++
 .../files/patch-src_plugins_auth-pam_auth-pam.c       | 10 ----------
 9 files changed, 70 insertions(+), 28 deletions(-)
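The "dh key too small" line in the builder log is OpenSSL's security level comparing the size of the DH modulus against the minimum security bits that level demands. The following Python script is an added example, not code from this commit, from OpenVPN or from OpenSSL: it parses a PEM "DH PARAMETERS" file (the PKCS#3 DER structure SEQUENCE { INTEGER p, INTEGER g }), converts the modulus size with the ladder OpenSSL's BN_security_bits() uses (1024 → 80, 2048 → 112, 3072 → 128, 7680 → 192, 15360 → 256 bits) and reports whether a given SECLEVEL would accept it, using the level minimums documented in SSL_CTX_set_security_level(3) (level 1: 80, 2: 112, 3: 128, 4: 192, 5: 256 bits). All function names are this example's own, and the sample parameters it builds are constructed to have the right size only; they are not safe primes and exist solely so the check runs offline. To inspect a real file, feed it the contents of your dh2048.pem (or compare with `openssl dhparam -in dh2048.pem -text -noout`).

```python
"""Check whether a PEM "DH PARAMETERS" file passes a given OpenSSL security level.

Added example (not OpenVPN or OpenSSL code). Parses the PKCS#3 DER structure
SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] } and applies
OpenSSL's BN_security_bits() ladder and the SSL_CTX_set_security_level(3)
minimums. Standard library only.
"""
import base64
import re

# Minimum security bits demanded by each OpenSSL security level
# (SSL_CTX_set_security_level(3)); level 0 accepts everything.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def dh_security_bits(modulus_bits):
    """OpenSSL's BN_security_bits() estimate for a finite-field modulus (DH or RSA)."""
    for threshold, bits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= threshold:
            return bits
    return 0


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem_text):
    """Extract and base64-decode the DH PARAMETERS block from PEM text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_dh_params(der):
    """Return (p, g) from a DER-encoded PKCS#3 DHParameter."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DHParameter must be a SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER inside DHParameter")
        ints.append(int.from_bytes(v, "big", signed=True))
    if len(ints) < 2 or ints[0] <= 0:
        raise ValueError("DHParameter needs a positive p and a g")
    return ints[0], ints[1]


def check_dh_params(pem_text, seclevel):
    """Report modulus size, security bits and whether `seclevel` would accept the file."""
    p, g = parse_dh_params(pem_to_der(pem_text))
    modulus_bits = p.bit_length()
    have = dh_security_bits(modulus_bits)
    need = SECLEVEL_MIN_BITS[seclevel]
    return {"modulus_bits": modulus_bits, "generator": g, "security_bits": have,
            "required_bits": need, "accepted": have >= need}


# --- constructed sample input (a tiny DER encoder used only to build test files) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n):
    # (bit_length + 8) // 8 octets yields a leading 0x00 exactly when the top bit is set
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def make_sample_dh_pem(bits, generator=2):
    """Constructed sample: a modulus of the requested size (NOT a safe prime; size checks only)."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(generator)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    for size in (2048, 3072):
        pem = make_sample_dh_pem(size)
        for level in (2, 3):
            r = check_dh_params(pem, level)
            verdict = "ok" if r["accepted"] else "dh key too small"
            print(f"{size}-bit DH at SECLEVEL={level}: {r['security_bits']} >= {r['required_bits']} bits? {verdict}")
```

At level 2 a 2048-bit modulus carries 112 bits and passes; at level 3 the requirement is 128 bits, so 2048 is refused and only 3072 or larger passes, which matches what the i386 builder hit. OpenSSL applies the same ladder to the RSA modulus of the end-entity certificate, which is the "ee key too small" line in the same log, so a sample certificate with a 2048-bit RSA key fails at level 3 just like the DH file does.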
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index c771eea03b22..7c44e64f7dba 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,6 +1,6 @@ PORTNAME= openvpn DISTVERSION= 2.6.14 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ @@ -105,6 +105,7 @@ pre-everything:: .endif post-patch: + ${RM} sample/sample-keys/dh2048.pem # no longer needed ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ ${WRKSRC}/sample/sample-config-files/*.conf \ diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst index 295f20cd7f1f..28c93860b329 100644 --- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst +++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst @@ -1,6 +1,6 @@ ---- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC +--- doc/man-sections/generic-options.rst.orig 2025-04-02 06:53:10 UTC +++ doc/man-sections/generic-options.rst -@@ -507,5 +507,8 @@ which mode OpenVPN is configured as. +@@ -514,5 +514,8 @@ --user user since it is usually used by other system services already. Always create a dedicated user for openvpn. diff --git a/security/openvpn/files/patch-doc_tests_authentication-plugins.md b/security/openvpn/files/patch-doc_tests_authentication-plugins.md new file mode 100644 index 000000000000..d680c64019f7 --- /dev/null +++ b/security/openvpn/files/patch-doc_tests_authentication-plugins.md 
@@ -0,0 +1,11 @@ +--- doc/tests/authentication-plugins.md.orig 2025-04-02 06:53:10 UTC ++++ doc/tests/authentication-plugins.md +@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run: + verb 4 + dev tun + server 10.8.0.0 255.255.255.0 +- dh sample/sample-keys/dh2048.pem ++ dh none + ca sample/sample-keys/ca.crt + cert sample/sample-keys/server.crt + key sample/sample-keys/server.key diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-client b/security/openvpn/files/patch-sample__sample-config-files__loopback-client deleted file mode 100644 index 0b485a641d8a..000000000000 --- a/security/openvpn/files/patch-sample__sample-config-files__loopback-client +++ /dev/null @@ -1,13 +0,0 @@ ---- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC -+++ sample/sample-config-files/loopback-client -@@ -9,8 +9,8 @@ - # ./openvpn --config sample-config-files/loopback-client (In one window) - # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) - --rport 16000 --lport 16001 -+rport 16100 -+lport 16101 - remote localhost - local localhost - dev null diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server index 58691b133de7..3eac712d9054 100644 --- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server +++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server @@ -1,6 +1,6 @@ ---- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC +--- sample/sample-config-files/loopback-server.orig 2025-04-02 06:53:10 UTC +++ sample/sample-config-files/loopback-server -@@ -9,8 +9,8 @@ +@@ -9,15 +9,15 @@ # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) 
@@ -11,3 +11,11 @@ remote localhost local localhost dev null + verb 3 + reneg-sec 10 + tls-server +-dh sample-keys/dh2048.pem ++dh none + ca sample-keys/ca.crt + key sample-keys/server.key + cert sample-keys/server.crt diff --git a/security/openvpn/files/patch-sample_sample-config-files_loopback-client b/security/openvpn/files/patch-sample_sample-config-files_loopback-client new file mode 100644 index 000000000000..5726f12af605 --- /dev/null +++ b/security/openvpn/files/patch-sample_sample-config-files_loopback-client @@ -0,0 +1,13 @@ +--- sample/sample-config-files/loopback-client.orig 2025-04-02 06:53:10 UTC ++++ sample/sample-config-files/loopback-client +@@ -12,8 +12,8 @@ + # this config file has the crypto material (cert, key, ..) "inlined", + # while the "server" config has it as external reference - test both paths + +-rport 16000 +-lport 16001 ++rport 16100 ++lport 16101 + remote localhost + local localhost + dev null diff --git a/security/openvpn/files/patch-sample_sample-config-files_server.conf b/security/openvpn/files/patch-sample_sample-config-files_server.conf new file mode 100644 index 000000000000..ba2194589405 --- /dev/null +++ b/security/openvpn/files/patch-sample_sample-config-files_server.conf @@ -0,0 +1,21 @@ +--- sample/sample-config-files/server.conf.orig 2025-04-02 06:53:10 UTC ++++ sample/sample-config-files/server.conf +@@ -87,11 +87,6 @@ key server.key # This file should be kept secret + cert server.crt + key server.key # This file should be kept secret + +-# Diffie hellman parameters. +-# Generate your own with: +-# openssl dhparam -out dh2048.pem 2048 +-dh dh2048.pem +- + # Allow to connect to really old OpenVPN versions + # without AEAD support (OpenVPN 2.3.x or older) + # This adds AES-256-CBC as fallback cipher and +@@ -307,4 +302,4 @@ verb 3 + + # Notify the client that when the server restarts so it + # can automatically reconnect. +-explicit-exit-notify 1 +\ No newline at end of file ++explicit-exit-notify 1 
diff --git a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn new file mode 100644 index 000000000000..2ff14e611905 --- /dev/null +++ b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn @@ -0,0 +1,11 @@ +--- sample/sample-plugins/keying-material-exporter-demo/server.ovpn.orig 2025-04-02 06:53:10 UTC ++++ sample/sample-plugins/keying-material-exporter-demo/server.ovpn +@@ -8,7 +8,7 @@ key ../../sample-keys/server.key + ca ../../sample-keys/ca.crt + cert ../../sample-keys/server.crt + key ../../sample-keys/server.key +-dh ../../sample-keys/dh2048.pem ++dh none + + server 10.8.0.0 255.255.255.0 + port 1194 diff --git a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c deleted file mode 100644 index 633bc0f0204d..000000000000 --- a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c +++ /dev/null @@ -1,10 +0,0 @@ ---- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC -+++ src/plugins/auth-pam/auth-pam.c -@@ -39,6 +39,7 @@ - #include - #include - #include -+#include - #include - #include - #include
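Review bot: in the Makefile post-patch hunk, `${RM} sample/sample-keys/dh2048.pem` is a path relative to the port directory, whereas the `${REINPLACE_CMD}` line directly below it prefixes `${WRKSRC}/`; post-patch commands do not run inside `${WRKSRC}`, and because `${RM}` expands to `rm -f` the wrong path fails silently, leaving dh2048.pem in the work tree and, against the commit message's intent, still installed. Suggest `${RM} ${WRKSRC}/sample/sample-keys/dh2048.pem # no longer needed`, followed by `make check-plist` to confirm the packing list no longer expects the file.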
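Review bot: the loopback-client patch is deleted as `patch-sample__sample-config-files__loopback-client` and re-added as `patch-sample_sample-config-files_loopback-client` with the same hunk content (rport/lport 16000/16001 to 16100/16101) and only the `.orig` timestamp and line offset refreshed, while the sibling `patch-sample__sample-config-files__loopback-server` is modified in place and keeps its double-underscore name, so the two loopback patches now follow different naming schemes. Suggest a `git mv` plus refresh so history is preserved, and renaming the server patch in the same commit so both match.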
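Review bot: the server.conf hunk deletes the whole `dh` stanza (`# Diffie hellman parameters.` through `dh dh2048.pem`) instead of replacing it with `dh none` as the other three config patches in this commit do, so the sample now depends on what OpenVPN does when no `dh` option is given at all; it is worth confirming that a `tls-server` config with no `dh` line starts on 2.6.14, and either way a one-line comment in the sample, e.g. `# Diffie Hellman parameters are no longer needed (ECDH is used)`, would spare users who copied the old stanza a search. The `\ No newline at end of file` fix at the end of the same file is unrelated and deserves a mention in the commit message.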
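Review bot: the deleted auth-pam patch adds a single `#include` whose header name is not legible in this rendering, so the claim that upstream's 0fed64a91d894b46 already carries it can only be verified against the 2.6.14 source; since this removal is unrelated to the DH change and rides on the same PORTREVISION bump, a build that compiles src/plugins/auth-pam should be in the test log before pushing.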