From patchwork Tue Dec 1 10:03:55 2020
X-Patchwork-Submitter: Magnus Kroken
X-Patchwork-Id: 1408729
From: Magnus Kroken
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] openvpn: disable LZO support by default
Date: Tue, 1 Dec 2020 11:03:55 +0100
Message-Id: <20201201100355.1701-1-mkroken@gmail.com>
List-Id: OpenWrt Development List

OpenVPN recommends disabling compression, as it may weaken the security of the connection. For users who need compression, we build with LZ4 support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB.

OpenWrt users will no longer be able to connect to OpenVPN peers that require LZO compression, unless they build the OpenVPN package themselves.
Signed-off-by: Magnus Kroken --- package/network/services/openvpn/Config-mbedtls.in | 2 +- package/network/services/openvpn/Config-openssl.in | 2 +- package/network/services/openvpn/files/openvpn.config | 6 +----- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in index 2a2f303c48..3cf233b8f7 100644 --- a/package/network/services/openvpn/Config-mbedtls.in +++ b/package/network/services/openvpn/Config-mbedtls.in @@ -2,7 +2,7 @@ if PACKAGE_openvpn-mbedtls config OPENVPN_mbedtls_ENABLE_LZO bool "Enable LZO compression support" - default y + default n config OPENVPN_mbedtls_ENABLE_LZ4 bool "Enable LZ4 compression support" diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in index 7a7be74db9..335bbaa2c4 100644 --- a/package/network/services/openvpn/Config-openssl.in +++ b/package/network/services/openvpn/Config-openssl.in @@ -2,7 +2,7 @@ if PACKAGE_openvpn-openssl config OPENVPN_openssl_ENABLE_LZO bool "Enable LZO compression support" - default y + default n config OPENVPN_openssl_ENABLE_LZ4 bool "Enable LZ4 compression support" diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config index f6278836e7..09d504da28 100644 --- a/package/network/services/openvpn/files/openvpn.config +++ b/package/network/services/openvpn/files/openvpn.config @@ -293,9 +293,7 @@ config openvpn sample_server # # LZ4 requires OpenVPN 2.4+ client and server # option compress lz4 - # LZO is compatible with most OpenVPN versions - # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) -# option compress lzo + # Control how OpenVPN handles peers using compression # # Do not allow any connections using compression 
@@ -487,8 +485,6 @@ config openvpn sample_client # # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 - # LZO is compatible with most OpenVPN versions -# option compress lzo # Set log file verbosity. option verb 3
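Review bot: in the Config-mbedtls.in hunk, `OPENVPN_mbedtls_ENABLE_LZO` goes to `default n` with no help text, so someone in menuconfig sees only "Enable LZO compression support" and nothing about why it is now off or that LZ4 stays built in. Suggest a `help` block under the `bool` line carrying the rationale from the commit message, e.g.:
	help
	  Disabled by default: OpenVPN recommends against compression.
	  LZ4 remains available for peers that need it.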
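Review bot: the Config-openssl.in hunk is the identical `default y` to `default n` flip as in Config-mbedtls.in; the two symbols differ only in their prefix, so they have to be kept in sync by hand and nothing in either file says so. Not blocking, but a one-line comment in each file pointing at its twin (or a sentence in the commit message that both variants must change together) would save the next person from updating only one.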
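Review bot: the sample_server hunk deletes the only lines that told users how to interoperate with pre-2.4 peers (`comp-lzo yes` on older clients) and replaces them with a single inserted line (empty, going by the diffstat's 3 insertions), so a server whose peers still require LZO now fails with no pointer in the sample to the cause. Suggest keeping one comment in place of the deleted three, e.g. `# LZO is not built in by default (see the ENABLE_LZO build option)`, and dropping the added empty line so the compression block stays contiguous with `# Control how OpenVPN handles peers using compression`.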
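Review bot: the sample_client hunk removes `# option compress lzo` but says nothing about the new failure mode: a client built with the default package that is pushed `compress lzo` by its server cannot honour it, and the sample gives no hint why. A one-line comment noting that LZO is not compiled in by default and that servers requiring it need a rebuild with the ENABLE_LZO option, mirroring the commit message, would cover it.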
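As an added example, not code from this patch or from OpenWrt or OpenVPN, the following Python audit reads either plain OpenVPN syntax or the UCI form used in files/openvpn.config and reports every directive that enables, or merely negotiates, compression, so an existing configuration can be checked against the recommendation quoted in the commit message before the LZO build option disappears. The sample configurations are constructed for the example; the severity labels and the description of `allow-compression asym` (outgoing never compressed, incoming compressed packets still accepted) are my reading of the OpenVPN manual and should be checked against the manual for the release you run, since `allow-compression` is not present in older OpenVPN versions.

```python
"""Audit OpenVPN / OpenWrt UCI configuration text for compression directives.

Added example for this page; not code from the OpenWrt patch or from OpenVPN.
Understands plain OpenVPN syntax ('compress lz4', 'push "comp-lzo"') and the
OpenWrt UCI form from files/openvpn.config ('option compress lz4',
'list push "compress lz4"').
"""
import shlex

COMPRESSION_ALGOS = {"lzo", "lz4", "lz4-v2"}   # payload actually compressed
FRAMING_ONLY = {"", "stub", "stub-v2"}         # compression framing, no compression


def parse_directives(text):
    """Return [(keyword, args)] with UCI lines and push "..." payloads unwrapped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN and UCI comment lines
            continue
        try:
            parts = shlex.split(line)
        except ValueError:                      # unbalanced quote: plain split
            parts = line.split()
        if not parts or parts[0] == "config":   # UCI section header, e.g. `config openvpn sample_server`
            continue
        if parts[0] in ("option", "list") and len(parts) >= 2:
            # UCI spells OpenVPN's `comp-lzo` / `allow-compression` with underscores
            parts = [parts[1].replace("_", "-")] + parts[2:]
        if parts[0] == "push" and len(parts) >= 2:
            # the peer applies the pushed directive, so audit it under its own keyword
            pushed = parts[1].split()
            if pushed:
                directives.append(("push " + pushed[0], pushed[1:]))
            continue
        directives.append((parts[0], parts[1:]))
    return directives


def audit_compression(text):
    """Return [(severity, directive, explanation)] for compression-related settings.

    severity: "high" (payload compression on), "medium" (asym allow mode),
    "low" (framing only, still negotiated) or "info" (no explicit refusal).
    """
    findings = []
    allow_mode = None
    for keyword, args in parse_directives(text):
        base = keyword.split()[-1]               # strip a leading "push "
        shown = " ".join([keyword, *args])
        origin = "pushed to peers" if keyword.startswith("push ") else "local"
        if base == "comp-lzo":
            mode = args[0] if args else "adaptive"
            if mode == "no":
                findings.append(("low", shown, f"{origin}: legacy LZO framing, payload not compressed"))
            else:
                findings.append(("high", shown, f"{origin}: legacy LZO compression ({mode})"))
        elif base == "compress":
            algo = args[0] if args else ""
            if algo in COMPRESSION_ALGOS:
                findings.append(("high", shown, f"{origin}: {algo} compression enabled"))
            else:
                findings.append(("low", shown, f"{origin}: compression framing only"))
        elif base == "allow-compression" and args:
            allow_mode = args[0]
            if allow_mode == "yes":
                findings.append(("high", shown, "compression accepted from, and sent to, any peer"))
            elif allow_mode == "asym":
                findings.append(("medium", shown, "outgoing never compressed, incoming compressed packets still accepted"))
    if allow_mode != "no":
        findings.append(("info", "allow-compression no",
                         "not set: add it so compression is refused whatever a peer requests"))
    return findings


# Constructed samples (not from the patch): a UCI server section that still
# carries LZO, and a plain-syntax client with compression refused outright.
SAMPLE_UCI_SERVER = """
config openvpn sample_server
	option enabled 1
	option port 1194
	option compress lzo
	list push "compress lzo"
	# option allow_compression no
"""

SAMPLE_HARDENED_CLIENT = """
client
remote vpn.example.net 1194
allow-compression no
"""

if __name__ == "__main__":
    for name, cfg in (("uci server", SAMPLE_UCI_SERVER), ("hardened client", SAMPLE_HARDENED_CLIENT)):
        print(f"== {name} ==")
        for severity, directive, why in audit_compression(cfg) or [("ok", "-", "no compression directives")]:
            print(f"{severity:6} {directive:24} {why}")
```

Run it against `/etc/config/openvpn` or a client `.ovpn`; anything rated "high" is a peer or local setting that compresses traffic, and the "info" line appears until `allow-compression no` (UCI: `option allow_compression no`) is present.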