wifipineapple-openwrt/package/network/services/openvpn
Jo-Philipp Wich 2569721374 openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)
OpenVPN assumes that its control channel messages are sent and received
unfragmented; this assumption is broken when CBC record splitting is
enabled in mbedTLS.

The record splitting is intended as a countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.

Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.

References:

 * https://dev.openwrt.org/ticket/19101
 * https://community.openvpn.net/openvpn/ticket/524
 * https://github.com/ARMmbed/mbedtls/pull/185

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@45602 3c298f89-4303-0410-b956-a3cf2f4a3e73
2015-05-04 08:49:21 +00:00
files openvpn: autostart openvpn instances for each .conf file in /etc/openvpn 2015-02-07 21:01:28 +00:00
patches openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101) 2015-05-04 08:49:21 +00:00
Config-nossl.in openvpn: make size optimization configurable 2014-03-11 12:07:17 +00:00
Config-openssl.in openvpn: make size optimization configurable 2014-03-11 12:07:17 +00:00
Config-polarssl.in openvpn: make size optimization configurable 2014-03-11 12:07:17 +00:00
Makefile openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101) 2015-05-04 08:49:21 +00:00