diff options
| author | Linus Färnstrand <linus@mullvad.net> | 2019-11-20 13:43:16 +0100 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2019-11-20 14:33:29 +0100 |
| commit | 61e00ff0d630bc0d6c5a37b8866366eb098f3679 (patch) | |
| tree | dcaaf50e4a224e77ed682a11f9526565f314af6c | |
| parent | c2c918ab17e17b333c04156d2325cca786d0d564 (diff) | |
| download | mullvadvpn-61e00ff0d630bc0d6c5a37b8866366eb098f3679.tar.xz mullvadvpn-61e00ff0d630bc0d6c5a37b8866366eb098f3679.zip | |
Limit OpenVPN to use TLS >=1.2 and limit 1.3 ciphers
| -rw-r--r-- | CHANGELOG.md | 5 | ||||
| -rw-r--r-- | talpid-core/src/process/openvpn.rs | 14 |
2 files changed, 15 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index c06b6c9343..05b84dfcaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,6 +54,11 @@ Line wrap the file at 100 chars. Th string. - Fix suspend and resume issues with OpenVPN by upgrading the TAP driver. +### Security +- Force OpenVPN to use TLS 1.2 or newer. And limit the TLS 1.3 ciphers to only the strongest ones. + The Mullvad servers have never allowed any insecure ciphers, so this was not really a problem. + Just one extra safety precaution. + ## [2019.10-beta1] - 2019-11-06 This release is for Android only. diff --git a/talpid-core/src/process/openvpn.rs b/talpid-core/src/process/openvpn.rs index 1abe3b9594..da18d87074 100644 --- a/talpid-core/src/process/openvpn.rs +++ b/talpid-core/src/process/openvpn.rs @@ -14,6 +14,7 @@ use talpid_types::net; static BASE_ARGUMENTS: &[&[&str]] = &[ &["--client"], + &["--tls-client"], &["--nobind"], #[cfg(not(windows))] &["--dev", "tun"], @@ -29,6 +30,7 @@ static BASE_ARGUMENTS: &[&[&str]] = &[ &["--sndbuf", "1048576"], &["--fast-io"], &["--cipher", "AES-256-CBC"], + &["--tls-version-min", "1.2"], &["--verb", "3"], #[cfg(windows)] &[ @@ -42,10 +44,12 @@ static BASE_ARGUMENTS: &[&[&str]] = &[ ], ]; -static ALLOWED_TLS_CIPHERS: &[&str] = &[ +static ALLOWED_TLS1_2_CIPHERS: &[&str] = &[ "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA", ]; +static ALLOWED_TLS1_3_CIPHERS: &[&str] = + &["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]; /// An OpenVPN process builder, providing control over the different arguments that the OpenVPN /// binary accepts. @@ -242,7 +246,7 @@ impl OpenVpnCommand { args.push(tunnel_device.clone()); } - args.extend(Self::security_arguments().iter().map(OsString::from)); + args.extend(Self::tls_cipher_arguments().iter().map(OsString::from)); args.extend(self.proxy_arguments().iter().map(OsString::from)); args @@ -258,10 +262,12 @@ impl OpenVpnCommand { args } - fn security_arguments() -> Vec<String> { + fn tls_cipher_arguments() -> Vec<String> { let mut args = vec![]; args.push("--tls-cipher".to_owned()); - args.push(ALLOWED_TLS_CIPHERS.join(":")); + args.push(ALLOWED_TLS1_2_CIPHERS.join(":")); + args.push("--tls-ciphersuites".to_owned()); + args.push(ALLOWED_TLS1_3_CIPHERS.join(":")); args } |