[OpenWrt-Devel] [PATCH] OpenVPN: Add TLS minimum and maximum version

Liam Dennehy liam at wiemax.net
Fri Jun 9 07:48:02 EDT 2017


OpenVPN Hardening Guide suggests limiting the TLS versions available to
clients. https://community.openvpn.net/openvpn/wiki/Hardening
This patch allows the OpenVPN init script to recognise tls-version-min
and tls-version-max configuration options in UCI for the generated config
file.

Signed-off-by: Liam Dennehy <liam at wiemax.net>
---
 package/network/services/openvpn/files/openvpn.init | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 861d0d62b3..2e0f6e0696 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -123,6 +123,7 @@ start_instance() {
 		route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
 		socks_proxy status status_version syslog tcp_queue_limit tls_auth \
 		tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
+		tls_version_min tls_version_max \
 		tun_mtu tun_mtu_extra txqueuelen user verb down push up \
 		ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
 
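Review bot: the added `tls_version_min tls_version_max \` line is placed after `tran_window`, which breaks the alphabetical order the surrounding entries follow (`tls_timeout tls_verify tmp_dir topology tran_window`, then `tun_mtu`). Consider putting the two names directly after `tls_verify` so the list stays sorted and the TLS options stay grouped. The diffstat also shows that only openvpn.init changes, so nothing tells users the new UCI options exist. A commented example in the package's sample configuration would make the hardening setting discoverable, since the init script only emits these options when they are set.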
-- 
2.13.0