security/openvpn: deprecate tunnelblick

While here, shorten LZO_DESC to fit 80x24 dialogs.

(cherry picked from commit bedfd042b9)
Matthias Andree 2021-12-12 11:55:48 +01:00
parent a34084d590
commit 0a512a27a1
2 changed files with 23 additions and 6 deletions


@ -43,11 +43,11 @@ OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
ASYNC_PUSH_DESC= Enable async-push support
EASYRSA_DESC= Install security/easy-rsa RSA helper package
LZO_DESC= LZO compression support (incompatible with LibreSSL)
LZO_DESC= LZO compression (incompatible with LibreSSL)
MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3)
PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
SMALL_DESC= Build a smaller executable with fewer features
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
TUNNELBLICK_DESC= XOR scrambling patch - DEPRECATED!
UNITTESTS_DESC= Enable unit tests
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
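Review bot: The new TUNNELBLICK_DESC drops the "(READ HELP!)" pointer that the old string carried, which was the only cue in the options dialog that this option changes the wire protocol and has caveats worth reading first. If it fits the dialog width, something like "XOR scramble patch, DEPRECATED (READ HELP!)" keeps both the deprecation flag and the pointer. Removing the word "Tunnelblick" from the description also makes it harder to match this dialog entry to the "Tunnelblick options" wording used in the build-time notice.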
@ -119,11 +119,11 @@ pre-everything::
@${SHELL} -c 'exit 1'
.endif
.if !empty(PORT_OPTIONS:MMBEDTLS)
.if !empty(PORT_OPTIONS:MMBEDTLS) || !empty(PORT_OPTIONS:MTUNNELBLICK)
pre-everything::
@${ECHO_CMD} >&2 "====================================================="
@${ECHO_CMD} >&2 "Note that the mbedTLS option will go away 2022-03-31."
@${ECHO_CMD} >&2 "====================================================="
@${ECHO_CMD} >&2 "======================================================================"
@${ECHO_CMD} >&2 "Note that the mbedTLS and Tunnelblick options will go away 2022-03-31."
@${ECHO_CMD} >&2 "======================================================================"
.endif
post-patch:
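Review bot: The banner under the combined ".if" names both options regardless of which one triggered it, and for TUNNELBLICK it says only that the option will go away, not what to move to. Consider one block per option, with the Tunnelblick one pointing at the option's help text, where the obfsproxy alternative is described. The removal date is also hard-coded here and again in the help text, so the two can drift; a shared variable or at least identical wording would help.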


@ -1,3 +1,5 @@
DEPRECATED FEATURE - TO BE REMOVED END OF 2022-03-31 LATEST
Note that "Tunnelblick" is a controversial option.
It is included for compatibility, not enabled by default,
and should only be used with due consideration, and it should not
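Review bot: The added first line, "TO BE REMOVED END OF 2022-03-31 LATEST", reads ambiguously and does not match the Makefile notice, which says the option "will go away 2022-03-31". Suggest one phrasing in both places, for example "DEPRECATED - will be removed on or before 2022-03-31", followed by a blank line so it stands apart from the paragraph that starts with "Note that".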
@ -8,3 +10,18 @@ option, neither to the --help output, nor the manual page.
Please see this website for a more detailed discussion:
https://tunnelblick.net/cOpenvpn_xorpatch.html
The essence is that there are alternatives proposed that can avoid
this patch:
The OpenVPN developers "do not encourage people building their own
versions of OpenVPN changing the wire-protocol like this, without the
patch being through a proper patch review and having evaluated possible
security risks related to such a change.
And we especially discourage using such an approach when there exists
a far better solution, used by the TOR community. It is called obfsproxy
and can be used together with OpenVPN without needing any re-compilation
of OpenVPN."
https://community.openvpn.net/openvpn/wiki/TrafficObfuscation
https://2019.www.torproject.org/docs/pluggable-transports
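Review bot: The last added URL uses the host "2019.www.torproject.org", which looks like a dated snapshot of the site rather than a maintained page, so the one link that documents the recommended alternative may already be stale. Prefer the current pluggable-transports page if one exists, and if obfsproxy is available as a port, name it by category/name the way EASYRSA_DESC does for security/easy-rsa. The quoted developer statement would also read more clearly with a blank line before the opening quote and before the two source URLs, so it is obvious which text is quoted and where it comes from.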