Closed
Open
Issue created Aug 21, 2018 by Josef Schlehofer (@jschlehofer)

Disable compress option by default

Can we disable the compress option at all in our plugin? It seems that we use compress lzo from here:
https://gitlab.labs.nic.cz/turris/foris-controller-openvpn-module/blob/master/foris_controller_backends/openvpn/__init__.py#L265

On support, we received ticket #2861, which says:

There is a vulnerability with OpenVPN with 'compress lzo' enabled, and with this vulnerability it's possible to decrypt parts of HTTP traffic. HTTPS is not affected.

More details can be found here: https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/

The only downside of disabling that option is that it can reduce the speed of OpenVPN.

The OpenVPN doc was also updated. See more details from their mailing list: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16919.html
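
An added example, not code from foris-controller-openvpn-module: a check over a rendered OpenVPN config that reports every directive turning payload compression on, including options pushed to clients. The directive semantics (`compress` with `lzo`, `lz4`, `lz4-v2`, and the legacy `comp-lzo`) follow the OpenVPN manual; the function names and the sample config are constructed for illustration.

```python
import shlex

# Algorithms that actually compress payloads; "stub"/"stub-v2" and a bare
# "compress" only enable the compression framing without compressing.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}

def _compresses(tokens):
    """True if a tokenized directive turns payload compression on."""
    if not tokens:
        return False
    name, args = tokens[0].lstrip("-"), tokens[1:]
    if name == "compress":
        return bool(args) and args[0] in COMPRESSING
    if name == "comp-lzo":
        # A bare comp-lzo means adaptive; only an explicit "no" disables it.
        return not args or args[0] != "no"
    return False

def find_compression(config_text):
    """Return (line_number, directive) for every line enabling compression,
    including options the server pushes to clients."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops "#" comments
        except ValueError:
            continue  # unbalanced quotes; not a directive we can judge
        if tokens and tokens[0].lstrip("-") == "push" and len(tokens) > 1:
            tokens = shlex.split(tokens[1])  # unwrap push "compress lzo"
        if _compresses(tokens):
            findings.append((lineno, " ".join(tokens)))
    return findings

# Constructed sample server config, not taken from the Turris project.
SAMPLE = """\
port 1194
proto udp
dev tun
compress lzo          # the setting this issue asks to drop
push "compress lzo"
;comp-lzo
comp-lzo no
compress
"""

if __name__ == "__main__":
    for lineno, directive in find_compression(SAMPLE):
        print(f"line {lineno}: {directive}")
```

Lines commented out with `;`, `comp-lzo no` and a bare `compress` are not reported, because none of them compresses tunnel payloads.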
