OpenVPN Rebased to Version 2.4.3
[application]*OpenVPN* has been rebased to version 2.4.3. This update adds many improvements, notably improved elliptic curve cryptography support (`ECDH`), support for `AES-GCM`, an additional encryption layer for the control channel (the [option]`--tls-crypt` option), and a type of cipher negotiation which allows for gradually upgrading client ciphers to stronger ones without significant added complexity. Additionally, clients can now seamlessly change their IP address or port without having to fully renegotiate an established tunnel.
For a full list of changes in this version, see the link:++https://github.com/OpenVPN/openvpn/blob/v2.4.3/Changes.rst++[upstream changelog on GitHub].
Overall integration with [application]*systemd* has also improved, and systemd can now better manage OpenVPN processes. This update ships with brand new systemd unit files, which add additional security hardening. These new unit files are preferred over the old `openvpn@.service` file. The same unit files are used in other Linux distributions which use systemd, ensuring more consistent behavior and usage across different systemd-based systems. See the installed documentation in `/usr/share/doc/openvpn/README.systemd` for more information about this topic.
Additional Notes
In other changes, Certificate Revocation List (`CRL`) checking is now done by [command]`SSL` libraries directly. These libraries have a far stricter acceptance policy than the approach previously used in OpenVPN. For example, if your CRL file has expired, this will have an impact on every user, regardless of whether their certificates are revoked or not.
Additionally, OpenVPN in Fedora 26 currently uses the [package]*compat-openssl10* and [package]*compat-openssl10-pkcs11-helper* compatibility packages, which are considered to be a workaround until more thorough testing can be done on OpenSSL 1.1, support for which has only been introduced in OpenVPN recently. In a later update, the OpenVPN package is expected to be upgraded to make use of the newer [package]*openssl-1.1* library.
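Because an expired CRL file now affects every user, it is worth monitoring the CRL's `nextUpdate` time. The following is an added example, not part of the original notes or of OpenVPN itself: it reads the field with [command]`openssl crl` and reports `OK`, `WARN` or `EXPIRED`. The CRL path is passed as an argument, and the 7-day warning window and the sample line are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Warn before an OpenVPN CRL file reaches its nextUpdate time (added example)."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl crl -noout -nextupdate` output, used when no path is given.
SAMPLE_OUTPUT = "nextUpdate=Jun 30 12:00:00 2017 GMT\n"


def parse_next_update(openssl_output):
    """Return the nextUpdate time as an aware UTC datetime."""
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "nextUpdate":
            if value.endswith(" GMT"):
                value = value[:-4]
            # Raises ValueError if the value is not a timestamp.
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate field in openssl output")


def classify(next_update, now, warn_days=7):
    """EXPIRED once nextUpdate has passed, WARN inside the warning window."""
    if now >= next_update:
        return "EXPIRED"
    if next_update - now <= timedelta(days=warn_days):
        return "WARN"
    return "OK"


def check_crl(path, now=None, warn_days=7):
    """Run openssl on a PEM CRL file and classify its remaining lifetime."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    next_update = parse_next_update(out)
    return classify(next_update, now or datetime.now(timezone.utc), warn_days), next_update


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, when = check_crl(sys.argv[1])
    else:  # no CRL given: demonstrate on the constructed sample
        when = parse_next_update(SAMPLE_OUTPUT)
        status = classify(when, datetime.now(timezone.utc))
    print(f"{status}: CRL nextUpdate is {when:%Y-%m-%d %H:%M} UTC")
    sys.exit({"OK": 0, "WARN": 1, "EXPIRED": 2}[status])
```

The exit codes (0, 1, 2) let the script run from a timer or monitoring job so the CRL can be regenerated before it expires.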