OpenVPN has been rebased to version 2.4.3. This update adds many improvements, notably improved elliptic curve cryptography support (ECDH), support for AES-GCM, an additional encryption layer for the control channel (the --tls-crypt option), and a type of cipher negotiation which allows for gradually upgrading client ciphers to stronger ones without significant added complexity. Additionally, seamless client IP and port changes are now supported, allowing clients to change their IP address or port without having to fully renegotiate an established tunnel. For a full list of changes in this version, see the upstream changelog on GitHub.
Overall integration with systemd has also improved, and systemd can now better manage OpenVPN processes. This update ships with brand new systemd unit files, which add additional security hardening. These new unit files are preferred over the old openvpn@.service file. The same unit files are used in other Linux distributions which use systemd, ensuring more consistent behavior and usage between different systemd-based systems. See the installed documentation in /usr/share/doc/openvpn/README.systemd for more information about this
In other changes, Certificate Revocation List (CRL) checking is now done by the SSL libraries directly. These libraries have a far stricter acceptance policy than the approach previously used in OpenVPN. For example, if your CRL file has expired, this will have an impact on every user, regardless of whether their certificates are revoked or not.
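Because OpenSSL treats a CRL whose nextUpdate time has passed as a verification failure for every peer certificate, an expired CRL locks out all users at once rather than only the revoked ones. The following script is an added example (not part of these release notes or of the OpenVPN project) for monitoring the CRL named by a server's crl-verify directive before that happens. It assumes GNU coreutils date and the openssl command line tool; the file path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not part of the Fedora notes or the OpenVPN project):
# check whether an OpenVPN CRL is still within its validity window,
# because the SSL library now rejects every client once the CRL's
# nextUpdate has passed. Assumes GNU coreutils `date` and `openssl`.

# Convert the "nextUpdate=..." line printed by `openssl crl -nextupdate`
# into a UNIX epoch timestamp. Prints the epoch; returns non-zero if the
# date cannot be parsed.
crl_next_update_epoch() {
    _ts=${1#nextUpdate=}
    date -u -d "$_ts" +%s
}

# Return 0 (true) if the CRL described by the nextUpdate line in $1 has
# expired relative to the epoch time in $2 (defaults to "now").
# Returns 2 when the date cannot be parsed at all.
crl_is_expired() {
    _exp=$(crl_next_update_epoch "$1") || return 2
    _now=${2:-$(date -u +%s)}
    [ "$_now" -ge "$_exp" ]
}

# Print the whole days of validity left for the nextUpdate line in $1 at
# epoch $2 (defaults to "now"). Negative once the CRL has expired.
crl_days_left() {
    _exp=$(crl_next_update_epoch "$1") || return 2
    _now=${2:-$(date -u +%s)}
    echo $(( ($_exp - $_now) / 86400 ))
}

# Inspect a PEM CRL file. Exit 0 if valid, 1 if expired, 2 if unreadable.
# Warn when fewer than $2 days remain (default 7), so the CRL can be
# regenerated before every VPN user is locked out.
check_crl_file() {
    _file=$1
    _warn_days=${2:-7}
    _line=$(openssl crl -noout -nextupdate -in "$_file" 2>/dev/null) \
        || { echo "ERROR: cannot read CRL $_file"; return 2; }
    if crl_is_expired "$_line"; then
        echo "CRITICAL: CRL $_file expired (${_line#nextUpdate=});" \
             "all clients will now fail certificate verification"
        return 1
    fi
    _days=$(crl_days_left "$_line")
    if [ "$_days" -lt "$_warn_days" ]; then
        echo "WARNING: CRL $_file expires in $_days day(s) (${_line#nextUpdate=})"
    else
        echo "OK: CRL $_file valid for $_days more day(s)"
    fi
    return 0
}

# Usage: sh crl-check.sh /etc/openvpn/server/crl.pem [warn_days]
# (placeholder path; use the file named by your server's crl-verify line)
if [ -n "${1:-}" ]; then
    check_crl_file "$1" "${2:-7}"
fi
```

Run it from cron or a monitoring agent against the same CRL file the server loads; the non-zero exit codes map directly onto alert severities, and the warning threshold gives the operator time to regenerate the CRL with the CA before the SSL library starts rejecting every handshake.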
Additionally, OpenVPN in Fedora 26 currently uses the compat-openssl10 and compat-openssl10-pkcs11-helper compatibility packages, which are considered a workaround until more thorough testing can be done on OpenSSL 1.1, support for which has only recently been introduced in OpenVPN. In a later update, the OpenVPN package is expected to be upgraded to make use of the newer openssl-1.1 library.