patches

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jun 27 11:48:34 EDT 2013


In view of the recent NSA wiretappings, I reviewed some security
related parameters of openconnect. My proposed patches enhance
protection against passive eavesdroppers and all known active attacks on
TLS, hopefully without harming compatibility.

* 0001-Enable-a-padding-when-sending-password-to-avoid-leak.patch:
With this patch the authentication session over TLS no longer leaks the
length of the password (gnutls uses random padding per record but this
is disabled with the %COMPAT keyword).

* 0002-Added-pfs-option-to-force-perfect-forward-secrecy.patch:
Forces perfect forward secrecy. That way a leak of the server key will
not lead to decryption of all past sessions with this server (it may be
that a server doesn't support PFS, so it is not set by default).

* 0003-When-selecting-TLS-protocol-options-for-GnuTLS-set-t.patch:
Removes some protocol weakening options for gnutls. For some reason
these options were only set when using gnutls and not openssl, so I
don't think it is of any benefit keeping them.

regards,
Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enable-a-padding-when-sending-password-to-avoid-leak.patch
Type: text/x-patch
Size: 1333 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130627/0d030a04/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Added-pfs-option-to-force-perfect-forward-secrecy.patch
Type: text/x-patch
Size: 3886 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130627/0d030a04/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-When-selecting-TLS-protocol-options-for-GnuTLS-set-t.patch
Type: text/x-patch
Size: 1352 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20130627/0d030a04/attachment-0002.bin>
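The password-length leak that the first patch addresses, modelled as an added example (this is not code from the post, from OpenConnect or from GnuTLS). It assumes an AES-CBC/HMAC-SHA1 cipher suite and a form body of the shape `password=<pw>`, and approximates GnuTLS's per-record random padding as extra whole blocks within the 255-byte TLS padding limit.

```python
import secrets

BLOCK = 16                   # AES block size in bytes (assumed cipher suite)
MAC_LEN = 20                 # HMAC-SHA1 tag length (assumed cipher suite)
PREFIX = len(b"password=")   # assumed fixed part of the request body

def minimal_padding(base: int) -> int:
    """Smallest padding that brings plaintext+MAC+length byte to a block boundary."""
    return (-base) % BLOCK

def possible_record_lens(plaintext_len: int, random_padding: bool) -> set:
    """Encrypted-fragment lengths a TLS 1.x CBC record of this plaintext can have.
    fragment = plaintext || MAC || padding || padding_length, padding_length <= 255.
    With %COMPAT only the minimal padding is used, so the length is fixed;
    with random padding (modelled here as extra whole blocks) it varies."""
    base = plaintext_len + MAC_LEN + 1
    pad0 = minimal_padding(base)
    if not random_padding:
        return {base + pad0}
    extra_blocks = (255 - pad0) // BLOCK
    return {base + pad0 + BLOCK * k for k in range(extra_blocks + 1)}

def record_len(plaintext_len: int, random_padding: bool) -> int:
    """One sampled record length, as a passive observer sees it on the wire."""
    choices = sorted(possible_record_lens(plaintext_len, random_padding))
    return choices[secrets.randbelow(len(choices))]

def consistent_password_lengths(observed: int, random_padding: bool,
                                max_pw: int = 64) -> set:
    """Password lengths (0..max_pw) that a single observed record length
    does not rule out: the smaller this set, the more the record leaks."""
    return {n for n in range(max_pw + 1)
            if observed in possible_record_lens(PREFIX + n, random_padding)}

if __name__ == "__main__":
    for mode in (False, True):
        seen = {record_len(PREFIX + 8, mode) for _ in range(200)}
        print(f"random_padding={mode}: an 8-char password gives record "
              f"lengths {sorted(seen)} over 200 sessions")
        print("  password lengths consistent with one 80-byte record:",
              sorted(consistent_password_lengths(80, mode)))
```

With minimal padding every 80-byte record narrows the password to a 16-length window; with random padding the same observation only bounds it from above, and repeated sessions no longer produce the same length.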

