Releasing 1.1pre2.
parent: c259d552fa
commit: f8d94f34fc
3 changed files with 21 additions and 28 deletions
NEWS: 13 lines changed
@ -1,3 +1,16 @@
Version 1.1pre2 Juli 17 2011
* .cookie files are renamed to .pid files, which are compatible with 1.0.x.
* Experimental protocol enhancements that can be enabled with the option
ExperimentalProtocol = yes:
* Ephemeral ECDH key exchange will be used for both the meta protocol and
UDP session keys.
* Key exchanges are signed with ECDSA.
* ECDSA public keys are automatically exchanged after RSA authentication if
nodes do not know each other's ECDSA public key yet.
Version 1.1pre1 June 25 2011
* Control interface allows control of a running tinc daemon. Used by:
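Review bot: the release date in the new "Version 1.1pre2" heading reads "Juli 17 2011"; the existing 1.1pre1 entry in the same hunk uses the English month name ("June 25 2011"), so this should read "July 17 2011". The ExperimentalProtocol bullet should also carry the compatibility caveat that the README hunk in this commit states (with the option enabled, tinc stays compatible with 1.0.X and 1.1pre2 itself but with no other 1.1preX version), since NEWS is what most users read before upgrading; one line such as "Enabling this breaks interoperability with other 1.1pre releases." under the option name would do. The last bullet (ECDSA public keys exchanged automatically after RSA authentication when nodes do not know each other's key yet) leaves open what happens on later connections, i.e. whether the received key is then kept and checked or exchanged again; that is the trust decision an operator needs stated here.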
README: 34 lines changed
@ -1,4 +1,4 @@
This is the README file for tinc version 1.1pre1. Installation
This is the README file for tinc version 1.1pre2. Installation
instructions may be found in the INSTALL file.
tinc is Copyright (C) 1998-2011 by:
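Review bot: the version string in "This is the README file for tinc version 1.1pre2." is hand-edited here and edited again in the AM_INIT_AUTOMAKE line of the configure hunk in this same commit. A style point only, but deriving this number from the configure version (or at least listing both places in the release checklist) would keep the two from drifting apart in a future release.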
@ -29,39 +29,19 @@ protocol is not fixed yet.
Security statement
------------------
In August 2000, we discovered the existence of a security hole in all versions
of tinc up to and including 1.0pre2. This had to do with the way we exchanged
keys. Since then, we have been working on a new authentication scheme to make
tinc as secure as possible. The current version uses the OpenSSL library and
uses strong authentication with RSA keys.
On the 29th of December 2001, Jerome Etienne posted a security analysis of tinc
1.0pre4. Due to a lack of sequence numbers and a message authentication code
for each packet, an attacker could possibly disrupt certain network services or
launch a denial of service attack by replaying intercepted packets. The current
version adds sequence numbers and message authentication codes to prevent such
attacks.
On September the 15th of 2003, Peter Gutmann contacted us and showed us a
writeup describing various security issues in several VPN daemons. He showed
that tinc lacks perfect forward security, the connection authentication could
be done more properly, that the sequence number we use as an IV is not the best
practice and that the default length of the HMAC for packets is too short in
his opinion. We do not know of a way to exploit these weaknesses, but we will
address these issues in tinc 2.0.
Cryptography is a hard thing to get right. We cannot make any
guarantees. Time, review and feedback are the only things that can
prove the security of any cryptographic product. If you wish to review
tinc or give us feedback, you are stronly encouraged to do so.
This version uses an experimental and unfinished cryptographic protocol. Use
it at your own risk.
Compatibility
-------------
Version 1.1pre1 is compatible with 1.0pre8, 1.0 and later, but not with older
Version 1.1pre2 is compatible with 1.0pre8, 1.0 and later, but not with older
versions of tinc.
When the ExperimentalProtocol option is used, tinc is still compatible with
1.0.X and 1.1pre2 itself, but not with any other 1.1preX version.
Requirements
------------
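Review bot: the paragraphs being removed from the Security statement were the README's only record of the known weaknesses in the packet protocol (Gutmann's 2003 findings: no perfect forward secrecy, the sequence number used as IV, the default HMAC length judged too short), and the replacement text says only that the protocol is "experimental and unfinished" and to use it "at your own risk". That tells a reader nothing about which of those findings the ExperimentalProtocol work in this release addresses (the ephemeral ECDH exchange listed in the NEWS hunk is the answer to the forward secrecy point) and which still apply when the option is off, which is the mode the new Compatibility paragraph says 1.0.X peers require. Suggest keeping a condensed version of the removed history, or at least one sentence tying ephemeral ECDH to the forward secrecy finding and stating that the remaining points are unchanged in the default protocol. Also, the unchanged context line "you are stronly encouraged to do so" has a typo ("strongly") that could be fixed while this section is being rewritten.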
@ -4,7 +4,7 @@ AC_PREREQ(2.61)
AC_INIT
AC_CONFIG_SRCDIR([src/tincd.c])
AC_GNU_SOURCE
AM_INIT_AUTOMAKE(tinc, 1.1pre1+git)
AM_INIT_AUTOMAKE(tinc, 1.1pre2)
AC_CONFIG_HEADERS([config.h])
AM_MAINTAINER_MODE
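Review bot: dropping the "+git" suffix in AM_INIT_AUTOMAKE(tinc, 1.1pre2) is right for the release tag, but the follow-up commit needs to restore it as "1.1pre2+git" immediately after tagging; otherwise every build from the development branch will identify itself as the 1.1pre2 release, and bug reports from git users will be indistinguishable from reports against the release tarball.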