Import Upstream version 1.1~pre17

README

@@ -1,7 +1,7 @@
-This is the README file for tinc version 1.1pre15. Installation
+This is the README file for tinc version 1.1pre17. Installation
 instructions may be found in the INSTALL file.
 
-tinc is Copyright © 1998-2017 Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others.
+tinc is Copyright © 1998-2018 Ivo Timmermans, Guus Sliepen <guus@tinc-vpn.org>, and others.
 
 For a complete list of authors see the AUTHORS file.
 
@@ -28,11 +28,25 @@ Security statement
 This version uses an experimental and unfinished cryptographic protocol. Use it
 at your own risk.
 
+When connecting to nodes that use the legacy protocol used in tinc 1.0, be
+aware that any security issues in tinc 1.0 will apply to tinc 1.1 as well. On
+September 6th, 2018, Michael Yonly contacted us and provided proof-of-concept
+code that allowed a remote attacker to create an authenticated, one-way
+connection with a node using the legacy protocol, and also that there was a
+possibility for a man-in-the-middle to force UDP packets from a node to be sent
+in plaintext. The first issue was trivial to exploit on tinc versions prior to
+1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this
+weakness much harder to exploit. These issues have been fixed in tinc 1.0.35
+and tinc 1.1pre17. The new protocol in the tinc 1.1 branch is not susceptible
+to these issues. However, be aware that SPTPS is only used between nodes
+running tinc 1.1pre* or later, and in a VPN with nodes running different
+versions, the security might only be as good as that of the oldest version.
+
 
 Compatibility
 -------------
 
-Version 1.1pre15 is compatible with 1.0pre8, 1.0 and later, but not with older
+Version 1.1pre17 is compatible with 1.0pre8, 1.0 and later, but not with older
 versions of tinc.
 
 When the ExperimentalProtocol option is used, tinc is still compatible with
@@ -50,9 +64,9 @@ ensure you have the latest stable versions of all the required libraries:
 
 The following libraries are used by default, but can be disabled if necessary:
 
-- zlib (http://www.zlib.net/)
+- zlib (https://zlib.net/)
 - LZO (https://www.oberhumer.com/opensource/lzo/)
-- ncurses (http://invisible-island.net/ncurses/)
+- ncurses (https://invisible-island.net/ncurses/)
 - readline (https://cnswww.cns.cwru.edu/php/chet/readline/rltop.html)
 
 
@@ -68,8 +82,8 @@ be forwarded by intermediate nodes.
 
 Tinc 1.1 support two protocols. The first is a legacy protocol that provides
 backwards compatibility with tinc 1.0 nodes, and which by default uses 2048 bit
-RSA keys for authentication, and encrypts traffic using Blowfish in CBC mode
-and HMAC-SHA1. The second is a new protocol which uses Curve25519 keys for
+RSA keys for authentication, and encrypts traffic using AES256 in CBC mode
+and HMAC-SHA256. The second is a new protocol which uses Curve25519 keys for
 authentication, and encrypts traffic using Chacha20-Poly1305, and provides
 forward secrecy.
 
@@ -82,7 +96,7 @@ Ethernet network switch or hub.
 
 Normally, when started tinc will detach and run in the background. In a native
 Windows environment this means tinc will install itself as a service, which will
-restart after reboots.  To prevent tinc from detaching or running as a service,
+restart after reboots. To prevent tinc from detaching or running as a service,
 use the -D option.
 
 The status of the VPN can be queried using the "tinc" command, which connects