Skip to content
Snippets Groups Projects
Commit a28deda5 authored by Jo-Philipp Wich's avatar Jo-Philipp Wich
Browse files

openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101) 

OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.

The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.

Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.

References:

 * https://dev.openwrt.org/ticket/19101
 * https://community.openvpn.net/openvpn/ticket/524
 * https://github.com/ARMmbed/mbedtls/pull/185



Signed-off-by: default avatarJo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45602
parent aea93173
No related merge requests found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment