vpnc: update version and add nossl variant #25603
Conversation
|
I noticed you've added a non-SSL version. We want to ensure we fully understand all potential use-case scenarios. Could you please share more information about the situations where this version would be used? This will help us ensure we're providing the best possible solution for all our users. May I know what is the size diference between SSL and nonSSL variant? We recommend using SSL/TLS, because of the security, which is top priority for us. |
vpnc supports VPN connections either with SSL certificates or using a private pre-shared group key. In case the nonSSL variant is used to connect to an endpoint that relies on certificates, it will bail out, no connection will be established. In the second case with the pre-shared key, the whole SSL library is not involved with the connection setup, so it doesn't matter whether you use an SSL or nonSSL build. So the nossl version can only be used for scenarios which work with the pre-shared group key. I use it to connect to a Fritzbox.
The SSL variant pulls in GNUTLS, which takes up more space than I have free on my TP-Link Archer C50. On my Turris Omnia I have more than enough space, but on the Archer C50 there's about a 3.5" floppy worth of space left after installing plain OpenWRT and by avoiding the SSL dependency I can still establish a VPN connection with vpnc :)
In this case there's no security impact as these are independent connection mechanisms. If the endpoint requires SSL/TLS, you must use the SSL/TLS version. If the endpoint uses a pre-shared group key, you can use either version, but the SSL/TLS part will never be used. Please let me know if I should provide more info! Many thanks for the quick response! |
Signed-off-by: Julius Schwartzenberg <julius.schwartzenberg@eclipso.eu>
jschwartzenberg
force-pushed
the
feature/vpnc-nossl
branch
from
ab61088 to
6f233d1
Compare
Maintainer: @danielg4
Compile tested: (mipsel_24kc_musl, TP-Link Archer C50v6, f10ee1e20966bdb86cb61a87338f953de1d86cc6)
Run tested: ((mipsel_24kc_musl, TP-Link Archer C50v6, 24.10-rc2, I tested the original version without ssl and it works, I still need to test this new version but am looking for feedback)
Description:
Updated vpnc to the latest version. I submitted a patch that allows compilation without an SSL library. When using a pre-shared group key, vpnc doesn't use its SSL library, so for many cases this is not needed while it allows vpnc to be used on devices with little space where an SSL library does not fit. See also: streambinder/vpnc#55
Note that I still need to test the newer version and will report back. Many thanks in advance for any feedback you might have!