X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=doc%2Ftinc.texi;h=9c459654da7168d83c98f84dee5bcd7c6a502838;hp=03f47177c534d70ffaba4e8eee671ee55afd9831;hb=f5223937e62e1cc5e9b3d322490dd3af8d666750;hpb=5f3e9858952277ef3d6ac9d119826cbdda0746d7 diff --git a/doc/tinc.texi b/doc/tinc.texi index 03f47177..9c459654 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -182,7 +182,7 @@ available too. @section Supported platforms @cindex platforms -Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows (both natively and in a Cygwin environment), +Tinc has been verified to work under Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X (Darwin), Solaris, and Windows, with various hardware architectures. These are some of the platforms that are supported by the universal tun/tap device driver or other virtual network device drivers. Without such a driver, tinc will most @@ -553,7 +553,6 @@ The documentation that comes along with your distribution will tell you how to d @menu * Darwin (MacOS/X) build environment:: -* Cygwin (Windows) build environment:: * MinGW (Windows) build environment:: @end menu 
@@ -568,17 +567,6 @@ It might also help to install a recent version of Fink from @uref{http://www.fin You need to download and install LibreSSL (or OpenSSL) and LZO, either directly from their websites (see @ref{Libraries}) or using Fink. -@c ================================================================== -@node Cygwin (Windows) build environment -@subsection Cygwin (Windows) build environment - -If Cygwin hasn't already been installed, install it directly from -@uref{https://www.cygwin.com/}. - -When tinc is compiled in a Cygwin environment, it can only be run in this environment, -but all programs, including those started outside the Cygwin environment, will be able to use the VPN. -It will also support all features. - @c ================================================================== @node MinGW (Windows) build environment @subsection MinGW (Windows) build environment @@ -953,7 +941,8 @@ Also note that this can cause decrypted VPN packets to be sent out on a real net @cindex fd @item fd -Use a file descriptor. +Use a file descriptor, given directly as an integer or passed through a unix domain socket. +On Linux, an abstract socket address can be specified by using "@" as a prefix. All packets are read from this interface. Packets received for the local node are written to it. @@ -1455,7 +1444,7 @@ this means that tinc will temporarily stop processing packets until the called s This guarantees that scripts will execute in the exact same order as the events that trigger them. If you need to run commands asynchronously, you have to ensure yourself that they are being run in the background. -Under Windows (not Cygwin), the scripts should have the extension @file{.bat} or @file{.cmd}. +Under Windows, the scripts should have the extension @file{.bat} or @file{.cmd}. @table @file @cindex tinc-up 
@@ -3375,8 +3364,22 @@ that tinc's default length of 4 bytes for the MAC is too short, and he doesn't like tinc's use of RSA during authentication. We do not know of a security hole in the legacy protocol of tinc, but it is not as strong as TLS or IPsec. -This version of tinc comes with an improved protocol, called Simple Peer-to-Peer Security, -which aims to be as strong as TLS with one of the strongest cipher suites. +The Sweet32 attack affects versions of tinc prior to 1.0.30. + +On September 6th, 2018, Michael Yonly contacted us and provided +proof-of-concept code that allowed a remote attacker to create an +authenticated, one-way connection with a node, and also that there was a +possibility for a man-in-the-middle to force UDP packets from a node to be sent +in plaintext. The first issue was trivial to exploit on tinc versions prior to +1.0.30, but the changes in 1.0.30 to mitigate the Sweet32 attack made this +weakness much harder to exploit. These issues have been fixed in tinc 1.0.35. + +This version of tinc comes with an improved protocol, called Simple +Peer-to-Peer Security (SPTPS), which aims to be as strong as TLS with one of +the strongest cipher suites. None of the above security issues affected SPTPS. +However, be aware that SPTPS is only used between nodes running tinc 1.1pre* or +later, and in a VPN with nodes running different versions, the security might +only be as good as that of the oldest version. Cryptography is a hard thing to get right. We cannot make any guarantees. Time, review and feedback are the only things that can
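Review bot: in the @item fd hunk, the new text "given directly as an integer or passed through a unix domain socket" does not say how the two forms are told apart in the configuration, nor which side creates and listens on the socket and which side connects; a reader cannot set this up from the sentence alone, so suggest one line for each form. The abstract-address sentence ("On Linux, an abstract socket address can be specified by using "@" as a prefix.") also deserves a caveat that an abstract socket carries no filesystem permissions, since the surrounding text already warns that this device type hands decrypted VPN packets to another process.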
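Review bot: in the security hunk, "These issues have been fixed in tinc 1.0.35." leaves the operator without a concrete action: say whether upgrading every node is sufficient, or whether the fix only takes effect once both peers run 1.0.35 or later, which the closing "only as good as that of the oldest version" sentence suggests but does not state for the legacy protocol. If identifiers were assigned for the two reported issues, list them next to the 1.0.35 sentence so readers can match the paragraph against advisories; otherwise the paragraph is fine as written.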