Dutch Government Officially Trusts OpenVPN-NL

First time accepted submitter joost.bijl writes "Yesterday the Dutch government took a step to further improve the adoption of Open Source in its ranks. It has officialy approved a modified version of the open source VPN software OpenVPN for use on the governmental level 'Departementaal Vertrouwelijk' (Restricted). The release is called OpenVPN-NL and is fully open-source and available for use. The software has undergone a security evaluation by the Dutch government's national communications security agency (NLNCSA). The major change is the removal of OpenSSL as the cryptographic core of OpenVPN-NL. Instead, the Dutch government opted to include the smaller, better readable and documented open source library PolarSSL to provide the cryptographic and SSL/TLS functionality. The Dutch IT Security company Fox-IT worked together with both OpenVPN and PolarSSL communities and modified the stock software to support the government evaluation process. In total 8000 lines of code and 4000 lines of documentation were checked in to the OpenVPN trunk."

Awesome

[MightyMartian]

This is very good news. OpenVPN is probably the easiest secure VPN software I've ever worked with. I've been running it as the link for our multi-site network for over two years now, and it's also the VPN software our road warriors are using. Simple to configure, and damnit but it just works. After years of trying to get all these weird implementations of IPSec to co-operate with each other, OpenVPN is just a marvel, fast and lightweight.

Re:Awesome

[Capt.DrumkenBum]

OpenVPN rocks!
I have a client site that needs to access some data in my local office. This client site network is locked down so tight that almost nothing goes through. Somehow OpenVPN manages to maintain several connections between here and there. Add to that the fact that they are fully cross platform and you just can't beat them.

Re:Awesome

This is mainly going to be used to allow remote access to restricted infrastructure.
The comments in Holland are that this is allowing unsecured & unchecked workstations (home pc's & laptops) that might be infected with general or specifically designed malways; & then via the vpn gaining access to restricted documents & information.

The last word is not yet spoken about this.

Dutch megan00b

Re:Why should we trust openssl?

[Rich]

That's true, though openssl has had the ability to add empty fragments to avoid the chosen plain text attack I suspect you're referring to for many years. What's strange is that the chosen solution (polarSSL) doesn't seem to have support for OCSP which is the main way to quickly revoke bad keys - particularly important in the light of the recent diginotar breach.

Re:Why should we trust openssl?

[Feyr]

i don't know about gnutls's maturity,

but polarssl does not seem to support renegotiation, that to me indicates it's a pretty bad choice for a vpn which you expect to be up 100% of the time and pass significant traffic. looks like the dutchies just wanted SOMETHING they had made locally in an approved software, security be damned!

diff

[core_tripper]

Differences in code between OpenVPN and OpenVPN-NL. (credits: Palatinux) openvpn_nl-v2.1.4-diffpatch.txt

About why the chose to use PolarSSL:
Among the notable differences between OpenVPN and OpenVPN-NL is the cryptographic library. Correct SSL functionality is essential for the protection that OpenVPN offers. OpenSSL is a large and complex library. PolarSSL is a compact and modular library, which is small enough for a fairly in-depth evaluation. Therefore, in the OpenVPN-NL package, it has been chosen to exchange PolarSSL for OpenSSL. This change does not change functionality; the two libraries (OpenSSL and PolarSSL) are mutually compatible.
source: background OpenVPN
But as being said in another comment, someone now working for Fox-IT was involved in PolarSSL. Extra functionality and documentation was added to PolarSSL by Fox-IT according to a comment on a tech-site (tweakers.net) by someone who claims to be the maintainer of PolarSSL.