Staff

Major system upgrade COMPLETED


UPGRADE COMPLETED SUCCESSFULLY

 

Hello!

We're glad to inform you that a major system upgrade will take place during Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC
This upgrade has a triple, important purpose: close any possible exploitation chance, regardless of how unlikely it could be, deriving from past "Heartbleed" vulnerability, bring AirVPN in an even higher security environment and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

The upgrade in details

  • switch to 4096 bit size RSA and DH keys
  • implementation of additional OpenVPN TLS-Auth layer
  • re-generation of certificates and keys
  • general optimization

During the upgrade all the VPN clients will be forcefully disconnected and will not be able to reconnect. The upgrade will take approximately 30 minutes.

Disconnections will occur on all servers from-to:
Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC

that is:

Sunday, 13 April 2014, 14:00:00 - Sunday, 13 April 2014, 15:00:00 PDT
Sunday, 13 April 2014, 16:00:00 - Sunday, 13 April 2014, 17:00:00 CDT
Sunday, 13 April 2014, 17:00:00 - Sunday, 13 April 2014, 18:00:00 EDT
Sunday, 13 April 2014, 23:00:00 - Monday, 14 April 2014, 00:00:00 CEST
Monday, 14 April 2014, 06:00:00 - Monday, 14 April 2014, 07:00:00 JST


Click here to find your town: http://www.timeanddate.com/worldclock/fixedtime.html?msg=Switch+to+4096+bit+size+keys&iso=20140413T23&p1=215&ah=1

Mandatory actions

After the upgrade, customers running the Air client for Windows will need to shut down and restart the Air client. It is assumed that customers have already downloaded the new package for Windows which includes OpenVPN with non-vulnerable OpenSSL, available here https://airvpn.org/windows and installed the new OpenVPN version.

Customers running any other OpenVPN wrapper or OpenVPN will need to re-download configuration, certificates and keys files.

Additional information for customers running manually configured wrappers:

  • the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration

Please do not hesitate to contact us for any further information.

Kind regards
AirVPN Staff

Share this post


Link to post
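For readers with a manually configured client, the settings listed in the announcement above can be checked before reconnecting. This is an added example, not AirVPN's or OpenVPN's own code: the function names, the host name and the sample configuration are constructed for illustration, and only the expected `tls-cipher` value comes from the announcement.

```python
import re

EXPECTED_TLS_CIPHER = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"  # value given in the announcement
CREDENTIALS = ("ca", "cert", "key", "tls-auth")  # material to re-download or paste again

def parse_ovpn(text):
    """Return (directives, inline_blocks) from an OpenVPN client config."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                                   # inside <name> ... </name>
            if line == f"</{current}>":
                current = None
            elif line:
                blocks[current].append(line)
            continue
        opened = re.fullmatch(r"<([a-z-]+)>", line)
        if opened:
            current = opened.group(1)
            blocks[current] = []
        elif line and line[0] not in "#;":            # skip blanks and comments
            name, *rest = line.split(None, 1)
            directives[name] = rest[0] if rest else ""
    return directives, blocks

def audit(text):
    """List what still has to be fixed to match the post-upgrade settings."""
    directives, blocks = parse_ovpn(text)
    findings = []
    cipher = directives.get("tls-cipher")
    if cipher is None:
        findings.append("tls-cipher is not set")
    elif cipher != EXPECTED_TLS_CIPHER:
        findings.append(f"tls-cipher is {cipher}, expected {EXPECTED_TLS_CIPHER}")
    for item in CREDENTIALS:
        if not blocks.get(item) and not directives.get(item):
            findings.append(f"{item} is missing (no inline block, no file reference)")
    return findings

# Constructed sample: tls-cipher not updated and the TLS key never pasted.
STALE = """client
remote vpn.example.invalid 443
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
<ca>
(placeholder PEM)
</ca>
cert user.crt
key user.key
"""

if __name__ == "__main__":
    print("\n".join(audit(STALE)) or "configuration matches the announcement")
```

The check only confirms that each item is present and that the cipher string matches; it does not verify that the pasted certificates and keys are the regenerated ones.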

I know you said you will provide details afterwards, but I am really curious as to what this will mean for the 4mb minimum bandwidth & future pricing.

 

 and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

Share this post


Link to post

Excellent, excellent news!

 

Will we only be able to generate the new config files and keys after the disconnect?

 

Hello!

 

Yes, that's correct. Only AFTER the end of the upgrade.

 

Kind regards

Share this post


Link to post

open the road for an important new feature of the service: 3 simultaneous connections per account on different servers

 

This is going to be very interesting.

 

switch to 4096 bit size RSA and DH keys

 

Could you provide a few more details on why you choose to switch to 4096 bit RSA keys?


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

Share this post


Link to post

The 3 simultaneous connections per account on different servers sound wonderful, so why did I purchase a second account recently? Glad about the complete Key/Cert change. Keep up the great work...

 

Regards,

 

Bubbba

Share this post


Link to post

Awesome news from you guys. Happy to hear that key sizes are being increased from a suggestion I made earlier when I joined. And the part about 3 connections is awesome and I am very excited for it. Keep up the good work and keep on doing what you do best 

Share this post


Link to post

There are obvious advantages to having 3 simultaneous connections (albeit this is already possible if your router is vpn enabled), but can anyone please answer what advantages would there be in having your simultaneous connections on different servers?

Share this post


Link to post

Thank you for upgrading all of this so quickly!

I do notice that OpenVPN has now released version 2.3.3, however AirVPN is hosting the 2.3.2 quickfix that was released the other day. Updates moving quickly these days.

Share this post


Link to post

Great to see the new features. As I am telling everybody AirVPN is the most trustable VPN provider ever. Never saw stable and fast connections like here and the support team is excellent and always kindly.

Share this post


Link to post

Great to see the new features. As I am telling everybody AirVPN is the most trustable VPN provider ever. Never saw stable and fast connections like here and the support team is excellent and always kindly.

Couldn't agree more. That's why after testing other VPN this one is miles ahead in all possible elements, like speed, security, support and privacy policy from others.

Share this post


Link to post

Nice

What is the current DH parameter size? It is not mentioned on the website.

And how about TLS 1.2 support? OpenSSL may not be vulnerable to attacks on TLS 1.0, but TLS 1.2 supports SHA-2.
SHA-1 is in progress of deprecation by MS: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
NIST advises against SHA-1: http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/
This may be less worrisome in the VPN/OpenSSL context, but it's best to stay ahead instead of becoming a cat and mouse game.

Share this post


Link to post

Nice :)

 

What is the current DH parameter size? It is not mentioned on the website.

 

Hello!

 

2048 bit keys, currently.

 

 

And how about TLS 1.2 support? OpenSSL may not be vulnerable to attacks on TLS 1.0, but TLS 1.2 supports SHA-2.

SHA-1 is in progress of deprecation by MS: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

NIST advises against SHA-1: http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/

This may be less worrisome in the VPN/OpenSSL context, but it's best to stay ahead instead of becoming a cat and mouse game.

 

So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions.

 

Kind regards

Share this post


Link to post
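The exchange above turns on the difference between a bare SHA-1 digest and HMAC-SHA1 keyed with a shared secret. The following is an added example, not part of the thread and not OpenVPN's wire format: a simplified packet guard with a constructed layout (20-byte tag, 4-byte packet id, payload), a constructed demo key and hypothetical names, showing that a keyed tag cannot be recomputed without the key while an unkeyed checksum can.

```python
import hashlib
import hmac
import struct

def seal(key, packet_id, payload):
    """Return HMAC-SHA1(key, id || payload) || id || payload."""
    header = struct.pack("!I", packet_id)
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return tag + header + payload

class Receiver:
    """Drops packets whose tag does not verify or whose id was already seen."""

    def __init__(self, key):
        self.key = key
        self.highest_id = 0

    def accept(self, packet):
        tag, header, payload = packet[:20], packet[20:24], packet[24:]
        if len(header) < 4:
            return None                               # truncated packet
        expected = hmac.new(self.key, header + payload, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):    # constant-time comparison
            return None
        (packet_id,) = struct.unpack("!I", header)
        if packet_id <= self.highest_id:              # replayed or stale id
            return None
        self.highest_id = packet_id
        return payload

def unkeyed_check(packet):
    """Contrast case: a bare SHA-1 checksum that any sender can recompute."""
    return hashlib.sha1(packet[20:]).digest() == packet[:20]

KEY = bytes(range(32))      # constructed demo key shared by both peers
OTHER_KEY = bytes(32)       # constructed key of a party that does not hold KEY

if __name__ == "__main__":
    rx = Receiver(KEY)
    good = seal(KEY, 1, b"control message")
    print(rx.accept(good))                                        # payload returned
    print(rx.accept(good))                                        # None: replay
    print(rx.accept(seal(OTHER_KEY, 2, b"control message")))      # None: wrong key
```

Rejection here depends only on knowledge of the key, which is why a collision on the underlying hash alone does not let a third party produce an accepted tag.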

Thanks for all that you do to protect me!


""""So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions.

 

Kind regards"""""

 

You guys rock, protecting me from all those hash collisions, and acronyms beyond my desire to investigate, memorize and produce more of.  I use the net for research and organizing.  F#$% the police, and the crackers, who are probably one and the same...

Share this post


Link to post

There are obvious advantages to having 3 simultaneous connections (albeit this is already possible if your router is vpn enabled), but can anyone please answer what advantages would there be in having your simultaneous connections on different servers?

 

It's better to use your regular connection for personal things and use a VPN for everything else in your anonymous life. Also you can use different servers on different devices. Not really sure what the benefit of that is but 3 connections is better than 1!

Share this post


Link to post
