From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: OpenVPN cipher negotiation patch set Date: Mon, 18 Mar 2024 16:43:25 +0000 Message-ID: <11E981D6-3FEF-4927-9E3C-EC107D59D806@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8789576930283837852==" List-Id: --===============8789576930283837852== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable > On 17 Mar 2024, at 14:56, Nick Howitt wrote: >=20 > Crumbs. Still supporting 2.3? That should be a no-no. Anyone with an explic= it cipher in their roadwarriors will have problems if they are old, whatever = you do. The oldest version at openvpn.net is 2.4.6 dating back to 2018. Even = then plenty of water has passed under the bridge e.g SWEET32 etc. Compression= should have been disabled and stubbed a long time ago. The minute you allow = cipher negotiation, you risk breakage if the client uses a cipher which is no= t currently supported. Are you going to allow the cipher to be unset (default= ) in the GUI? No, we are not explicitly supporting 2.3 but I believe it should still be wor= king because we currently do not require cipher negotiation. It is not necess= arily the version of the client, but the configuration that was generated and= loaded into it that is the problem here. > There isn't really an upgrade path if you have a number of clients using ex= plicit ciphers, because the minute you upgrade the server, clients will break. Exactly. There isn=E2=80=99t one. We cannot change much about that, but we ca= n have a migration window that is large enough that most people won=E2=80=99t= be affected by any of these problems. > If you update the client before the server, the client will break as well. = I have not studied the effect of that document, but can you use the fallback = cipher (--data-ciphers-fallback) as the parameter you change from the GUI? Th= en you will have auto negotiation enabled as well. Then you give the users a = fixed timeline to update their clients software and/or configs after which yo= u can remove it again. This may work. Exactly. You will find lots of emails on this list about this. It has never b= een implemented due to lack of time though. > On 17/03/2024 14:05, Adolf Belka wrote: >>=20 >> Hi Nick,=20 >>=20 >> On 17/03/2024 13:34, Nick Howitt wrote: >>> Can I ask a question? Why are we playing around with Cipher strings and h= ashes? The minute you do that you make things much harder to get a good conne= ction. The reason is because, if they are not specified, OpenVPN chooses a go= od safe set that allows multiple strong ciphers. This gives a high chance of = the remote end matching you with strong ciphers. If you specify a cipher, the= n you restrict all connections to that single cipher as you don't have any fo= rm of multi-select. Then, if you ever want to change your choice, perhaps bec= ause what you have chosen is no longer recommended, you have a nightmare on y= our hands because you will have to update every remote client config where it= has also been specified.=20 >>>=20 >> When the cipher negotiation was introduced by OpenVPN it was not backwards= compatible. If we had changed to cipher negotiation at that time then users = with older clients would have just failed. This was not acceptable, especiall= y as to update every client would have had to been updated at the same time, = not acceptable for users with 200 or more clients running with their systems = but maybe with older defined ciphers.=20 >>=20 >> Therefore we had to move to a situation where we had the ncp-disable optio= n, so preventing cipher negotiation.=20 >>=20 >>> At a minimum, the dropdowns should have an option which says "default" wh= en nothing is put in the config, and this should be the default option. Anyon= e who then wants to specify an option, then can, but they are going down thei= r own blind alley. If it were me, I would not even give the user a choice. If= I had to, I would give them a choice to exclude ciphers, but not set them.=20 >>>=20 >> No we are looking at moving from the ncp-disable situation to one where ci= pher negotiation is enabled. The previous issue with older clients no longer = holds as users would have to be still using clients at version 2.3 or older. = Cipher negotiation came in with version 2.4=20 >>=20 >> So any users still using version 2.3 will have to update but that should b= e a very small number now, especially as that older version only worked with = openssl-1.0.1x. So anyone still using it must be minimal now and very insecur= e.=20 >>=20 >> So now we can move to cipher negotiation but we still need to enable ciphe= r selection for those users that have clients with older ciphers. These may b= e insecure but again we need to allow users to update their clients one at a = time, not require them to update all clients at the same time.=20 >>=20 >> Once we have cipher negotiation in place, the users will be able to have a= mixed situation of some clients with newer ciphers specified and others stil= l with the older ones so they can update on a client by client basis over tim= e. Currently we are on OpenVPN-2.5.9. With cipher negotiation enabled we woul= d be able to move to the openvpn-2.6.x series. We then would have to stay on = OpenVPN-2.6.x for a specified period to allow users to update any clients tha= t are using the much older ciphers.=20 >>=20 >> Once the period is past we could then consider updating to openvpn-2.7 ser= ies which is likely to come somewhere during this year but that will actively= prevent any older ciphers being used so all users must have updated all clie= nts by that time.=20 >>=20 >>> Also, by specifying the options you get a maintenance issue where the dro= pdowns need to be maintained to stay in line with every update to the underly= ing openvpn code.=20 >>>=20 >>> There is a possibly useful document at https://community.openvpn.net/open= vpn/wiki/CipherNegotiation.=20 >>>=20 >> Yes, I am aware of that document and that has been the basis of deciding h= ow to move forward to allow the cipher negotiation to be enabled while making= sure we impact existing users the least and move to a position where the use= rs can update their clients one at a time, rather than a big bang update wher= e all clients stop working and all have to be updated at the same time during= which no users of the organisation are able to use their roadwarrior connect= ions.=20 >>=20 >>=20 >> The next challenge is how to make all these changes in the ovpnmain.cgi co= de, in a way that does allow the existing systems to continue and to be able = to test this out in some way, to be sure we are not creating a breaking IPFir= e for users when the update is released to Testing and then Full Release.=20 >>=20 >> That is where I have been trying to work on, while at the same time trying= to understand the code, as I am relatively new into what currently exists an= d I have found it a big challenge. I have made progress but not quick enough = and have been diverted by other things.=20 >>=20 >> Has the non-breaking, backwards compatible approach we have used historica= lly been the best option. I don't know, but it is what has been used and so w= e now have to find a way to move forward from that current status to the next= step, again without creating a breaking, backwards incompatible approach.=20 >>=20 >> Always open to alternative approaches, if they are easier to implement and= maintain the non-breaking, backwards compatible policy and give a migration = path to move forward on a client by client update basis.=20 >>=20 >> Regards,=20 >>=20 >> Adolf.=20 >>=20 >>> Regards,=20 >>>=20 >>> Nick=20 >>>=20 >>> On 17/03/2024 11:35, Adolf Belka wrote: >>>>=20 >>>> Hi Michael,=20 >>>>=20 >>>> I am afraid I don't have a patch set. It is just a single diff change.=20 >>>>=20 >>>> I took Erik's original patch set and applied it to the latest ovpnmain.c= gi version at that time and then removed some of the items that I decided cou= ld wait till later or were not needed.=20 >>>>=20 >>>> This created a single diff file, which I was able to apply and test out = to confirm it did what I expected it to do, which it seemed to do.=20 >>>>=20 >>>> The next step I then had intended to do was to break that single diff in= to multiple patches but I found this very difficult to do as I could not easi= ly figure out which bits needed to go together in different patches. Trying t= o understand all the changes and what each were related to I struggled to mak= e sense of.=20 >>>>=20 >>>> My next step was therefore going to be to go back to an unmodified ovpnm= ain.cgi file and make the changes a step at a time, to match what I had previ= ously done and therefore end up with a patch set of small self consistent cha= nges.=20 >>>>=20 >>>> However to do this I had to go back to the start and figure out which of= Erik's changes to apply and what parts of those changes and every time I did= something else in IPFire for a week or so I was having to go back to square = one in trying to remember what I had been going to do next.=20 >>>>=20 >>>> The diff patch file I created is at=20 >>>>=20 >>>> https://git.ipfire.org/?p=3Dpeople/bonnietwin/ipfire-2.x.git;a=3Dcommit;= h=3D4fbf17f4a10fbf2a0ddeae1aa436cf26f6b3a035=20 >>>>=20 >>>> Hopefully you can use this as a basis to extract just the bits needed fo= r the cipher negotiation.=20 >>>>=20 >>>> I will also go back and start again to work on it but focus on it withou= t diverting to anything else, after I have dealt with the wsdd patch modifica= tion.=20 >>>>=20 >>>> Regards,=20 >>>>=20 >>>> Adolf.=20 >>>>=20 >>>=20 >=20 --===============8789576930283837852==--