From mboxrd@z Thu Jan  1 00:00:00 1970
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 [PATCH] OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak' in WUI menu
Date: Thu, 08 Feb 2018 09:54:58 +0100
Message-ID: <1518080098-22100-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1977603405291834505=="
List-Id: <development.lists.ipfire.org>

--===============1977603405291834505==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so c=
alled 'Birthday attacks' .
    Infos for 'Sweet32' Birthday attacks can be found in here
        https://sweet32.info/ .
    An Overview of 64 bit clock ciphers can also be found in here
        http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-b=
it_blocks

1024 bit Diffie-Hellman parameter has also been marked as weak causing the 'L=
ogjam Attack' .
   Infos for 'Logjam Attack' can be found in here
        https://weakdh.org/ .

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9f5e682..0fa1d04 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2002,7 +2002,7 @@ END
 	    </select></td>
 	<tr><td class=3D'base'>$Lang::tr{'ovpn dh'}:</td>
 		<td class=3D'base'><select name=3D'DHLENGHT'>
-				<option value=3D'1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit=
'}</option>
+				<option value=3D'1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit=
'} ($Lang::tr{'vpn weak'}</option>
 				<option value=3D'2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit=
'}</option>
 				<option value=3D'3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit=
'}</option>
 				<option value=3D'4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit=
'}</option>
@@ -4713,12 +4713,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
 				<option value=3D'AES-256-CBC' 	 	$selected{'DCIPHER'}{'AES-256-CBC'}>AES=
-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
 				<option value=3D'AES-192-CBC' 	 	$selected{'DCIPHER'}{'AES-192-CBC'}>AES=
-CBC (192 $Lang::tr{'bit'})</option>
 				<option value=3D'AES-128-CBC' 	 	$selected{'DCIPHER'}{'AES-128-CBC'}>AES=
-CBC (128 $Lang::tr{'bit'})</option>
-				<option value=3D'DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DE=
S-EDE3-CBC (192 $Lang::tr{'bit'})</option>
-				<option value=3D'DESX-CBC' 		$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (=
192 $Lang::tr{'bit'})</option>
-				<option value=3D'SEED-CBC' 		$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (=
128 $Lang::tr{'bit'})</option>
-				<option value=3D'DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-=
EDE-CBC (128 $Lang::tr{'bit'})</option>
-				<option value=3D'BF-CBC' 			$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $=
Lang::tr{'bit'})</option>
-				<option value=3D'CAST5-CBC' 		$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CB=
C (128 $Lang::tr{'bit'})</option>
+				<option value=3D'SEED-CBC' 			$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC =
(128 $Lang::tr{'bit'})</option>
+				<option value=3D'DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DE=
S-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'DESX-CBC' 			$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC =
(192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-=
EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'BF-CBC' 				$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 =
$Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'CAST5-CBC' 			$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-C=
BC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
=20
@@ -5210,12 +5210,12 @@ END
 				<option value=3D'AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CB=
C (256 $Lang::tr{'bit'})</option>
 				<option value=3D'AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CB=
C (192 $Lang::tr{'bit'})</option>
 				<option value=3D'AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CB=
C (128 $Lang::tr{'bit'})</option>
-				<option value=3D'DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-=
EDE3-CBC (192 $Lang::tr{'bit'})</option>
-				<option value=3D'DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (19=
2 $Lang::tr{'bit'})</option>
 				<option value=3D'SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (12=
8 $Lang::tr{'bit'})</option>
-				<option value=3D'DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-ED=
E-CBC (128 $Lang::tr{'bit'})</option>
-				<option value=3D'BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lan=
g::tr{'bit'})</option>
-				<option value=3D'CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC =
(128 $Lang::tr{'bit'})</option>
+				<option value=3D'DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-=
EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (19=
2 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-ED=
E-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lan=
g::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value=3D'CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC =
(128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
     <tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'comp-lzo'}</td>
--=20
2.7.4


--===============1977603405291834505==--