From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak' in WUI menu
Date: Mon, 12 Feb 2018 13:09:13 +0000 [thread overview]
Message-ID: <1518440953.2541.67.camel@ipfire.org> (raw)
In-Reply-To: <1518080098-22100-1-git-send-email-erik.kapfer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5504 bytes --]
Merged.
On Thu, 2018-02-08 at 09:54 +0100, Erik Kapfer wrote:
> 64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so
> called 'Birthday attacks' .
> Infos for 'Sweet32' Birthday attacks can be found in here
> https://sweet32.info/ .
> An Overview of 64 bit clock ciphers can also be found in here
> http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-bi
> t_blocks
>
> 1024 bit Diffie-Hellman parameter has also been marked as weak causing the
> 'Logjam Attack' .
> Infos for 'Logjam Attack' can be found in here
> https://weakdh.org/ .
>
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..0fa1d04 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2002,7 +2002,7 @@ END
> </select></td>
> <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
> <td class='base'><select name='DHLENGHT'>
> - <option value='1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> + <option value='1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
> weak'}</option>
> <option value='2048'
> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
> <option value='3072'
> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
> <option value='4096'
> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> @@ -4713,12 +4713,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
> <option value='AES-256-CBC'
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
> $Lang::tr{'default'})</option>
> <option value='AES-192-CBC'
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
> <option value='AES-128-CBC'
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> - <option value='DESX-CBC' $sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
> - <option value='SEED-CBC' $sel
> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='DES-EDE-CBC' $
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='CAST5-CBC' $se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> + <option value='SEED-CBC'
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> + <option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='DES-EDE-CBC' $
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> </select>
> </td>
>
> @@ -5210,12 +5210,12 @@ END
> <option value='AES-256-CBC'
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
> <option value='AES-192-CBC'
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
> <option value='AES-128-CBC'
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> - <option value='DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
> <option value='SEED-CBC'
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
> $Lang::tr{'bit'})</option>
> - <option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> - <option value='CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> + <option value='DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> + <option value='BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> + <option value='CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> </select>
> </td>
> <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
prev parent reply other threads:[~2018-02-12 13:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-08 8:54 Erik Kapfer
2018-02-12 13:09 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518440953.2541.67.camel@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox