From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak'
 in WUI menu
Date: Mon, 12 Feb 2018 13:09:13 +0000
Message-ID: <1518440953.2541.67.camel@ipfire.org>
In-Reply-To: <1518080098-22100-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0250889019368335235=="
List-Id: <development.lists.ipfire.org>

--===============0250889019368335235==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Merged.

On Thu, 2018-02-08 at 09:54 +0100, Erik Kapfer wrote:
> 64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so
> called 'Birthday attacks' .
>     Infos for 'Sweet32' Birthday attacks can be found in here
>         https://sweet32.info/ .
>     An Overview of 64 bit clock ciphers can also be found in here
>         http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64=
-bi
> t_blocks
>=20
> 1024 bit Diffie-Hellman parameter has also been marked as weak causing the
> 'Logjam Attack' .
>    Infos for 'Logjam Attack' can be found in here
>         https://weakdh.org/ .
>=20
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 24 ++++++++++++------------
>  1 file changed, 12 insertions(+), 12 deletions(-)
>=20
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 9f5e682..0fa1d04 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2002,7 +2002,7 @@ END
>  	    </select></td>
>  	<tr><td class=3D'base'>$Lang::tr{'ovpn dh'}:</td>
>  		<td class=3D'base'><select name=3D'DHLENGHT'>
> -				<option value=3D'1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
> +				<option value=3D'1024'
> $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn
> weak'}</option>
>  				<option value=3D'2048'
> $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
>  				<option value=3D'3072'
> $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
>  				<option value=3D'4096'
> $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
> @@ -4713,12 +4713,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
>  				<option value=3D'AES-256-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'},
> $Lang::tr{'default'})</option>
>  				<option value=3D'AES-192-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-128-CBC' 	 =09
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE3-CBC'	 =09
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value=3D'DESX-CBC' 		$sel
> ected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
> -				<option value=3D'SEED-CBC' 		$sel
> ected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</opti=
on>
> -				<option value=3D'BF-CBC' 		=09
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'CAST5-CBC' 		$se
> lected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value=3D'SEED-CBC' 		=09
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value=3D'DES-EDE3-CBC'	 =09
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DESX-CBC' 		=09
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DES-EDE-CBC' 		$
> selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'BF-CBC' 		=09
> 	$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'CAST5-CBC' 		=09
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
>  			</select>
>  		</td>
> =20
> @@ -5210,12 +5210,12 @@ END
>  				<option value=3D'AES-256-CBC'
> $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-192-CBC'
> $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'AES-128-CBC'
> $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192
> $Lang::tr{'bit'})</option>
> -				<option value=3D'DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
>  				<option value=3D'SEED-CBC'
> $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128
> $Lang::tr{'bit'})</option>
> -				<option value=3D'BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value=3D'CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value=3D'DES-EDE3-CBC'
> $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DESX-CBC'
> $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'DES-EDE-CBC'
> $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
> +				<option value=3D'BF-CBC'
> $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn
> weak'})</option>
> +				<option value=3D'CAST5-CBC'
> $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'},
> $Lang::tr{'vpn weak'})</option>
>  			</select>
>  		</td>
>      <tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'comp-lzo'}</td>

--===============0250889019368335235==--