From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: Re: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW Date: Tue, 27 Feb 2018 07:23:06 +0100 Message-ID: <1519712586.16669.20.camel@ipfire.org> In-Reply-To: <1519640690.5664.31.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2359539054028954050==" List-Id: --===============2359539054028954050== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, Am Montag, den 26.02.2018, 10:24 +0000 schrieb Michael Tremer via Development: > Hi, >=20 > some ECC in OpenVPN would be really nice. We have that in IPsec for > quite a > while now and it makes the tunnels come up a lot faster and we can > assume that > it is more secure, too. I can confirm this here too, the key exchange on IPFires updated OpenVPN looks now like this Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 8192 bit RSA even i used 8192 bit in my testing scenario (normally 2048 bit) the connection build up and the key exchange is really fast. >=20 > ChaCha20-Poly1305 is quite interesting, too. It is an AEAD just like > AES-*-GCM. > It is supposed to be really fast on mobile devices and an alternative > to AES. We > only have one other alternative to AES which is Camellia. But that > one does not > seem to receive a lot of love these days. Seed is also available which did not marked as 'weak' but possibly not as wid= ely used as the others=C2=A0 i think. A modern cipher usage from Mozilla can be found in here -->=C2=A0 https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility whereby there are some limitations for IPFire since we do not have currently the possiblity for ECDSA instead of RSA, also OpenVPN limits at this time cha= racter lenght to=20 256 'Maximum optione line length (256) exceeded' which should be a known bug = and also a fixed one https://community.openvpn.net/openvpn/ticket/631 but it appears again in 2.4.4 . Checked it and this ipfire-server openvpnserver[16775]:=C2=A0=C2=A0=C2=A0cipher_list =3D 'TLS-ECD= HE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-EC= DHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-= SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' was the maximum.=C2=A0 >=20 > In contrast to Camellia, AES is usually hardware-accelerated whereas > ChaCha20 > can be implemented very efficiently in software that it does not > consume too > much CPU time at all. Perfect for mobile to save battery life. >=20 > Probably there is not very good support for ChaCha20-Poly1305 out > there. So AES > will be the default, but we would have a very good alternative for > anyone who > know what they are doing. If someone wants to use ChaCha20-Poly1305 this should be no problem via via the "Additional configuration". May we should set also AES-256-GCM as default cipher instead of AES- 256-CBC in ovpnmain.cgi ?! ECDSA instead of RSA might be also worth to think about but as i said, this implies huge changes. >=20 > Best, > -Michael >=20 > On Mon, 2018-02-26 at 07:48 +0100, ummeegge wrote: > >=20 > > Hi Michael, > >=20 > > Am Sonntag, den 25.02.2018, 17:06 +0000 schrieb Michael Tremer via > > Development: > > >=20 > > > Hi, > > >=20 > > > I suppose this looks alright. > > OK > >=20 > > >=20 > > >=20 > > > Does OpenVPN 2.4 support ChaCha20-Poly1305, too? > > Yes, but i think only via the '--tls-cipher' directive which IPFire > > currently do not supports via WUI. Made a quick try over the > > server.conf.local and the additional configuration. > >=20 > > server.conf.local entries: > >=20 > > tls-version-min 1.2 > > tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 > >=20 > > whereby the server logs points the following out:=C2=A0 > >=20 > > Feb 26 07:19:47 ipfire-prime openvpnserver[10190]:=C2=A0=C2=A0=C2=A0ciphe= r_list =3D > > 'TLS-ECDHE- > > RSA-WITH-CHACHA20-POLY1305-SHA256' > >=20 > > But in general we step into a new crypto era with OpenVPN since ECC > > is now > > fully integrated in OpenVPN. > >=20 > > Under the hood we will discover now also ECDHE for the control > > channel without > > changing anything so the EC crypto is now partly available=C2=A0 > > with Core 120. > >=20 > > But pure elliptic curve crypto is also possible e.g. > > https://forums.openvpn.net/viewtopic.php?t=3D23227 > > but this would be a huge amount of changes in ovpnmain.cgi but may > > it is worth > > it. Let=C2=B4s see... > >=20 > > >=20 > > >=20 > > > -Michael > > Greetings, > >=20 > > Erik > >=20 --===============2359539054028954050==--