From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN patchset from Erik's input
Date: Thu, 23 Feb 2023 16:16:02 +0000
Message-ID: <5FE78B6B-522C-4358-BE7F-31758B888F05@ipfire.org>
In-Reply-To: <a956baed-dce2-859d-1bb0-6bdb49ecd91a@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8287156918442705990=="
List-Id: <development.lists.ipfire.org>

--===============8287156918442705990==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Adolf,

> On 22 Feb 2023, at 17:10, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>=20
> Hi Michael,
>=20
> On 22/02/2023 17:17, Michael Tremer wrote:
>> Hello Adolf,
>>> On 22 Feb 2023, at 12:54, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>=20
>>> Hi Michael,
>>>=20
>>> On 22/02/2023 12:21, Michael Tremer wrote:
>>>> Hello Adolf,
>>>>> On 17 Feb 2023, at 11:46, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>>>=20
>>>>> Hi All,
>>>>>=20
>>>>>=20
>>>>> I got Erik's OpenVPN patchset from some time ago and have created an up=
dated patchset based on the current state of IPFire.
>>>> Okay. So I suppose it all applied well or you were able to fix any merge=
 conflicts.
>>> I had to end up applying all the patches manually. There were enough chan=
ges with the OTP stuff plus the change to the system commands that many Hunks=
 failed to apply plus I found one hunk that applied in the wrong place.
>>>=20
>>> So manual application just seemed the most secure if a bit long winded ap=
proach. That was why I created the new patch set because that is now based on=
 next so any changes can be done relative to that patch set.
>>>>> I applied those changes to ovpnmain.cgi and en.pl and installed them in=
to a vm clone on my testbed.
>>>>>=20
>>>>> Here are some images of the changes. Basically the ciphers are moved fr=
om the main page to an additional ciphers page.
>>>> Yes, this is something the user ideally does not need to change. I would=
 actually not hesitate too much to just hardcode something as 99% of people w=
ill be on the same settings.
>>>> However, I do not understand why there are different options for the con=
trol and data channel. I do not see any reason why I would want different set=
tings because I either support a certain cipher or I don=E2=80=99t. If I cons=
ider my data channel =E2=80=9Cless important=E2=80=9D or need more throughput=
 and use AES-128 instead of AES-256, then what is the benefit of keeping the =
control channel on AES-256?
>>>> Then there is labelling which isn=E2=80=99t clear to me. I suppose it wo=
rks as follows:
>>>> Data Channel is the new setting. It should in theory be possible to sele=
ct multiple options.
>>>> Data Channel fallback seems to be what used to be on the front page befo=
re and it should only allow to pick one option. If that is the case, then I b=
elieve that the UI suggests otherwise. This setting will then also go away wi=
th OpenVPN 2.6.0. Is that correct?
>>> That is what I would read it as. I will check if more than one option can=
 be selected in the fallback set.
>> Okay. Thank you.
> In the Data-Channel multiple ciphers can be selected. In the Data-Channel f=
allback only a single one can be selected so the same as we currently have.

That confirms my assumption.

> In the TLSv1.3 and TLSv1.2 boxes multiple options can be selected in both b=
ut interesting results found when I tested out various connections is that if=
 the boxes are left unselected then my Android Client negotiated the TLSv1.3 =
256 bit TLS-AES-GCM cipher. When I looked at the connection logs for the exis=
ting OpenVPN server connecting to my Android Phone with its existing connecti=
on profile it negotiated and connected with the same TLSv1.3 cipher on the Co=
ntrol Channel. So the Control Channel looks to be auto negotiated currently a=
nyway.
> This makes me wonder if we really need these options provided. If the Contr=
ol Channel is auto negotiated to the best available option for both server an=
d client that seems fine to me.

Yes, I believe this assumption is also true.

You could in theory limit what ciphers can be used, and there might be people=
 who don=E2=80=99t want to use anything with a key length of less than 128 bi=
ts or so.

> One thing I did find was that once an option in the Control Channel boxes h=
ad been selected then you can not unselect it.

As in the browser doesn=E2=80=99t allow you, or you get an error when you hit=
 the save button?

On Mac OS, you can hold the Command button if you want to deselect the last e=
ntry. If it is the first case, maybe Shift or Ctrl will do the same for you?

> That then means that auto negotiation no longer takes place but the option =
selected is chosen. If the TLSv1.3 options are unselected but one of the TLSv=
1.2 ones is selected then the client ignored the TLSv1.2 option and still aut=
o negotiated the best cipher for the connection.
>=20
> So seems to me that we could remove the control channel cipher option for b=
oth TLSv1.3 and 1.2 and leave it auto negotiate.

Hmm, I believe it probably really doesn=E2=80=99t matter what people select h=
ere. But since we know that some people might want to choose something other =
than the default, we might want to keep it - and it is already built already.

>>>> On the control channel the options are mislabeled. I suppose TLSv3 shoul=
d be TLSv1.3 and TLSv2 should be TLSv1.2 and possible less?!
>>> That sounds like what is intended.
>>>> I don=E2=80=99t really like it that there are two boxes, but since TLSv1=
.3 does not support many of the cipher suites that TLSv1.2 supports, there mi=
ght be no easy way around it. TLSv1.2 is on its way out, so we won=E2=80=99t =
need to support this for forever hopefully.
>>>> Authentication: If there is only one option, the <select> tag should not=
 look like it does currently where it suggests that multiple options can be s=
elected at the same time.
>>> I am also not sure if all are needed. I will need to check if TLS-Auth no=
 longer works with the TLSv1.3. TLS-Auth is what is currently working and I h=
aven't seen anything suggesting it is deprecated. SHA2 512 bit seems strong e=
nough for the moment and is not at risk from being broken as far as I am awar=
e. I would just remove the SHA1 has as that is definitely not recommended any=
 more.
>>> It would be simpler and easier if that stayed just with TLS-Auth if that =
works with TLSv1.3. I will check into that.
>> If we currently only support TLS-Auth I would like to keep it that way unt=
il we have rolled out this stuff as it should have priority.
> I tested out 5 different connection profiles with my Android phone. Everyon=
e of them worked. That includes the existing profile which just worked as exp=
ected using 256 bit AES-GCM with TLS=3DAuth with SHA2 512 bit without needing=
 to change anything in the Advanced Encryption Settings page.
>=20
> I ran the following combinations:-
>=20
> SHA2 512 bit with TLS-Auth (Existing Connection)
> SHA2 512 bit with TLS-Crypt
> SHA2 512 bit with TLS-Crypt-V2
> Blake2 512 bit with TLS-Auth
> Blake2 512 bit with TLS-Crypt-V2
> SHA3 512 bit with TLS-Auth
>=20
> With TLS-Crypt-V2, which gives profile specific Control Channel encryption =
keys, It looks like the Hash Algorithm may be fixed. At least it was 256 bit =
(probably SHA3 256 bit) in both cases I tested, i.e. ignoring the hash algori=
thm selected in the box. Not sure if that is the code or what should happen w=
ith Crypt-V2.
>=20
> So everything works, at least with my Android client, but starting with jus=
t TLS-Auth as we currently use seems to make sense and then we can later on a=
dd the TLS-Crypt option which encrypts the Control Channel before any communi=
cation starts at all.

Okay, this is really good to know.

But did you reload the configuration file from the web UI into your client ea=
ch time, or are you able to change all these options on the server and the cl=
ient will automatically negotiate only what you have configured?

I believe that TLS-Auth/-Crypt will require you to change the client configur=
ation as it includes another key?

> I will test a few connection profiles also with my Linux laptop to confirm =
no differences in how things work.

Luckily, OpenVPN has the same bugs on all platforms as it is the same code ba=
se. IPsec has different implementations with different features and bugs.

So hopefully, if it works on one OS, it should be fine on the others. Especia=
lly since we are dealing with low-level things and nothing that requires some=
 user interaction like OTP did recently.

>> This is all tedious enough already, so let=E2=80=99s not make it more comp=
licated, but rather roll out incremental changes that we can better build and=
 test.
>>>> What does 64-bit/8-32bit optimised mean for Blake2?
>>> I have no idea.
>>>> Why is there an extra button for the encryption settings? Why is this no=
t part of the advanced options?
>>> I don't know but putting it all on the advanced options page wouldn't be =
too difficult ( says he keeping he fingers well crossed).
>> I am sure it is less fun than creating a new clean page, but we cannot out=
source all of our problems to the user. A few maybe, but not all :)
> If my remaining tests with my laptop don't flag some unexpected issues then=
 I will have a look at the code and the patches and look at moving the encryp=
tion options to the Advanced Options page. Also I will look at only having TL=
S-Auth and, unless I hear back to the contrary, removing the Control Channel =
cipher selection boxes completely.

That sounds good, but I would vote for keeping the cipher suites. Well, to be=
 honest I don=E2=80=99t know. I don=E2=80=99t see how anyone wants anything e=
lse than AES-256-GCM/CBC.

But what is the reason for TLS-Auth going? I think I didn=E2=80=99t get this =
right.

> I will do it in stages and test out as I go along. Can't promise it will be=
 very fast but if I hit any roadblocks I will report back for help.

Absolutely come back here for help. The CGI is very fragile and it won=E2=80=
=99t be a fun job anyways, so get all the help you need and let=E2=80=99s sha=
re the pain.

-Michael

>=20
> Regards,
> Adolf
>>>>> 1st image is current status of the main page, 2nd image is the modified=
 main page and the 3rd is the Advanced Encryption settings page.
>>>>>=20
>>>>> I will also upload the updated patches to my ipfire git repo
>>>>>=20
>>>>> https://git.ipfire.org/?p=3Dpeople/bonnietwin/ipfire-2.x.git;a=3Dsummary
>>>> So this is a good start, but the UI is not making this process easy.
>>>> I had a brief look at the code and it looks okay. Our CGIs are quite mes=
sy anyways, so I do not think it is worth adding the most polished code here =
:) This should not mean that we can just do whatever because we are just maki=
ng future changes even more difficult for ourselves.
>>>> I didn=E2=80=99t apply this to my system and test. Did you do this? Does=
 it work with various client version of OpenVPN?
>>> I put it onto a vm clone on my system to get the screenshots. I haven't t=
ested various options yet as I have been a bit busy with clearing out some bu=
gs but I will do that and report back on it.
>>> My only problem with that is that all my clients are up to date so I don'=
t have any that would only work with older ciphers but at least I can check t=
hat everything works with my Android phone and my Linux laptop with various c=
iphers etc selected.
>> Okay, I just wanted to get a feeling with where we are at with this all be=
fore we talk too much about the UI.
>> -Michael
>>>=20
>>> Regards,
>>> Adolf
>>>> -Michael
>>>>>=20
>>>>>=20
>>>>> Regards,
>>>>>=20
>>>>> Adolf.
>>>>>=20
>>>>> <Screenshot - main page.png><Screenshot - modified main page.png><Scree=
nshot - advanced encryptions settings page.png>
>>>=20
>>> --=20
>>> Sent from my laptop



--===============8287156918442705990==--