From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] OpenVPN: mark CBC ciphers as weak in WebUI
Date: Mon, 10 Jun 2019 18:36:00 +0000
Message-ID: <5c5b7f38-c7c5-2c35-5f46-b4aca620d54b@ipfire.org>

CBC is vulnerable to a bunch of vulnerabilities (MAC-then-encrypt, Padding Oracle, ...) which were considered to be an academic threat. However, research such as https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities indicates these issues are more serious.

Therefore, this patch marks the remaining CBC ciphers (AES-CBC, SEED-CBC and CAMELLIA-CBC) as "weak"; they should be avoided in future.

It does not change the default, which is AES-256-CBC for compatibility reasons. Whether this can be changed or not needs to be discussed.

Signed-off-by: Peter Müller
Cc: Erik Kapfer
---
 html/cgi-bin/ovpnmain.cgi | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 439390228..ae1fe8e77 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2014 IPFire Team = # +# Copyright (C) 2007-2019 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # 
@@ -4516,7 +4516,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DCIPHER'}{'CAST5-CBC'} =3D ''; $selected{'DCIPHER'}{'BF-CBC'} =3D ''; $selected{'DCIPHER'}{'DES-CBC'} =3D ''; - # If no cipher has been chossen yet, select + # If no cipher has been chosen yet, select # the old default (AES-256-CBC) for compatiblity reasons. if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} =3D 'AES-256-CBC'; @@ -4668,13 +4668,13 @@ if ($cgiparams{'TYPE'} eq 'net') { - - - - - - - + + + + + + @@ -5052,7 +5052,7 @@ END } } =20 -#default setzen +# set default values if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} =3D 'AES-256-CBC'; } --=20 2.16.4 --===============0496299193705199590==--
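Review bot: the copyright year bump in the @@ -2 hunk (2007-2014 to 2007-2019) is unrelated to the cipher labelling and is not mentioned in the commit message; either add a sentence about it or carry it as a separate housekeeping patch so the cipher change stays reviewable on its own.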
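Review bot: the unchanged context line right after the corrected comment in the @@ -4516 hunk still misspells "compatiblity" ("# the old default (AES-256-CBC) for compatiblity reasons."); since this hunk already fixes "chossen" to "chosen" in the line above, fix the spelling on the second line of the same two-line comment here as well instead of leaving it half corrected.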
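Review bot: the replaced option lines in the @@ -4668 hunk are not visible in this rendering (only the seven "-" and six "+" markers survive, the markup itself has been stripped), so the new labels cannot be checked from the mail; please confirm in the actual diff that every AES-*-CBC, CAMELLIA-*-CBC and SEED-CBC entry carries the same "weak" marker wording the commit message describes, and that AES-256-CBC, which the @@ -4516 and @@ -5052 hunks still preselect as the default, is among them. Because this is a label-only change, existing configurations and the preselected default are untouched, so the WebUI will now preselect an option it marks as weak; a short hint next to that entry or in the help text explaining why the default is kept for compatibility would save users from filing it as a bug.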
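Review bot: the @@ -5052 hunk only translates the German comment and leaves a second copy of the default logic in place; `if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'AES-256-CBC'; }` now appears both here and in the @@ -4516 hunk with the cipher name hardcoded twice. Since the commit message says moving the default away from AES-256-CBC is still to be discussed, hoisting the string into a single variable would make that later change a one-line edit and keep the two sites from drifting apart. Minor wording point: "# set default values" is plural, while the block shown in this hunk only sets DCIPHER, so "# set default cipher" would describe it more accurately.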