From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Warning for broken algorithms .
Date: Mon, 21 Nov 2022 11:27:08 +0000
Message-ID: <6B0AE798-D529-4174-8735-35EA790A61A4@ipfire.org>
In-Reply-To: <20221121102221.13486-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3154901966816387239=="
List-Id: <development.lists.ipfire.org>

--===============3154901966816387239==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Erik,

Nice to see you on this list again :)

> On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer(a)ipfire.org> wrote:
>=20
> Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs cha=
ngelog
> for version 2.5.8 gives hints to get rid of BF-CBC for default configuation=
s,
> a warning will be displayed in the WUI if the user is running
> BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change
> as soon as possible to another more secure algorithm.

Well, this does not sound like good news. It is yet another change that would=
 break *lots* of existing OpenVPN setups.

Although the patch looks fine, I am not sure if this is the best way to go, b=
ecause if we tell people that their setup won=E2=80=99t be supported much lon=
ger, what alternatives are there?

Resetting to the default options, throwing away their CA and start from scrat=
ch is not an option. Even 20 connections are too many to manually update.

If they would actually do this, we will be back to square one really soon, be=
cause we still don=E2=80=99t have cipher negotiation.

We are also just accumulating warning messages at the top of the page which c=
annot be fixed. For years, we are showing some certificate warning and I am n=
ot sure why that actually is and what people can do about it?!

So, I fear that we will have to keep supporting those really outdated (and ye=
s, potentially dangerously insecure) setups for the lifetime of IPFire 2. If =
it isn=E2=80=99t an option to move forward to the latest version of OpenVPN w=
e would be in *very* big trouble.

Best,
-Michael

>=20
> The call of the pkiconfigcheck function is now located in the status page s=
ection.
>=20
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++--
> langs/de/cgi-bin/de.pl    |  3 +++
> langs/en/cgi-bin/en.pl    |  3 +++
> 3 files changed, 42 insertions(+), 2 deletions(-)
>=20
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index dc429d90c..5c34a5f4d 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} =3D '';
> $cgiparams{'DAUTH'} =3D '';
> $cgiparams{'TLSAUTH'} =3D '';
> $routes_push_file =3D "${General::swroot}/ovpn/routes_push";
> -# Perform crypto and configration test
> -&pkiconfigcheck;
>=20
> # Add CCD files if not already presant
> unless (-e $routes_push_file) {
> @@ -240,6 +238,39 @@ sub pkiconfigcheck
> }
> }
>=20
> + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or weak HMAC=
 is in usage
> + if (-f "${General::swroot}/ovpn/server.conf") {
> + my $oldciphers =3D "${General::swroot}/ovpn/server.conf";
> + open(FH, $oldciphers);
> + while(my $cipherstring =3D <FH>) {
> + if ($cipherstring =3D~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CB=
C|SHA1/) {
> + my @tempcipherstring =3D split(" ", $cipherstring);
> + $cryptowarning =3D "<br>$Lang::tr{'ovpn warning algorithm'}: <font color=
=3D'red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block=
 cipher'}";
> + goto CRYPTO_WARNING;
> + }
> + }
> + close(FH);
> + }
> +
> + # Warning for Net-to-Net connections if deprecated 64-bit-block ciphers o=
r HMAC is in usage
> + if (-f "${General::swroot}/ovpn/ovpnconfig") {
> + my $oldciphers =3D "${General::swroot}/ovpn/ovpnconfig";
> + open(FH, $oldciphers);
> + while(my $cipherstring =3D <FH>) {
> + if ($cipherstring =3D~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CB=
C/) {
> + my @tempcipherstring =3D split(",", $cipherstring);
> + $cryptowarning =3D "<br>$Lang::tr{'ovpn warning algorithm'}: <font color=
=3D'red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n=
2n'}<font color=3D'red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warni=
ng 64 bit block cipher'}</br>";
> + goto CRYPTO_WARNING;
> + }
> + if ($cipherstring =3D~ /SHA1/) {
> + my @tempcipherstring =3D split(",", $cipherstring);
> + $cryptowarning =3D "<br>$Lang::tr{'ovpn warning algorithm'}: <font color=
=3D'red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n=
2n'}<font color=3D'red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warni=
ng 64 bit block cipher'}</br>";
> + goto CRYPTO_WARNING;
> + }
> + }
> + }
> +
> +
> CRYPTO_WARNING:
> }
>=20
> @@ -5056,6 +5087,9 @@ END
>     my @status =3D <FILE>;
>     close(FILE);
>=20
> + # Perform crypto and configration test
> + &pkiconfigcheck;
> +
>     if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
> if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
>    my $ipaddr =3D <IPADDR>;
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index abfba5d5e..bb675ec34 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1982,6 +1982,9 @@
> 'ovpn subnet is invalid' =3D> 'Das OpenVPN-Subnetz ist ung=C3=BCltig.',
> 'ovpn subnet overlap' =3D> 'OpenVPNSubnetz =C3=BCberschneidet sich mit  ',
> 'ovpn tls auth' =3D> 'TLS-Kanalabsicherung:',
> +'ovpn warning 64 bit block cipher' =3D> 'Dieser Algorithmus ist unsicher u=
nd wird bald entfernt. <br>Bitte =C3=84ndern Sie dies auf beiden Seiten (Serv=
er und Client) so schnell wie m=C3=B6glich!</br>',
> +'ovpn warning algorithm' =3D> 'Folgender Algorithmus wurde konfiguriert',
> +'ovpn warning algorithm n2n' =3D> 'F=C3=BCr die Netz-zu-Netz Verbindung',
> 'ovpn warning rfc3280' =3D> 'Das Host Zertifikat ist nicht RFC3280 Regelkon=
form. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein =
neues Root und Host Zertifikat so bald wie m=C3=B6glich.</br><br>Es m=C3=BCss=
en dann alle OpenVPN clients erneuert werden!</br>',
> 'ovpn_fastio' =3D> 'Fast-IO',
> 'ovpn_fragment' =3D> 'Fragmentgr=C3=B6sse',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index bf18b22a2..9aaf3e765 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -2035,6 +2035,9 @@
> 'ovpn subnet is invalid' =3D> 'OpenVPN subnet is invalid.',
> 'ovpn subnet overlap' =3D> 'OpenVPN Subnet overlaps with : ',
> 'ovpn tls auth' =3D> 'TLS Channel Protection:',
> +'ovpn warning 64 bit block cipher' =3D> 'This encryption algorithm is brok=
en and will soon be removed. <br>Please change this on both sides (server and=
 client) as soon as possible!</br>',
> +'ovpn warning algorithm' =3D> 'The following algorithm was configured',
> +'ovpn warning algorithm n2n' =3D> 'For the Net-to-Net connection',
> 'ovpn warning rfc3280' =3D> 'Your host certificate is not RFC3280 compliant=
. <br>Please update to the latest IPFire version and generate as soon as poss=
ible a new root and host certificate.</br><br>All OpenVPN clients needs then =
to be renewed!</br>',
> 'ovpn_fastio' =3D> 'Fast-IO',
> 'ovpn_mssfix' =3D> 'MSSFIX Size',
> --=20
> 2.35.1
>=20


--===============3154901966816387239==--