From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: Re: Status update on openvpn work Date: Mon, 09 Oct 2023 19:26:09 +0200 Message-ID: <6c851037-58d6-45c9-99a1-0ee5f6074aa8@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4826237687983418664==" List-Id: --===============4826237687983418664== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi All, I thought it was too good to be true. Before creating a client connection with something like BlowFish I thought I = would just test the server settings with selecting BF in the data-ciphers-fal= lback selection box. Then pressed Start OpenVPN Server and nothing happened. Checked the logs and = there is the openssl error OpenSSL: error:0308010C:digital envelope routines::unsupported which occurs because Openssl-3.x doesn't support the older ciphers like BF un= less legacy is selected. In this case I think it is the OpenVPN server conf f= ile that requires the providers legacy default to be included, rather than the client conf file. Still it does feel like two steps forward and one backwards so overall still = making progress. Regards, Adolf. On 09/10/2023 14:05, Adolf Belka wrote: > Hi All, > > > Over the last week I have been working on the openvpn update using Erik's p= revious patches as my starting point. > > My first attempt to try and be able to understand the changes from each pat= ch to figure out what I needed to do proved difficult for me to work with. > > What I then did was take the current ovpnmain.cgi and apply all of Erik's p= atches to it. > > Then I have gone through that new version of ovpnmain.cgi and made the chan= ges based on previous discussions with Michael. > > So I have removed the b2sum options that were present for the Data and Chan= nel Authentication. > > I also moved all the cryptographic options from an additional advanced cryp= tographic options button into the Advanced Server options button. > > I was successful in doing all the above and then tested the ovpnmain.cgi ou= t with a vm using the existing openvpn-2.5.9 version for openvpn. > > My old profile for my laptop which had a ciphers entry worked without any p= roblem. My laptop was working withy openvpn-2.6.6 > > I then created a new profile using the new ovpnmain.cgi using the negotiati= on option which ended up with a data-ciphers line. That also worked in making= a successful openvpn tunnel with my laptop without any issues. > > I then downgraded my laptop to openvpn-2.4.8 and had to install openvpn-1.1= .1 to make that work. > > With that client version on my laptop both the old and new profiles connect= ed with a tunnel with no problems. > > I then tried downgrading my laptop to openvpn-2.3.14 but to make this work = I would have had to downgrade the laptop to openssl-1.0.0 which I was not wil= ling to do as that is very old and very insecure. > > The oldest openvpn version working with openssl-1.1.1 is 2.4.0 which is nea= rly 7 years old. > > That version also worked with both the old and new laptop profiles. > > I then tested out the openvpn server on my IPFire vm with a 2.6.0 and 2.6.6= version of openvpn. > > Both these openvpn versions worked with both the old and new laptop connect= ion profiles with my laptop on version 2.4.0 and on 2.6.6 > > All the above was using network manager with its openvpn plugin option on t= he laptop for making the openvpn tunnel connections. > > As far as I can tell everything is working fine when negotiation is specifi= ed on the server. Old profiles that just use the cipher option also work fine= . Therefore my plan is to only use the negotiation option and not make it sel= ectable for older clients. The data-ciphers-fallback option in the server see= ms to be doing its job. > > The negotiation option on the server was able to connect to a 2.4.0 client = on my laptop. > > According to the OpenVPN wiki on cipher negotiation the data-ciphers-fallba= ck option will work with 2.4.x and 2.3.x clients. As the 2.3.x clients need t= o be using openssl-1.0.0 then I think if those clients work then fine but not= hing further back. > > Overall, I am very happy with what I have succeeded in doing so far. I achi= eved things much quicker than I had expected. > > I will now try and see about creating a profile on a CU 179 based system th= at uses one of the old insecure ciphers such as Blow Fish and restore that in= to my evaluation vm and see how that works with my laptop when I have it down= graded to openvpn-2.4.0 > > I already know that if the laptop is at openvpn-2.6.6 then it will not acce= pt a blowfish cipher (or another weak cipher such as DES) as that is somethin= g I tested in the past. > > If that also works then my plan will be to take the updated ovpnmain.cgi an= d split the changes into a new range of patches and then submit them for cons= ideration. > > That will probably end up later in November as I will be busy with personal= things at the end of October / beginning of November. > > > Regards, > > Adolf. > --===============4826237687983418664==--