Ooops, my mail client goes wild and fires some more mails of the same content :-| . Am Montag, dem 21.11.2022 um 14:41 +0000 schrieb Michael Tremer: > Hey, > > > On 21 Nov 2022, at 14:09, ummeegge wrote: > > > > Hi Michael, > > > > Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: > > > Hello Erik, > > > > > > Nice to see you on this list again :) > > Good to see some answers again from you :-) > > > > > > > > > On 21 Nov 2022, at 10:22, Erik Kapfer > > > > wrote: > > > > > > > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also > > > > OpenVPNs changelog > > > > for version 2.5.8 gives hints to get rid of BF-CBC for default > > > > configuations, > > > > a warning will be displayed in the WUI if the user is running > > > > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also > > > > SHA1 to > > > > change > > > > as soon as possible to another more secure algorithm. > > > > > > Well, this does not sound like good news. It is yet another > > > change > > > that would break *lots* of existing OpenVPN setups. > > It would need work from user side to change the cipher/HMAC in the > > WUI > > and on client.ovpn if not already AES, Camelia or Seed has been > > chosen. > > Exactly. That would require every single client to be changed, too. No other way to deliver the (un)trust which projects like OpenSSL have in their own development. > > > > > > > Although the patch looks fine, I am not sure if this is the best > > > way > > > to go, because if we tell people that their setup won’t be > > > supported > > > much longer, what alternatives are there? > > I think with the Sweet32 birthday attacks a lot of things has been > > changed where even OpenSSL started with fundamental changes and i > > think > > /hope it will go further in the crypto world which is also not that > > far > > away with things like PQC so things are changing here more or less > > rapidly. > > I am not in favour of not moving forward. People should absolutely > *not* be using Blowfish. Yes, even a cipher renegotiation for 64 bit block-ciphers will be forced with a reneg-bytes 64000000 per default from OpenVPN! > > However, fact is, that plenty of people are using this out there. How > many? We don’t know. > > But we need a migration path no matter what. Have you an idea what should be done or how to proceed further ? > > > > > > > Resetting to the default options, throwing away their CA and > > > start > > > from scratch is not an option. Even 20 connections are too many > > > to > > > manually update. > > This patch does not focus the CA, changes needs to be done with the > > cipher/HMAC selection on server.conf and client.ovpn . > > > > > > > > If they would actually do this, we will be back to square one > > > really > > > soon, because we still don’t have cipher negotiation. > > Am pretty alone on testing side and resonance in general with this > > but > > the negotiation works here for me --> > > https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients > > with > > version >= 2.5.0 . > > Hmm, it is not surprising if development happens off list. > > Coordination, looking for help and so on should happen here, because > this is where the people are :) Lot´s of stuff here as before but may in much smaller portions ? > > > > > > > We are also just accumulating warning messages at the top of the > > > page > > > which cannot be fixed. For years, we are showing some certificate > > > warning and I am not sure why that actually is and what people > > > can do > > > about it?! > > Generating a new PKI was the intention with this which should be > > made > > in my opinion otherwise all that might be a kind of security by > > obscurity. > > We throwed already away the DH warning messages with Peter´s DH > > Patch, > > the MD5 message should be showed as you mentioned it, long enough > > and > > should be ready to be deleted maybe ? Changes might be hard in that > > topic but as in life, sometimes important ;-) ? > > Showing a warning does not change a lot for us: > > We will still have to support the old ciphers/etc. because they are > in use. > > And we will have to do that because there is no way for users to > migrate. Are there plans how to operate with OpenSSL-3.x ? If the wheel is turning in this way there will be a long rat-tail as time goes by... > > > > So, I fear that we will have to keep supporting those really > > > outdated > > > (and yes, potentially dangerously insecure) setups for the > > > lifetime > > > of IPFire 2. If it isn’t an option to move forward to the latest > > > version of OpenVPN we would be in *very* big trouble. > > It is mainly OpenSSL not that much OpenVPN as one can see already > > with > > the PKCS#12 decryption problem... with the legacy mode it might > > also be > > a possibility to ride a dead horse. > > I would *really* like for OpenVPN to be a dead horse, because it is a > pain. It is one of the largest CGI files we have; we have plenty of > glue-code that is using very interesting hacks for implementing > things like 2FA. > > But the alternatives like Wireguard do not seem to be taking off > either. So, OpenVPN is and remains the de-facto standard solution to > connect mobile devices to IPFire. And that will probably remain the > case for a very long time to come. > > So, we will need to find a way how we can support OpenVPN well. Right > now it really feels like a pile of work whenever there is a new > release out there. We still rely on many deprecated features and we > will need to make sure to get rid of them if we want to have a chance > to maintain this with reasonable effort. I feel you as you can imagine :-) but here again, first steps ? There are really lot´s of ideas and of already done work but it makes no sense to went here on as a lone warrior even the work has been far beyond a reasonable effort spoken for myself! > > Best, > -Michael > > > > > > > Best, > > > -Michael > > > > All the best, > > > > Erik > > > > > > > > > > > > > The call of the pkiconfigcheck function is now located in the > > > > status page section. > > > > > > > > Signed-off-by: Erik Kapfer > > > > --- > > > > html/cgi-bin/ovpnmain.cgi | 38 > > > > ++++++++++++++++++++++++++++++++++++-- > > > > langs/de/cgi-bin/de.pl    |  3 +++ > > > > langs/en/cgi-bin/en.pl    |  3 +++ > > > > 3 files changed, 42 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi- > > > > bin/ovpnmain.cgi > > > > index dc429d90c..5c34a5f4d 100644 > > > > --- a/html/cgi-bin/ovpnmain.cgi > > > > +++ b/html/cgi-bin/ovpnmain.cgi > > > > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > > > > $cgiparams{'DAUTH'} = ''; > > > > $cgiparams{'TLSAUTH'} = ''; > > > > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > > > > -# Perform crypto and configration test > > > > -&pkiconfigcheck; > > > > > > > > # Add CCD files if not already presant > > > > unless (-e $routes_push_file) { > > > > @@ -240,6 +238,39 @@ sub pkiconfigcheck > > > > } > > > > } > > > > > > > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers > > > > or > > > > weak HMAC is in usage > > > > + if (-f "${General::swroot}/ovpn/server.conf") { > > > > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > > > > + open(FH, $oldciphers); > > > > + while(my $cipherstring = ) { > > > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE- > > > > CBC|DES- > > > > EDE3-CBC|SHA1/) { > > > > + my @tempcipherstring = split(" ", $cipherstring); > > > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > > > > > > > color='red'>$tempcipherstring[1]
$Lang::tr{'ovpn > > > > warning > > > > 64 bit block cipher'}"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + } > > > > + close(FH); > > > > + } > > > > + > > > > + # Warning for Net-to-Net connections if deprecated 64-bit- > > > > block > > > > ciphers or HMAC is in usage > > > > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > > > > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > > > > + open(FH, $oldciphers); > > > > + while(my $cipherstring = ) { > > > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE- > > > > CBC|DES- > > > > EDE3-CBC/) { > > > > + my @tempcipherstring = split(",", $cipherstring); > > > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > > > > > > > color='red'>$tempcipherstring[41]
$Lang::tr{'ovpn > > > > warning algorithm n2n'} > > > > $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit > > > > block > > > > cipher'}
"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + if ($cipherstring =~ /SHA1/) { > > > > + my @tempcipherstring = split(",", $cipherstring); > > > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > > > > > > > color='red'>$tempcipherstring[40]
$Lang::tr{'ovpn > > > > warning algorithm n2n'} > > > > $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit > > > > block > > > > cipher'}
"; > > > > + goto CRYPTO_WARNING; > > > > + } > > > > + } > > > > + } > > > > + > > > > + > > > > CRYPTO_WARNING: > > > > } > > > > > > > > @@ -5056,6 +5087,9 @@ END > > > >     my @status = ; > > > >     close(FILE); > > > > > > > > + # Perform crypto and configration test > > > > + &pkiconfigcheck; > > > > + > > > >     if ($cgiparams{'VPN_IP'} eq '' && -e > > > > "${General::swroot}/red/active") { > > > > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > > > >    my $ipaddr = ; > > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > > > index abfba5d5e..bb675ec34 100644 > > > > --- a/langs/de/cgi-bin/de.pl > > > > +++ b/langs/de/cgi-bin/de.pl > > > > @@ -1982,6 +1982,9 @@ > > > > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist > > > > ungültig.', > > > > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich > > > > mit  ', > > > > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > > > > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist > > > > unsicher und wird bald entfernt.
Bitte Ändern Sie dies auf > > > > beiden Seiten (Server und Client) so schnell wie > > > > möglich!
', > > > > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde > > > > konfiguriert', > > > > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz > > > > Verbindung', > > > > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht > > > > RFC3280 > > > > Regelkonform.
Bitte IPFire auf die letzte Version updaten > > > > und > > > > generieren sie ein neues Root und Host Zertifikat so bald wie > > > > möglich.

Es müssen dann alle OpenVPN clients erneuert > > > > werden!
', > > > > 'ovpn_fastio' => 'Fast-IO', > > > > 'ovpn_fragment' => 'Fragmentgrösse', > > > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > > > index bf18b22a2..9aaf3e765 100644 > > > > --- a/langs/en/cgi-bin/en.pl > > > > +++ b/langs/en/cgi-bin/en.pl > > > > @@ -2035,6 +2035,9 @@ > > > > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > > > > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > > > > 'ovpn tls auth' => 'TLS Channel Protection:', > > > > +'ovpn warning 64 bit block cipher' => 'This encryption > > > > algorithm > > > > is broken and will soon be removed.
Please change this on > > > > both > > > > sides (server and client) as soon as possible!
', > > > > +'ovpn warning algorithm' => 'The following algorithm was > > > > configured', > > > > +'ovpn warning algorithm n2n' => 'For the Net-to-Net > > > > connection', > > > > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 > > > > compliant.
Please update to the latest IPFire version and > > > > generate as soon as possible a new root and host > > > > certificate.

All OpenVPN clients needs then to be > > > > renewed!
', > > > > 'ovpn_fastio' => 'Fast-IO', > > > > 'ovpn_mssfix' => 'MSSFIX Size', > > > > -- > > > > 2.35.1 > >