From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] openvpn: Warning for broken algorithms .
Date: Mon, 21 Nov 2022 15:09:40 +0100 [thread overview]
Message-ID: <8e202db1c4a70af46b408aa4d10a6ded4358eabd.camel@ipfire.org> (raw)
In-Reply-To: <6B0AE798-D529-4174-8735-35EA790A61A4@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 8521 bytes --]
Hi Michael,
Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer:
> Hello Erik,
>
> Nice to see you on this list again :)
Good to see some answers again from you :-)
>
> > On 21 Nov 2022, at 10:22, Erik Kapfer <erik.kapfer(a)ipfire.org>
> > wrote:
> >
> > Since OpenSSL-3.x will remove all 64 bit block-cipher but also
> > OpenVPNs changelog
> > for version 2.5.8 gives hints to get rid of BF-CBC for default
> > configuations,
> > a warning will be displayed in the WUI if the user is running
> > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to
> > change
> > as soon as possible to another more secure algorithm.
>
> Well, this does not sound like good news. It is yet another change
> that would break *lots* of existing OpenVPN setups.
It would need work from user side to change the cipher/HMAC in the WUI
and on client.ovpn if not already AES, Camelia or Seed has been chosen.
>
> Although the patch looks fine, I am not sure if this is the best way
> to go, because if we tell people that their setup won’t be supported
> much longer, what alternatives are there?
I think with the Sweet32 birthday attacks a lot of things has been
changed where even OpenSSL started with fundamental changes and i think
/hope it will go further in the crypto world which is also not that far
away with things like PQC so things are changing here more or less
rapidly.
>
> Resetting to the default options, throwing away their CA and start
> from scratch is not an option. Even 20 connections are too many to
> manually update.
This patch does not focus the CA, changes needs to be done with the
cipher/HMAC selection on server.conf and client.ovpn .
>
> If they would actually do this, we will be back to square one really
> soon, because we still don’t have cipher negotiation.
Am pretty alone on testing side and resonance in general with this but
the negotiation works here for me -->
https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with
version >= 2.5.0 .
>
> We are also just accumulating warning messages at the top of the page
> which cannot be fixed. For years, we are showing some certificate
> warning and I am not sure why that actually is and what people can do
> about it?!
Generating a new PKI was the intention with this which should be made
in my opinion otherwise all that might be a kind of security by
obscurity.
We throwed already away the DH warning messages with Peter´s DH Patch,
the MD5 message should be showed as you mentioned it, long enough and
should be ready to be deleted maybe ? Changes might be hard in that
topic but as in life, sometimes important ;-) ?
>
> So, I fear that we will have to keep supporting those really outdated
> (and yes, potentially dangerously insecure) setups for the lifetime
> of IPFire 2. If it isn’t an option to move forward to the latest
> version of OpenVPN we would be in *very* big trouble.
It is mainly OpenSSL not that much OpenVPN as one can see already with
the PKCS#12 decryption problem... with the legacy mode it might also be
a possibility to ride a dead horse.
>
> Best,
> -Michael
All the best,
Erik
>
> >
> > The call of the pkiconfigcheck function is now located in the
> > status page section.
> >
> > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > ---
> > html/cgi-bin/ovpnmain.cgi | 38
> > ++++++++++++++++++++++++++++++++++++--
> > langs/de/cgi-bin/de.pl | 3 +++
> > langs/en/cgi-bin/en.pl | 3 +++
> > 3 files changed, 42 insertions(+), 2 deletions(-)
> >
> > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > index dc429d90c..5c34a5f4d 100644
> > --- a/html/cgi-bin/ovpnmain.cgi
> > +++ b/html/cgi-bin/ovpnmain.cgi
> > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = '';
> > $cgiparams{'DAUTH'} = '';
> > $cgiparams{'TLSAUTH'} = '';
> > $routes_push_file = "${General::swroot}/ovpn/routes_push";
> > -# Perform crypto and configration test
> > -&pkiconfigcheck;
> >
> > # Add CCD files if not already presant
> > unless (-e $routes_push_file) {
> > @@ -240,6 +238,39 @@ sub pkiconfigcheck
> > }
> > }
> >
> > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or
> > weak HMAC is in usage
> > + if (-f "${General::swroot}/ovpn/server.conf") {
> > + my $oldciphers = "${General::swroot}/ovpn/server.conf";
> > + open(FH, $oldciphers);
> > + while(my $cipherstring = <FH>) {
> > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-
> > EDE3-CBC|SHA1/) {
> > + my @tempcipherstring = split(" ", $cipherstring);
> > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
> > color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning
> > 64 bit block cipher'}";
> > + goto CRYPTO_WARNING;
> > + }
> > + }
> > + close(FH);
> > + }
> > +
> > + # Warning for Net-to-Net connections if deprecated 64-bit-block
> > ciphers or HMAC is in usage
> > + if (-f "${General::swroot}/ovpn/ovpnconfig") {
> > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
> > + open(FH, $oldciphers);
> > + while(my $cipherstring = <FH>) {
> > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-
> > EDE3-CBC/) {
> > + my @tempcipherstring = split(",", $cipherstring);
> > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
> > color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn
> > warning algorithm n2n'}<font color='red'>
> > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block
> > cipher'}</br>";
> > + goto CRYPTO_WARNING;
> > + }
> > + if ($cipherstring =~ /SHA1/) {
> > + my @tempcipherstring = split(",", $cipherstring);
> > + $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
> > color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn
> > warning algorithm n2n'}<font color='red'>
> > $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block
> > cipher'}</br>";
> > + goto CRYPTO_WARNING;
> > + }
> > + }
> > + }
> > +
> > +
> > CRYPTO_WARNING:
> > }
> >
> > @@ -5056,6 +5087,9 @@ END
> > my @status = <FILE>;
> > close(FILE);
> >
> > + # Perform crypto and configration test
> > + &pkiconfigcheck;
> > +
> > if ($cgiparams{'VPN_IP'} eq '' && -e
> > "${General::swroot}/red/active") {
> > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
> > my $ipaddr = <IPADDR>;
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > index abfba5d5e..bb675ec34 100644
> > --- a/langs/de/cgi-bin/de.pl
> > +++ b/langs/de/cgi-bin/de.pl
> > @@ -1982,6 +1982,9 @@
> > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
> > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ',
> > 'ovpn tls auth' => 'TLS-Kanalabsicherung:',
> > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist
> > unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf
> > beiden Seiten (Server und Client) so schnell wie möglich!</br>',
> > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde
> > konfiguriert',
> > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung',
> > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280
> > Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und
> > generieren sie ein neues Root und Host Zertifikat so bald wie
> > möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert
> > werden!</br>',
> > 'ovpn_fastio' => 'Fast-IO',
> > 'ovpn_fragment' => 'Fragmentgrösse',
> > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > index bf18b22a2..9aaf3e765 100644
> > --- a/langs/en/cgi-bin/en.pl
> > +++ b/langs/en/cgi-bin/en.pl
> > @@ -2035,6 +2035,9 @@
> > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
> > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
> > 'ovpn tls auth' => 'TLS Channel Protection:',
> > +'ovpn warning 64 bit block cipher' => 'This encryption algorithm
> > is broken and will soon be removed. <br>Please change this on both
> > sides (server and client) as soon as possible!</br>',
> > +'ovpn warning algorithm' => 'The following algorithm was
> > configured',
> > +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection',
> > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280
> > compliant. <br>Please update to the latest IPFire version and
> > generate as soon as possible a new root and host
> > certificate.</br><br>All OpenVPN clients needs then to be
> > renewed!</br>',
> > 'ovpn_fastio' => 'Fast-IO',
> > 'ovpn_mssfix' => 'MSSFIX Size',
> > --
> > 2.35.1
> >
>
next prev parent reply other threads:[~2022-11-21 14:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-21 10:22 Erik Kapfer
2022-11-21 11:27 ` Michael Tremer
2022-11-21 14:05 ` ummeegge
2022-11-21 14:09 ` ummeegge [this message]
2022-11-21 14:41 ` Michael Tremer
2022-11-21 15:36 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8e202db1c4a70af46b408aa4d10a6ded4358eabd.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox