From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN patchset from Erik's input
Date: Wed, 22 Feb 2023 18:10:19 +0100
Message-ID: <a956baed-dce2-859d-1bb0-6bdb49ecd91a@ipfire.org>
In-Reply-To: <618509F0-367D-419B-93FE-9750132F2C9B@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8222602966656783138=="
List-Id: <development.lists.ipfire.org>

--===============8222602966656783138==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,

On 22/02/2023 17:17, Michael Tremer wrote:
> Hello Adolf,
>=20
>> On 22 Feb 2023, at 12:54, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Hi Michael,
>>
>> On 22/02/2023 12:21, Michael Tremer wrote:
>>> Hello Adolf,
>>>> On 17 Feb 2023, at 11:46, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>>>
>>>> Hi All,
>>>>
>>>>
>>>> I got Erik's OpenVPN patchset from some time ago and have created an upd=
ated patchset based on the current state of IPFire.
>>> Okay. So I suppose it all applied well or you were able to fix any merge =
conflicts.
>> I had to end up applying all the patches manually. There were enough chang=
es with the OTP stuff plus the change to the system commands that many Hunks =
failed to apply plus I found one hunk that applied in the wrong place.
>>
>> So manual application just seemed the most secure if a bit long winded app=
roach. That was why I created the new patch set because that is now based on =
next so any changes can be done relative to that patch set.
>>>> I applied those changes to ovpnmain.cgi and en.pl and installed them int=
o a vm clone on my testbed.
>>>>
>>>> Here are some images of the changes. Basically the ciphers are moved fro=
m the main page to an additional ciphers page.
>>> Yes, this is something the user ideally does not need to change. I would =
actually not hesitate too much to just hardcode something as 99% of people wi=
ll be on the same settings.
>>> However, I do not understand why there are different options for the cont=
rol and data channel. I do not see any reason why I would want different sett=
ings because I either support a certain cipher or I don=E2=80=99t. If I consi=
der my data channel =E2=80=9Cless important=E2=80=9D or need more throughput =
and use AES-128 instead of AES-256, then what is the benefit of keeping the c=
ontrol channel on AES-256?
>>> Then there is labelling which isn=E2=80=99t clear to me. I suppose it wor=
ks as follows:
>>> Data Channel is the new setting. It should in theory be possible to selec=
t multiple options.
>>> Data Channel fallback seems to be what used to be on the front page befor=
e and it should only allow to pick one option. If that is the case, then I be=
lieve that the UI suggests otherwise. This setting will then also go away wit=
h OpenVPN 2.6.0. Is that correct?
>> That is what I would read it as. I will check if more than one option can =
be selected in the fallback set.
>=20
> Okay. Thank you.
In the Data-Channel multiple ciphers can be selected. In the Data-Channel fal=
lback only a single one can be selected so the same as we currently have.

In the TLSv1.3 and TLSv1.2 boxes multiple options can be selected in both but=
 interesting results found when I tested out various connections is that if t=
he boxes are left unselected then my Android Client negotiated the TLSv1.3 25=
6 bit TLS-AES-GCM cipher. When I looked at the connection logs for the existi=
ng OpenVPN server connecting to my Android Phone with its existing connection=
 profile it negotiated and connected with the same TLSv1.3 cipher on the Cont=
rol Channel. So the Control Channel looks to be auto negotiated currently any=
way.
This makes me wonder if we really need these options provided. If the Control=
 Channel is auto negotiated to the best available option for both server and =
client that seems fine to me.

One thing I did find was that once an option in the Control Channel boxes had=
 been selected then you can not unselect it. That then means that auto negoti=
ation no longer takes place but the option selected is chosen. If the TLSv1.3=
 options are unselected but one of the TLSv1.2 ones is selected then the clie=
nt ignored the TLSv1.2 option and still auto negotiated the best cipher for t=
he connection.

So seems to me that we could remove the control channel cipher option for bot=
h TLSv1.3 and 1.2 and leave it auto negotiate.
>=20
>>> On the control channel the options are mislabeled. I suppose TLSv3 should=
 be TLSv1.3 and TLSv2 should be TLSv1.2 and possible less?!
>> That sounds like what is intended.
>>> I don=E2=80=99t really like it that there are two boxes, but since TLSv1.=
3 does not support many of the cipher suites that TLSv1.2 supports, there mig=
ht be no easy way around it. TLSv1.2 is on its way out, so we won=E2=80=99t n=
eed to support this for forever hopefully.
>>> Authentication: If there is only one option, the <select> tag should not =
look like it does currently where it suggests that multiple options can be se=
lected at the same time.
>> I am also not sure if all are needed. I will need to check if TLS-Auth no =
longer works with the TLSv1.3. TLS-Auth is what is currently working and I ha=
ven't seen anything suggesting it is deprecated. SHA2 512 bit seems strong en=
ough for the moment and is not at risk from being broken as far as I am aware=
. I would just remove the SHA1 has as that is definitely not recommended any =
more.
>> It would be simpler and easier if that stayed just with TLS-Auth if that w=
orks with TLSv1.3. I will check into that.
>=20
> If we currently only support TLS-Auth I would like to keep it that way unti=
l we have rolled out this stuff as it should have priority.
I tested out 5 different connection profiles with my Android phone. Everyone =
of them worked. That includes the existing profile which just worked as expec=
ted using 256 bit AES-GCM with TLS=3DAuth with SHA2 512 bit without needing t=
o change anything in the Advanced Encryption Settings page.

I ran the following combinations:-

SHA2 512 bit with TLS-Auth (Existing Connection)
SHA2 512 bit with TLS-Crypt
SHA2 512 bit with TLS-Crypt-V2
Blake2 512 bit with TLS-Auth
Blake2 512 bit with TLS-Crypt-V2
SHA3 512 bit with TLS-Auth

With TLS-Crypt-V2, which gives profile specific Control Channel encryption ke=
ys, It looks like the Hash Algorithm may be fixed. At least it was 256 bit (p=
robably SHA3 256 bit) in both cases I tested, i.e. ignoring the hash algorith=
m selected in the box. Not sure if that is the code or what should happen wit=
h Crypt-V2.

So everything works, at least with my Android client, but starting with just =
TLS-Auth as we currently use seems to make sense and then we can later on add=
 the TLS-Crypt option which encrypts the Control Channel before any communica=
tion starts at all.

I will test a few connection profiles also with my Linux laptop to confirm no=
 differences in how things work.
>=20
> This is all tedious enough already, so let=E2=80=99s not make it more compl=
icated, but rather roll out incremental changes that we can better build and =
test.
>=20
>>> What does 64-bit/8-32bit optimised mean for Blake2?
>> I have no idea.
>>> Why is there an extra button for the encryption settings? Why is this not=
 part of the advanced options?
>> I don't know but putting it all on the advanced options page wouldn't be t=
oo difficult ( says he keeping he fingers well crossed).
>=20
> I am sure it is less fun than creating a new clean page, but we cannot outs=
ource all of our problems to the user. A few maybe, but not all :)
If my remaining tests with my laptop don't flag some unexpected issues then I=
 will have a look at the code and the patches and look at moving the encrypti=
on options to the Advanced Options page. Also I will look at only having TLS-=
Auth and, unless I hear back to the contrary, removing the Control Channel ci=
pher selection boxes completely.

I will do it in stages and test out as I go along. Can't promise it will be v=
ery fast but if I hit any roadblocks I will report back for help.

Regards,
Adolf
>=20
>>>> 1st image is current status of the main page, 2nd image is the modified =
main page and the 3rd is the Advanced Encryption settings page.
>>>>
>>>> I will also upload the updated patches to my ipfire git repo
>>>>
>>>> https://git.ipfire.org/?p=3Dpeople/bonnietwin/ipfire-2.x.git;a=3Dsummary
>>> So this is a good start, but the UI is not making this process easy.
>>> I had a brief look at the code and it looks okay. Our CGIs are quite mess=
y anyways, so I do not think it is worth adding the most polished code here :=
) This should not mean that we can just do whatever because we are just makin=
g future changes even more difficult for ourselves.
>>> I didn=E2=80=99t apply this to my system and test. Did you do this? Does =
it work with various client version of OpenVPN?
>> I put it onto a vm clone on my system to get the screenshots. I haven't te=
sted various options yet as I have been a bit busy with clearing out some bug=
s but I will do that and report back on it.
>> My only problem with that is that all my clients are up to date so I don't=
 have any that would only work with older ciphers but at least I can check th=
at everything works with my Android phone and my Linux laptop with various ci=
phers etc selected.
>=20
> Okay, I just wanted to get a feeling with where we are at with this all bef=
ore we talk too much about the UI.
>=20
> -Michael
>=20
>>
>> Regards,
>> Adolf
>>> -Michael
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>> <Screenshot - main page.png><Screenshot - modified main page.png><Screen=
shot - advanced encryptions settings page.png>
>>
>> --=20
>> Sent from my laptop
>=20

--===============8222602966656783138==--