From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: Re: [PATCH] openvpn: Warning for broken algorithms . Date: Mon, 21 Nov 2022 15:05:30 +0100 Message-ID: In-Reply-To: <6B0AE798-D529-4174-8735-35EA790A61A4@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1035940155435223342==" List-Id: --===============1035940155435223342== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Hi Michael, Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer: > Hello Erik, > > Nice to see you on this list again :) Good to see some answers again from you :-) > > > On 21 Nov 2022, at 10:22, Erik Kapfer > > wrote: > > > > Since OpenSSL-3.x will remove all 64 bit block-cipher but also > > OpenVPNs changelog > > for version 2.5.8 gives hints to get rid of BF-CBC for default > > configuations, > > a warning will be displayed in the WUI if the user is running > > BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to > > change > > as soon as possible to another more secure algorithm. > > Well, this does not sound like good news. It is yet another change > that would break *lots* of existing OpenVPN setups. It would need work from user side to change the cipher/HMAC in the WUI and on client.ovpn if not already AES, Camelia or Seed has been chosen. > > Although the patch looks fine, I am not sure if this is the best way > to go, because if we tell people that their setup won’t be supported > much longer, what alternatives are there? I think with the Sweet32 birthday attacks a lot of things has been changed where even OpenSSL started with fundamental changes and i think /hope it will go further in the crypto world which is also not that far away with things like PQC so things are changing here more or less rapidly. > > Resetting to the default options, throwing away their CA and start > from scratch is not an option. Even 20 connections are too many to > manually update. This patch does not focus the CA, changes needs to be done with the cipher/HMAC selection on server.conf and client.ovpn . > > If they would actually do this, we will be back to square one really > soon, because we still don’t have cipher negotiation. Am pretty alone on testing side and resonance in general with this but the negotiation works here for me --> https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with version >= 2.5.0 . > > We are also just accumulating warning messages at the top of the page > which cannot be fixed. For years, we are showing some certificate > warning and I am not sure why that actually is and what people can do > about it?! Generating a new PKI was the intention with this which should be made in my opinion otherwise all that might be a kind of security by obscurity. We throwed already away the DH warning messages with Peter´s DH Patch, the MD5 message should be showed as you mentioned it, long enough and should be ready to be deleted maybe ? Changes might be hard in that topic but as in life, sometimes important ;-) ? > > So, I fear that we will have to keep supporting those really outdated > (and yes, potentially dangerously insecure) setups for the lifetime > of IPFire 2. If it isn’t an option to move forward to the latest > version of OpenVPN we would be in *very* big trouble. It is mainly OpenSSL not that much OpenVPN... with the legacy mode it might also be a possibility to ride a dead horse. > > Best, > -Michael All the best, Erik > > > > > The call of the pkiconfigcheck function is now located in the > > status page section. > > > > Signed-off-by: Erik Kapfer > > --- > > html/cgi-bin/ovpnmain.cgi | 38 > > ++++++++++++++++++++++++++++++++++++-- > > langs/de/cgi-bin/de.pl    |  3 +++ > > langs/en/cgi-bin/en.pl    |  3 +++ > > 3 files changed, 42 insertions(+), 2 deletions(-) > > > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > > index dc429d90c..5c34a5f4d 100644 > > --- a/html/cgi-bin/ovpnmain.cgi > > +++ b/html/cgi-bin/ovpnmain.cgi > > @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; > > $cgiparams{'DAUTH'} = ''; > > $cgiparams{'TLSAUTH'} = ''; > > $routes_push_file = "${General::swroot}/ovpn/routes_push"; > > -# Perform crypto and configration test > > -&pkiconfigcheck; > > > > # Add CCD files if not already presant > > unless (-e $routes_push_file) { > > @@ -240,6 +238,39 @@ sub pkiconfigcheck > > } > > } > > > > + # Warning for Roadwarrior if deprecated 64-bit-block ciphers or > > weak HMAC is in usage > > + if (-f "${General::swroot}/ovpn/server.conf") { > > + my $oldciphers = "${General::swroot}/ovpn/server.conf"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = ) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC|SHA1/) { > > + my @tempcipherstring = split(" ", $cipherstring); > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > color='red'>$tempcipherstring[1]
$Lang::tr{'ovpn warning > > 64 bit block cipher'}"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + close(FH); > > + } > > + > > + # Warning for Net-to-Net connections if deprecated 64-bit-block > > ciphers or HMAC is in usage > > + if (-f "${General::swroot}/ovpn/ovpnconfig") { > > + my $oldciphers = "${General::swroot}/ovpn/ovpnconfig"; > > + open(FH, $oldciphers); > > + while(my $cipherstring = ) { > > + if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES- > > EDE3-CBC/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > color='red'>$tempcipherstring[41]
$Lang::tr{'ovpn > > warning algorithm n2n'} > > $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit block > > cipher'}
"; > > + goto CRYPTO_WARNING; > > + } > > + if ($cipherstring =~ /SHA1/) { > > + my @tempcipherstring = split(",", $cipherstring); > > + $cryptowarning = "
$Lang::tr{'ovpn warning algorithm'}: > color='red'>$tempcipherstring[40]
$Lang::tr{'ovpn > > warning algorithm n2n'} > > $tempcipherstring[2]
$Lang::tr{'ovpn warning 64 bit block > > cipher'}
"; > > + goto CRYPTO_WARNING; > > + } > > + } > > + } > > + > > + > > CRYPTO_WARNING: > > } > > > > @@ -5056,6 +5087,9 @@ END > >     my @status = ; > >     close(FILE); > > > > + # Perform crypto and configration test > > + &pkiconfigcheck; > > + > >     if ($cgiparams{'VPN_IP'} eq '' && -e > > "${General::swroot}/red/active") { > > if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { > >    my $ipaddr = ; > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > index abfba5d5e..bb675ec34 100644 > > --- a/langs/de/cgi-bin/de.pl > > +++ b/langs/de/cgi-bin/de.pl > > @@ -1982,6 +1982,9 @@ > > 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', > > 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ', > > 'ovpn tls auth' => 'TLS-Kanalabsicherung:', > > +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist > > unsicher und wird bald entfernt.
Bitte Ändern Sie dies auf > > beiden Seiten (Server und Client) so schnell wie möglich!
', > > +'ovpn warning algorithm' => 'Folgender Algorithmus wurde > > konfiguriert', > > +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', > > 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 > > Regelkonform.
Bitte IPFire auf die letzte Version updaten und > > generieren sie ein neues Root und Host Zertifikat so bald wie > > möglich.

Es müssen dann alle OpenVPN clients erneuert > > werden!
', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_fragment' => 'Fragmentgrösse', > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > index bf18b22a2..9aaf3e765 100644 > > --- a/langs/en/cgi-bin/en.pl > > +++ b/langs/en/cgi-bin/en.pl > > @@ -2035,6 +2035,9 @@ > > 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', > > 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', > > 'ovpn tls auth' => 'TLS Channel Protection:', > > +'ovpn warning 64 bit block cipher' => 'This encryption algorithm > > is broken and will soon be removed.
Please change this on both > > sides (server and client) as soon as possible!
', > > +'ovpn warning algorithm' => 'The following algorithm was > > configured', > > +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', > > 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 > > compliant.
Please update to the latest IPFire version and > > generate as soon as possible a new root and host > > certificate.

All OpenVPN clients needs then to be > > renewed!
', > > 'ovpn_fastio' => 'Fast-IO', > > 'ovpn_mssfix' => 'MSSFIX Size', > > -- > > 2.35.1 > > > --===============1035940155435223342==--