Hi all, i wanted to report a cross-site scripting vulnerability problem for OpenVPN and possibly also IPSec via the "SWEET32: Birthday attacks on 64-bit block ciphers which concerns the DES cipher incl. the 3DES variants but also the Blowfish cipher. The only way to fix it which i have currently recognized is to use other ciphers then those and another way for a faster implementation for OpenVPN is to renegotiate new keys more often. An example can be to use '--reneg-bytes 64000' in the configuration.
So my question is should we delete those ciphers from the OpenVPN/IPsec cipher lists and announce this problem to the community may via the Planet (have announced it already in the IPFire forum for OpenVPN) ?
Some deeper insides causing this problem can be found in here:
- https://sweet32.info/ - https://community.openvpn.net/openvpn/wiki/SWEET32
Greetings,
Erik