Hi Michael,
Am Montag, dem 21.11.2022 um 11:27 +0000 schrieb Michael Tremer:
Hello Erik,
Nice to see you on this list again :)
Good to see some answers again from you :-)
On 21 Nov 2022, at 10:22, Erik Kapfer erik.kapfer@ipfire.org wrote:
Since OpenSSL-3.x will remove all 64 bit block-cipher but also OpenVPNs changelog for version 2.5.8 gives hints to get rid of BF-CBC for default configuations, a warning will be displayed in the WUI if the user is running BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC but also SHA1 to change as soon as possible to another more secure algorithm.
Well, this does not sound like good news. It is yet another change that would break *lots* of existing OpenVPN setups.
It would need work from user side to change the cipher/HMAC in the WUI and on client.ovpn if not already AES, Camelia or Seed has been chosen.
Although the patch looks fine, I am not sure if this is the best way to go, because if we tell people that their setup won’t be supported much longer, what alternatives are there?
I think with the Sweet32 birthday attacks a lot of things has been changed where even OpenSSL started with fundamental changes and i think /hope it will go further in the crypto world which is also not that far away with things like PQC so things are changing here more or less rapidly.
Resetting to the default options, throwing away their CA and start from scratch is not an option. Even 20 connections are too many to manually update.
This patch does not focus the CA, changes needs to be done with the cipher/HMAC selection on server.conf and client.ovpn .
If they would actually do this, we will be back to square one really soon, because we still don’t have cipher negotiation.
Am pretty alone on testing side and resonance in general with this but the negotiation works here for me --> https://github.com/ummeegge/ovpn_dev but do need OpenVPN clients with version >= 2.5.0 .
We are also just accumulating warning messages at the top of the page which cannot be fixed. For years, we are showing some certificate warning and I am not sure why that actually is and what people can do about it?!
Generating a new PKI was the intention with this which should be made in my opinion otherwise all that might be a kind of security by obscurity. We throwed already away the DH warning messages with Peter´s DH Patch, the MD5 message should be showed as you mentioned it, long enough and should be ready to be deleted maybe ? Changes might be hard in that topic but as in life, sometimes important ;-) ?
So, I fear that we will have to keep supporting those really outdated (and yes, potentially dangerously insecure) setups for the lifetime of IPFire 2. If it isn’t an option to move forward to the latest version of OpenVPN we would be in *very* big trouble.
It is mainly OpenSSL not that much OpenVPN as one can see already with the PKCS#12 decryption problem... with the legacy mode it might also be a possibility to ride a dead horse.
Best, -Michael
All the best,
Erik
The call of the pkiconfigcheck function is now located in the status page section.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
html/cgi-bin/ovpnmain.cgi | 38 ++++++++++++++++++++++++++++++++++++-- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dc429d90c..5c34a5f4d 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -101,8 +101,6 @@ $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; -# Perform crypto and configration test -&pkiconfigcheck;
# Add CCD files if not already presant unless (-e $routes_push_file) { @@ -240,6 +238,39 @@ sub pkiconfigcheck } }
- # Warning for Roadwarrior if deprecated 64-bit-block ciphers or
weak HMAC is in usage
- if (-f "${General::swroot}/ovpn/server.conf") {
- my $oldciphers = "${General::swroot}/ovpn/server.conf";
- open(FH, $oldciphers);
- while(my $cipherstring = <FH>) {
- if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-
EDE3-CBC|SHA1/) {
- my @tempcipherstring = split(" ", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
- goto CRYPTO_WARNING;
- }
- }
- close(FH);
- }
- # Warning for Net-to-Net connections if deprecated 64-bit-block
ciphers or HMAC is in usage
- if (-f "${General::swroot}/ovpn/ovpnconfig") {
- my $oldciphers = "${General::swroot}/ovpn/ovpnconfig";
- open(FH, $oldciphers);
- while(my $cipherstring = <FH>) {
- if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-
EDE3-CBC/) {
- my @tempcipherstring = split(",", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
color='red'>$tempcipherstring[41]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
- goto CRYPTO_WARNING;
- }
- if ($cipherstring =~ /SHA1/) {
- my @tempcipherstring = split(",", $cipherstring);
- $cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font
color='red'>$tempcipherstring[40]</font></br>$Lang::tr{'ovpn warning algorithm n2n'}<font color='red'> $tempcipherstring[2]</font><br>$Lang::tr{'ovpn warning 64 bit block cipher'}</br>";
- goto CRYPTO_WARNING;
- }
- }
- }
CRYPTO_WARNING: }
@@ -5056,6 +5087,9 @@ END my @status = <FILE>; close(FILE);
- # Perform crypto and configration test
- &pkiconfigcheck;
if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = <IPADDR>; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index abfba5d5e..bb675ec34 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1982,6 +1982,9 @@ 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn tls auth' => 'TLS-Kanalabsicherung:', +'ovpn warning 64 bit block cipher' => 'Dieser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte Ändern Sie dies auf beiden Seiten (Server und Client) so schnell wie möglich!</br>', +'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert', +'ovpn warning algorithm n2n' => 'Für die Netz-zu-Netz Verbindung', 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_fragment' => 'Fragmentgrösse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bf18b22a2..9aaf3e765 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2035,6 +2035,9 @@ 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn tls auth' => 'TLS Channel Protection:', +'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this on both sides (server and client) as soon as possible!</br>', +'ovpn warning algorithm' => 'The following algorithm was configured', +'ovpn warning algorithm n2n' => 'For the Net-to-Net connection', 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn_fastio' => 'Fast-IO', 'ovpn_mssfix' => 'MSSFIX Size', -- 2.35.1