Hi,
On Thu, 2018-08-30 at 12:31 +0200, ummeegge wrote:
Hi, it is also a question whether life is not even worse when using broken stuff, which in the case of MD5 is not only a problem of OpenVPN. Backwards compatibility sometimes stands diametrically opposed to security, so using the good old way usually involves not much work (for administration but also for implementation) but leads, especially for VPNs, to only an apparent security.
Oh, nobody disagrees here. Broken crypto should not be used for obvious reasons.
The problem is only, that there is no migration path and that the OpenVPN project is setting the time for when migration is being done. That is what is making this so painful.
Besides the 64-bit block cipher disaster, where more than 50% of the ciphers in IPFire's OpenVPN are affected, there will surely come in the near future a question whether 2048-bit key lengths (which we have in the host certificates) are long enough, where again everything needs to be set up again if this should be changed. ECC crypto, also a nice one, new, fast, secure, but again everything needs to be set up again if it should be used (there is more...). From my point of view I wanted to bring new stuff as early as possible into the forum to inform but also to test it as well as possible, and I tried to find ways to make the life of the users easy, but sometimes it is simply not possible to go new ways without work/user interaction. If I also try to consider every use case (backwards compatibility, configuration, setup) I can leave my feet on the ground and don't need to make steps forward, because with 100% certainty someone needs to fix something on their setup.
I think there should always be an option for backwards-compatibility unless it is a very very very bad idea. For example: we still support MD5 for IPsec. It is marked as broken, but it is there in case someone has some old equipment to connect.
OpenVPN is currently changing a lot, which makes it really tough for me to implement all that without breaking something for someone, since the manpage does not deliver the whole truth; I also need to run tests, whereby the whole 2.4 update of OpenVPN and its implementation into IPFire goes into weeks of work to be a little surer of what works and what does not.
So in summary, if IPFire will drop OpenVPN with 3.x and the life of the admins is as bad as described in here, it is a possibility to change the VPNs now to IPsec; I can spare my time implementing all those unfunny changes and the current state (which is OK in my opinion) can be left as it is. I know developing such things for free is a kind of thankless job, because mostly only the bugs are reported back, but I am currently a little unmotivated to do more in here with this background knowledge.
You stated above why this is a good idea to implement all those things.
A very long discussion has been had about whether we should continue supporting OpenVPN, and the majority of the arguments were against OpenVPN. On paper, it is just too broken in the wrong hands, and there were other reasons like "one VPN implementation is enough for a start", too.
Best, -Michael
Best,
Erik
On Thursday, 30.08.2018, 08:35 +0100, Michael Tremer wrote:
Hi,
this is indeed on the lower side of some bigger users.
It is quite common to have hundreds of RW connections. >= 200 is not very rare.
Replacing them because of the MD5 change was troubling for them and that is why I am stressing backwards-compatibility so much with the latest changes. It makes the difference between OpenVPN being usable or making life a lot worse for the admins.
Best, -Michael
On Wed, 2018-08-29 at 23:49 +0200, ummeegge wrote:
Hi Michael and Alex,
On Wednesday, 29.08.2018, 11:33 +0100, Michael Tremer wrote:
Yes, it also needed some braingoo for all that, and it seems that it is not finished at all...
Just because this is quite topical today: Alex just told me how long it took him to replace 20 N2N connections and 80 RW connections. Poor him.
There is a very good reason why we don't have OpenVPN in IPFire 3.
100 connections are a lot. Can we use this knowledge for bug reports on OpenVPN, or is this topic (OpenVPN) just obsolete?
Best,
Erik