Hi Michael, thanks for looking into this.
Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael Tremer:
Hello Erik,
Yes, I am very much interested in this.
And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.
that´s not good to hear. OK, let me explain... I tried to come up with a solution where we already have spoken more times about in the past, i tried to follow up your suggestions, the latest about that topic was here --> https://lists.ipfire.org/pipermail/development/2020-October/008441.html in Oktober to bring up "a select box where multiple algorithms can be chosen (like in IPsec)". Since --cipher is deprectaed and will be replaced by --data-ciphers which is a >=2.5.0 option we need another selection field for the --data-ciphers-fallback which is a replacement for --cipher and the server uses this directive to talk also to client which are <2.5.0 . OpenVPN presses to use cipher negotiation which we have avoid since the release of 2.4 with --ncp-disable, this option is no also deprecated so we need to take action on this.
We need to have then two new options, two seletion boxes which are odd to see in the global section. I tried it in the advanced server section too and it looks even more confusing with all the other already existing options, nothing i wanted to do. So i thought your above linked suggestions are pretty straight forward and the best solution to build an own crypto section which do have already defaults, nobody needs to do there anyting, the global section has been cleaned up and it should be even easier for everone to overview.
It made for me no sense to leave parts of the crypto (TLS-auth and HMACs) in the global section, especially because there are also even more algorithms, but also new options for the TLS authentication which i have all integrated so i moved them also into that place (patch 6/7 and 7/7).
The control-channel cipher selection (patch 5/7) is new and should be really a part for the advanced ones, therefor no defaults has been set, it simply won´t appear if nothing has been configured.
I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole things has been submitted a second time, although I do not know if there are any changes. Yes there are. Old and deprecated ciphers will now be detected and a warning comes up in the global section to change them as soon as possible (patch 3/7), also all languages has been translated and has been included. Also i wanted to split it in more specific topics for better overview but it seems that i have been failed.
I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard. One intention was that you do not need anything to do except you want to do some advanced crypto stuff. The rest should have already been made...
I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this. Please check out the above linked topic where you have wrote suggestions that i simply tried to achieve but again, it seems that i was not successfull with this...
So, could you please summarise for me what you want to achieve here? Hope i have it done above.
Is this supposed to make OpenVPN more compatible, secure, or anything else? Yes both but also easier since the user do not need to do anything but he should become more security under the hood, the backward and the forward compatibility should be in a better standing than before and if someone wants to go into the depth, this is even also possible.
Why do we not talk about this before things are being implemented, or did I just miss the discussion? Yes i think you missed some of that, hopefully i could remind you on some points.
-Michael
Best,
Erik
On 14 Dec 2020, at 14:03, ummeegge ummeegge@ipfire.org wrote:
Hi all, just wanted to ask if there is still interest in this patch series ?
Best,
Erik