What about the idea of using the dropdown to populate --data-ciphers-fallback instead of whatever it populates now. Then you can enable autonegotiation at the same time, if I've read the doc correctly.

Re compression, you can ignore the settings in the raodwarriors by setting:

compress stub-v2
push "compress stub-v2"

in the server. I did that years ago for the ClearOS server. It effectively ignores what is set in the client unless the client uses the settings to disallow pushes but that would not be normal.

On 17/03/2024 15:25, Adolf Belka wrote:

Hi Nick,

On 17/03/2024 15:56, Nick Howitt wrote:

Crumbs. Still supporting 2.3? That should be a no-no. Anyone with an explicit cipher in their roadwarriors will have problems if they are old, whatever you do. The oldest version at openvpn.net is 2.4.6 dating back to 2018. Even then plenty of water has passed under the bridge e.g SWEET32 etc. Compression should have been disabled and stubbed a long time ago. The minute you allow cipher negotiation, you risk breakage if the client uses a cipher which is not currently supported. Are you going to allow the cipher to be unset (default) in the GUI?

No not now but when the ncp-disable was added 6 years ago when openvpn was at version 2.4.5 things were very different.

There isn't really an upgrade path if you have a number of clients using explicit ciphers, because the minute you upgrade the server, clients will break. If you update the client before the server, the client will break as well. I have not studied the effect of that document, but can you use the fallback cipher (--data-ciphers-fallback) as the parameter you change from the GUI? Then you will have auto negotiation enabled as well. Then you give the users a fixed timeline to update their clients software and/or configs after which you can remove it again. This may work.

There is a migration path now with the move to cipher negotiation on the basis that all clients are 2.4.x or newer, which should now be a reasonable assumption but would not have been 6 years ago.
The question would also be is it our role to break users systems because we think they are using too old or too insecure ciphers. I would say that is not our role. So we need to find a path forward that allows users to make that upgrade on a client by client basis.

We also need to ensure that all changes are dealt with in one go and not ask users to update their clients for ciphers now and then later on for compressions settings etc.

The path forward I have looked at would also deal with the changes in compression settings. If people currently have compression set in their clients then compression is not used, just the headers are implemented but no compression.
However in future openvpn updates if compression is specified the client will fail to operate because it will be considered an error. So again with the change from openvpn-2.5.x to 2.6.x there is a compression migration path and we need to combine both the compression and cipher migration paths so that users are asked to update their client settings on a client by client basis only once.

Regards,

Adolf.

On 17/03/2024 14:05, Adolf Belka wrote:

Hi Nick,

On 17/03/2024 13:34, Nick Howitt wrote:

Can I ask a question? Why are we playing around with Cipher strings and hashes? The minute you do that you make things much harder to get a good connection. The reason is because, if they are not specified, OpenVPN chooses a good safe set that allows multiple strong ciphers. This gives a high chance of the remote end matching you with strong ciphers. If you specify a cipher, then you restrict all connections to that single cipher as you don't have any form of multi-select. Then, if you ever want to change your choice, perhaps because what you have chosen is no longer recommended, you have a nightmare on your hands because you will have to update every remote client config where it has also been specified.

When the cipher negotiation was introduced by OpenVPN it was not backwards compatible. If we had changed to cipher negotiation at that time then users with older clients would have just failed. This was not acceptable, especially as to update every client would have had to been updated at the same time, not acceptable for users with 200 or more clients running with their systems but maybe with older defined ciphers.

Therefore we had to move to a situation where we had the ncp-disable option, so preventing cipher negotiation.

At a minimum, the dropdowns should have an option which says "default" when nothing is put in the config, and this should be the default option. Anyone who then wants to specify an option, then can, but they are going down their own blind alley. If it were me, I would not even give the user a choice. If I had to, I would give them a choice to exclude ciphers, but not set them.

No we are looking at moving from the ncp-disable situation to one where cipher negotiation is enabled. The previous issue with older clients no longer holds as users would have to be still using clients at version 2.3 or older. Cipher negotiation came in with version 2.4

So any users still using version 2.3 will have to update but that should be a very small number now, especially as that older version only worked with openssl-1.0.1x. So anyone still using it must be minimal now and very insecure.

So now we can move to cipher negotiation but we still need to enable cipher selection for those users that have clients with older ciphers. These may be insecure but again we need to allow users to update their clients one at a time, not require them to update all clients at the same time.

Once we have cipher negotiation in place, the users will be able to have a mixed situation of some clients with newer ciphers specified and others still with the older ones so they can update on a client by client basis over time. Currently we are on OpenVPN-2.5.9. With cipher negotiation enabled we would be able to move to the openvpn-2.6.x series. We then would have to stay on OpenVPN-2.6.x for a specified period to allow users to update any clients that are using the much older ciphers.

Once the period is past we could then consider updating to openvpn-2.7 series which is likely to come somewhere during this year but that will actively prevent any older ciphers being used so all users must have updated all clients by that time.

Also, by specifying the options you get a maintenance issue where the dropdowns need to be maintained to stay in line with every update to the underlying openvpn code.

There is a possibly useful document at https://community.openvpn.net/openvpn/wiki/CipherNegotiation.

Yes, I am aware of that document and that has been the basis of deciding how to move forward to allow the cipher negotiation to be enabled while making sure we impact existing users the least and move to a position where the users can update their clients one at a time, rather than a big bang update where all clients stop working and all have to be updated at the same time during which no users of the organisation are able to use their roadwarrior connections.

The next challenge is how to make all these changes in the ovpnmain.cgi code, in a way that does allow the existing systems to continue and to be able to test this out in some way, to be sure we are not creating a breaking IPFire for users when the update is released to Testing and then Full Release.

That is where I have been trying to work on, while at the same time trying to understand the code, as I am relatively new into what currently exists and I have found it a big challenge. I have made progress but not quick enough and have been diverted by other things.

Has the non-breaking, backwards compatible approach we have used historically been the best option. I don't know, but it is what has been used and so we now have to find a way to move forward from that current status to the next step, again without creating a breaking, backwards incompatible approach.

Always open to alternative approaches, if they are easier to implement and maintain the non-breaking, backwards compatible policy and give a migration path to move forward on a client by client update basis.

Regards,

Adolf.

Regards,

Nick

On 17/03/2024 11:35, Adolf Belka wrote:

Hi Michael,

I am afraid I don't have a patch set. It is just a single diff change.

I took Erik's original patch set and applied it to the latest ovpnmain.cgi version at that time and then removed some of the items that I decided could wait till later or were not needed.

This created a single diff file, which I was able to apply and test out to confirm it did what I expected it to do, which it seemed to do.

The next step I then had intended to do was to break that single diff into multiple patches but I found this very difficult to do as I could not easily figure out which bits needed to go together in different patches. Trying to understand all the changes and what each were related to I struggled to make sense of.

My next step was therefore going to be to go back to an unmodified ovpnmain.cgi file and make the changes a step at a time, to match what I had previously done and therefore end up with a patch set of small self consistent changes.

However to do this I had to go back to the start and figure out which of Erik's changes to apply and what parts of those changes and every time I did something else in IPFire for a week or so I was having to go back to square one in trying to remember what I had been going to do next.

The diff patch file I created is at

https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=commit;h=4fbf17f4a10fbf2a0ddeae1aa436cf26f6b3a035

Hopefully you can use this as a basis to extract just the bits needed for the cipher negotiation.

I will also go back and start again to work on it but focus on it without diverting to anything else, after I have dealt with the wsdd patch modification.

Regards,

Adolf.
-- 
Sent from my laptop