Hi Adolf, and thanks for your feedback.
Am Montag, den 23.11.2020, 12:41 +0100 schrieb Adolf Belka:
Hi Erik,
Thanks for all your work on OpenVPN. Much appreciated, especially in these challenging times of many changes.
thank you too.
Am I correct in my presumption that in the advanced encryption settings GUI we will be able to select multiple entries, which will then be made into a list in order that the entries are in the tables.
Yes, the negotiation was already introduced in 2.4. The server check via 'IV_NCP=2' if and then which ciphers the client does support and uses the first in place then e.g. AES-256-GCM:AES-256-CBC . Same with - -tls-ciphers and tls-ciphersuites. Every client above 2.4.0 does not recognize the renegotiation, therefor --data-ciphers-fallback .
From the advanced encryption settings page I see that you have removed the old insecure options, which is good.
Yes i would really love to do this as soon as possible but since we introduce the negotiation not before, older configurations does not have had the possibility to migrate. My idea is now to leave the old ciphers for the first in --data-ciphers-fallback, but give the user a message in the WUI and may also in IPFire blog that he should change as soon as possible since those (64 bit block ciphers) will be removed very soon. We can handle this via &pkiconfigcheck function e.g. .
For the Data-Channel fallback do you have to have a default or can you unselect everything. There could be people who only want to connect to systems that have the strongest ciphers and just refuse to connect with weaker ones.
We can make there a checkbox to disable data-channel-fallback but for the first time it might be better to leave it there in my opinion for the above described migration possiblity. It is the substitute for -- cipher. Nevertheless, if you use --data-ciphers and the clients are OpenVPN >= 2.4.0 or if system library >= OpenSSL-1.1.0 they will use the --data- ciphers algorithm before --data-cipher-fallback.
For the Control-Channel sections I would suggest swapping the order of TLSv2 and TLSv3 on the screen. The Data-Channel goes from most secure to least secure from left to right. I think that the Control-Channel should do the same.
Gret, good idea. Done.
I don't have any comments about the defaults. They seem reasonable to me.
Yes, the cipher listing takes also care of the order i think.
Excellent work, it's looking very nice.
Thanks for the flowers always good to hear :-) .
Regards, Adolf.
Best,
Erik
P.S. Short update. I moved now the --cipher and --auth part from the global to the advanced encryption page. I think the defaults should handle it for not so experience users so they do not need to bother around with all that. Am not sure if the layout looks good, for a short look --> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_... or should we leave it as a flip menu ?
On 22/11/2020 17:30, ummeegge wrote:
Hi all, i am currently in the update process of the already realeased OpenVPN- 2.5.0 --> https://openvpn.net/community-downloads-2/ . The update has been tested and worked so far also with the old default client configuration (tested with 2.4.9 client). There are two warnings -->
- DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher
negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
- WARNING: --topology net30 support for server configs with IPv4
pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
in the server log but it nevertheless works flawlessly.
Am working currently on an "Advanced Encryption Settings" page which includes currently four new directives --data-ciphers (data channel encryption), --data-ciphers-fallback (data-channel encryption for clients <= OpenVPN-2.3.9), --tls-ciphers (control channel TLSv2 only) and --tls-ciphersuites (control channel >= TLSv3) all options are explained in here --> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html , which works here currently and looks like this:
Button to belong to this page:
https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_...
And the page itself:
https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_...
You can see also the default settings, were i need also your ideas and comments for may better defaults. On the page itself is also more planned but to not overload this here now, i wanted to go now a two step procedure with this update.
- Push OpenVPN-2.5.0 update with the new ciphers and HMACs for
regukar global settings for RW and N2N. A overview of the new crypto can be found in here --> https://community.ipfire.org/t/openvpn-2-5-development-version/2173
.
- I would push the "Advanced Encryption settings" development as
seen above then as one patch <-- this would also eliminate the first warning causing --ncp-disable since we can delete this option then.
Everything else would come detached from this.
Some feedback might be nice.
Best,
Erik