Hi Michael, and thanks for the Q&A which is important for me to clear things up, try to make it as short as possible...
Am 15.01.2018 um 12:58 schrieb Michael Tremer:
wow, long email…
sorry for that ;-) ...
I have had no problems building OpenVPN-2.4.4 --> https://swupdate.openvpn.org/community/releases/openvpn-2.4.4.tar.xz without any further modifications of the LFS (except the md5 and version number), there was also no need for the LZ4 lib ? What problems appears for you ?
None, I just haven't tried to build it because you are the maintainer of OpenVPN :)
Oh OK, didn´t know that :D .
To my current knowledge MySQL (possibly only an updated one) can also use LZ4 may there are more candidates in IPFire which can participate from this compression lib...
Not sure if people are using MySQL too much on IPFire. Hopefully they don't do that for any performance-critical applications.
I guess the only other useful application for LZ4 would be backups.
Do you have an idea where to place lz4 in make.sh ? Have placed it currently before MySQL.
Another point in here is IPFire uses currently the level 3 of --script- security for the RW " 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe)" which is important for some kinds of authentication methods but which has also been marked as unsafe and have also be again pointed out while the QuarkLabs and Cryptography Engineering LCC audit --> https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerA... its --> under "OVPN-08-1: OpenVPN configuration risks: --script-security 3" you can find there also OpenVPNs statements causing this topic.
AFAIK we don't use any of those authentication methods. Or are we?
Possibly all people which uses OpenVPN as a client on IPFire are rely to this auth method cause their VPN Provider sets usually "auth-user-pass-verify" directives. Since this option is not officially supported, i think their on their own...
The ON/OFF switch should be there to deactivate the automatic cipher negotiation not the HWRNG. As far as i remember some crypto accelerators can only be used with certain types of encryption e.g. --> https://doc.pfsense.or g/index.php/Are_cryptographic_accelerators_supported . So in my understanding if OpenVPN negotiates for example AES-256-GCM with the client cause the appropriate OpenSSL lib do supports it some potential existing accelerators like e.g. the "AMD Geode LX Security Block" won´t be used. If i get that right this might be one case where the automatic cipher negotiation should be deactivated ? Another one might be setups with vast amounts of clients where possible less computing power with smaller key lengths is wanted. That´s why i disabled the cipher negotiation per default and if wanted one click via checkbox can be used to enable it for all clients whereby the CCD option can be used to deactivate the cipher negotiation for specific clients. Not sure if this is the best practice and it might be great if someone can give me feedback for this since this has not been debated since now !!!
OpenSSL choses to activate these things automatically when they are available. There is no need to do anything. Even apache and things like that use them because they use OpenSSL.
However, that is not an HWRNG. That is just a random number generator like RDRAND on Intel processors.
AESNI is not called a HWRNG.
Thanks for clarification on that, wasn´t sure causing this topic !
I do not see a reason why people would want to disable this. They work and if someone wants to disable them (because they are malfunctioning), that should be possible system-wide.
We should not have too many switches. It makes the web UI complicated.
So should i leave the the switch for '--ncp-disable' option out of the WUI ? In that case we will reduce the ciphers on IPFire significant since OpenVPN will then use only AES-256-CBC or AES-256GCM if the clients are >=2.4.0 (which mostly are meanwhile i think) !
What are you thinking about to leave the cipher-negotiation checkbox out of the global section (in that case is all like before) but i think we should deliver at least one possibility in CCD section to disable the cipher-negotiation which would then looks like in here --> https://people.ipfire.org/~ummeegge/screenshoots/OpenVPN-2.4_beta2/Disable-N... and is only located in the "Advanced client options" in the CCD section ?
Since the choice of the cipher is an important setting it might be great in my opinion the give the users at least a possibility (in the advanced settings section) to configure this for each client if wanted ?
Above all, there are currently only 3 algorithms left on IPFire which are not affected by the Sweet32 problem (AES, Camellia and Seed which are 128 bit block ciphers).
but the server.conf serves --ncp-ciphers but also --cipher and --auth -->
#OpenVPN Server conf
daemon openvpnserver writepid /var/run/openvpn.pid #DAN prepare OpenVPN for listening on blue and orange ;local ue.*.org dev tun proto udp port 1194 script-security 3 ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600 client-config-dir /var/ipfire/ovpn/ccd tls-server ca /var/ipfire/ovpn/ca/cacert.pem cert /var/ipfire/ovpn/certs/servercert.pem key /var/ipfire/ovpn/certs/serverkey.pem dh /var/ipfire/ovpn/ca/dh1024.pem server 10.2.17.0 255.255.255.0 tun-mtu 1400 mssfix 0 route 10.1.4.0 255.255.255.252 keepalive 10 60 status-version 1 status /var/run/ovpnserver.log 30 ncp-ciphers AES-256-GCM:AES-256-CBC:CAMELLIA-256-CBC cipher AES-256-CBC auth SHA512 tls-auth /var/ipfire/ovpn/certs/ta.key max-clients 100 tls-verify /usr/lib/openvpn/verify crl-verify /var/ipfire/ovpn/crls/cacrl.pem user nobody group nobody persist-key persist-tun verb 3
so i think this should be no problem.
So we need to add the ncp-ciphers. If we didn't we would have some sort of functionality just like OpenVPN 2.3. Which is fine with me for the moment, too.
Yes we would need "--ncp-ciphers ALGs" for this new feature. Generally i think this could be a security/performance gain for a lot´s of people out there especially if they are using the old and deprecated ciphers like Blowfish (old default) or the whole 3DES collection.
Shouldn´t i test OpenVPN with the new OpenSSL before pushing this, if the iso is working i can make an installation in my testing environment to break down the most important steps ?
I thought that was tested already. However, the OpenSSL is branch is somewhat unstable and won't be released with the next core update. So if you send it now, it wouldn't break anyone's system.
All tests has been done with the old OpenSSL lib. One concern for me with the new lib is if the old ovpn.cnf (OpenVPNs OpenSSL conf) is OK or if there needs to be something done too. But i´am calmed a little down if this changes are not released with the next Core update.
I forgot also one important point to mention which we discovered really late. OpenVPN-2.4.x refactors the CRL handling --> https://github.com/OpenVPN/openvp n/commit/160504a2955c4478cd2c0323452929e07016a336 which is a problem cause the CRL will now be checked in the "validBefore" and "validAfter" fields. Since "default_crl_days" are set to 30 days we can run into a problem if the CRL has been expired. Error message looks like this:
Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 VERIFY ERROR: depth=0, error=CRL has expired: C=US, O=Tatoine, CN=LGG3 Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 TLS_ERROR: BIO read tls_read_plaintext error Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 TLS Error: TLS object -> incoming plaintext read error Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 TLS Error: TLS handshake failed Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 Fatal TLS error (check_tls_errors_co), restarting Nov 22 22:56:26 OpenVPN-2-4 openvpnserver[16368]: a.b.c.d:46227 SIGUSR1[soft,tls-error] received, client-instance restarting
The CRL has a valid before and after date? In that case we just need to regenerate it.
If the CA or some client certificates have expired, this is what we would expect, isn't it?
Exactly.
A more detailed discussion in the IPFire forum is here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18067&start=30#p112529 located, the Debian discussion --> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=84 9909 and OpenVPN --> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849909 . An idea there was to set the "nextUpdate" value in a far future as the CA expiry date is, we decided in the forum to leave this idea behind and started to develop a first idea for an CRL updater, please check this in here --> https://forum.ipfire.org/viewtopic.php?f=50&t=18067&sid=e623c9c726b7... . In that case we would need a script which checks periodically when a CRL update needs to be done.
Not a fan of cron jobs for things like this, but I guess we have no other choice. This looks good.
Am also not really happy with this but have found so far no better solutions. Should i place the script to /etc/fcron.daily/ ? Would make sense i think.
If you have better ideas for this or another script it might be really helpful.
No not really. We have to make sure that the CRL is up to date even when the system is not being rebooted in a while. So it has to be checked regularly which requires a cron job.
This is exactly the point. If clients are deleted via ovpnmain.cgi the CRL will automatically be renewed via ovpnmain.cgi but if the systems runs without some specific interactions, the CRL expires and all connections are over and done until the CRL has been renewed.
Setting the expiry date to infinity would slightly ruin the idea of a CRL.
Yes this would make no sense at all.
Peter has proposed a patch recently with improved crypto, please work together with him.
We can do this, no problem. @Peter would you write me to ummeegge at ipfire.org ?
It is here https://patchwork.ipfire.org/patch/1594/
Thanks for pointing that out. I did also changes regarding the "vpn weak" warnings but this changes includes more then the DH-parameter. As above mentioned 6 from 12 the currently available on IPFires OpenVPN are deprecated cause there can be attacked via Sweet32. OpenVPN implemented "reneg-bytes 64000000" with v. 2.3.13 which forces frequent rekeying after 64 MB data transfer, this can lead to a lot more rekeying cycles then the one hour cycle which is the regular behavior. All that can somehow be neglected with the cipher-negotiaion and newer clients since there will then be used anyways AES-256 which is a 128 bit block cipher.
The SHA512 default setting changes from Peter are for N2N defaults which should be OK in my opinion since every new connection needs to be created for both sides (TLS-server and TLS-client), this should´t crash anything.
One more important thing. If we update to OpenVPN-2.4.x there is the need that the changes will be written to the server.conf (save button) otherwise the server do not start (causing the script-security entry), after i manually updated the files i needed to stop the server, hit the save button and only after then the server can be started again. openvpnctrl do provides only stop|start but no save option do you know solve this via command line parameter while the update ?
Again thanks for your feedback and help.
Greetings,
Erik