Hi,
On Wed, 2018-02-14 at 20:11 +0100, ummeegge wrote:
As a version 3 idea, or might it be possibly a better idea to delete the '--auth *' directive in N2N.conf if AES-GCM has been chosen ? i think it might also be better to integrate '--tls-crypt' --> https://www.mail-archive.com/openvpn- devel@lists.sourceforge.net/msg12357.html
I do not get any of those arguments in that email. I find that highly useless for a legitimate use of VPNs.
instead of '--tls-auth' to N2N connections which uses a static AES-256-CTR whereby a HMAC can not be selected ?
The counter mode does not provide authentication like GCM does.
But also it might be time to delete SHA1 complete from Net-to-Net HMAC selection since this won´t harm old connections but brings a little more security per default ?
SHA1 is fine when used as a HMAC. Even MD5 is considered secure in that context.
Sorry for the back and forth but the way is the goal :D .
Some feedback might be nevertheless nice and important.
Greetings,
Erik
Am Mittwoch, den 14.02.2018, 15:40 +0100 schrieb Erik Kapfer:
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
Cipher menu description has been changed for N2N and RW since AES-GCM uses own authentication encryption (GMAC). More information can be found in here https://tools.ietf.org/html /rfc5288 . Added java script snipped to disable HMAC selection for N2N if AES- GCM has been selected. 'auth *' line in N2N.conf won´t be deleted even if AES-GCM is used so possible individual '--tls-auth' configurations won´t broke. 'auth *' line in N2N.conf will also be ignored if AES-GCM is used and no '--tls-auth' are configured. Left HMAC selection menu for Roadwarriors as it was since the WUI do provides '--tls-auth' which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org
html/cgi-bin/ovpnmain.cgi | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9f5e682..0a18ec7 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -4543,6 +4543,9 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked='checked'';
- $selected{'DCIPHER'}{'AES-256-GCM'} = '';
- $selected{'DCIPHER'}{'AES-192-GCM'} = '';
- $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4706,7 +4709,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
</tr>
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td> - <td><select name='DCIPHER'> + <td><select name='DCIPHER' id="n2ncipher" required> + <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'}) with SHA384</option> + <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'}) with SHA256</option> + <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'}) with SHA256</option> <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> @@ -4723,7 +4729,7 @@ if ($cgiparams{'TYPE'} eq 'net') { </td>
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
<td><select name='DAUTH'>
<td><select name='DAUTH' id="n2nhmac"> <option value='whirlpool'$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option> <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> @@ -4737,6 +4743,22 @@ if ($cgiparams{'TYPE'} eq 'net') { END ; }
+#### JAVA SCRIPT #### +# Validate N2N cipher. If GCM is used, disable HMAC menu +print<<END;
<script>
var disable_options = false;document.getElementById('n2ncipher').onchange =function () {
if((this.value == "AES-256-GCM"||this.value== "AES-192-GCM"||this.value == "AES-128-GCM")) {
document.getElementById('n2nhmac').setAttribute('disabled', true);
} else {document.getElementById('n2nhmac').removeAttribute('disabled');
}}- </script>
+END
#jumper print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>"; print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>"; @@ -5108,6 +5130,9 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
- $selected{'DCIPHER'}{'AES-256-GCM'} = '';
- $selected{'DCIPHER'}{'AES-192-GCM'} = '';
- $selected{'DCIPHER'}{'AES-128-GCM'} = ''; $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5204,6 +5229,9 @@ END
<td class='boldbase'nowrap='nowrap'>$Lang::tr{'cipher'}</td> <td><select name='DCIPHER'>
<option value='AES-256-GCM'$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'}) with SHA384</option>
<option value='AES-192-GCM'$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'}) with SHA256</option>
<option value='AES-128-GCM'$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'}) with SHA256</option> <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>