Hi all, am currently working with the current OpenVPN-2.6_dev version and have had three questions in mind.
1) Is a OpenSSL update to 3.x currently in plan ? As far as i can see all needed updates for related software are meanwhile ready.
2) The current *.p12 archiv format on IPFire´s OpenVPN uses for PKCS7 encryption 'pbeWithSHA1And40BitRC2' which can only be used with the "- provider legacy" option otherwise RC2-40-CBC won´t be accepted. On my both machines -->
No LSB modules are available. Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2022.3 Codename: kali-rolling OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: Fedora Description: Fedora release 36 (Thirty Six) Release: 36 Codename: ThirtySix OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
OpenSSL-3.x is menwhile in usage and by decrypting the *.p12 files the in here described errors --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further interventions, the regular authentication (PWD) process won´t work.
3) Before OpenSSL 3.x will be updated in IPFire, makes it sense to bring up some warnings if BF, CAST and DES* (may also SHA1) are in usage ? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which uses the above mentioned ciphers or should the ‘-provider legacy’ flag handle this ?
Best,
Erik
Hello Erik,
On 16 Sep 2022, at 15:17, ummeegge ummeegge@ipfire.org wrote:
Hi all, am currently working with the current OpenVPN-2.6_dev version and have had three questions in mind.
- Is a OpenSSL update to 3.x currently in plan ? As far as i can see
all needed updates for related software are meanwhile ready.
Yes. Peter is pretty much done with that, but the monitoring plugins are the only blocker that is left.
- The current *.p12 archiv format on IPFire´s OpenVPN uses for PKCS7
encryption 'pbeWithSHA1And40BitRC2' which can only be used with the "- provider legacy" option otherwise RC2-40-CBC won´t be accepted. On my both machines -->
No LSB modules are available. Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2022.3 Codename: kali-rolling OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: Fedora Description: Fedora release 36 (Thirty Six) Release: 36 Codename: ThirtySix OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
OpenSSL-3.x is menwhile in usage and by decrypting the *.p12 files the in here described errors --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further interventions, the regular authentication (PWD) process won´t work.
Meaning? Can we replace this format by anything else and keep the password protection?
- Before OpenSSL 3.x will be updated in IPFire, makes it sense to
bring up some warnings if BF, CAST and DES* (may also SHA1) are in usage ? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which uses the above mentioned ciphers or should the ‘-provider legacy’ flag handle this ?
I suppose we will need to enable this since we have too many installations on the old settings out there.
We still don’t have cipher negotiation.
-Michael
Best,
Erik
Hi Michael,
Am Freitag, dem 16.09.2022 um 15:19 +0200 schrieb Michael Tremer:
Hello Erik,
On 16 Sep 2022, at 15:17, ummeegge ummeegge@ipfire.org wrote:
Hi all, am currently working with the current OpenVPN-2.6_dev version and have had three questions in mind.
- Is a OpenSSL update to 3.x currently in plan ? As far as i can
see all needed updates for related software are meanwhile ready.
Yes. Peter is pretty much done with that, but the monitoring plugins are the only blocker that is left.
Is it the nagios_nrpe monitoring plugin ? If so, there should be meanwhile with version 4.1.0 a solution --> https://github.com/NagiosEnterprises/nrpe/commit/f09162880017d8e84bfd64b874d...
- The current *.p12 archiv format on IPFire´s OpenVPN uses for
PKCS7 encryption 'pbeWithSHA1And40BitRC2' which can only be used with the "- provider legacy" option otherwise RC2-40-CBC won´t be accepted. On my both machines -->
No LSB modules are available. Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2022.3 Codename: kali-rolling OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
LSB Version: :core-4.1-amd64:core-4.1-noarch Distributor ID: Fedora Description: Fedora release 36 (Thirty Six) Release: 36 Codename: ThirtySix OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
OpenSSL-3.x is menwhile in usage and by decrypting the *.p12 files the in here described errors --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911 appear. Without any further interventions, the regular authentication (PWD) process won´t work.
Meaning? Can we replace this format by anything else and keep the password protection?
Yes this should be possible also without OpenSSL-3.x . We tried it with this patch --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911/4 and got a better encryption with AES-256-CBC but only with SHA1 which was a problem to configure via '-macalg digest' . OpenSSL-3.0 did that per default but also with SHA256 as MAC --> https://community.ipfire.org/t/ovpn-cert-creation-algo/7911/13
- Before OpenSSL 3.x will be updated in IPFire, makes it sense to
bring up some warnings if BF, CAST and DES* (may also SHA1) are in usage ? Otherwise, the OpenSSL update can also be a show stopper for OpenVPN connections on systems which uses the above mentioned ciphers or should the ‘-provider legacy’ flag handle this ?
I suppose we will need to enable this since we have too many installations on the old settings out there.
Might that --> https://gitlab.com/ummeegge/openvpn-2.5.x/-/commit/52e49c8bef040d5ca21a23c80... be OK ?
We still don’t have cipher negotiation.
Have started from the beginning with the meanwhile available OpenVPN- 2.6_dev version without the current IPFire server.conf. The only error on server side was '--ncp-disable' so the cipher negotiation was indeed needed. Have used this patch --> https://gitlab.com/ummeegge/openvpn-2.5.x/-/commit/920f91806293a927a1e88e2cd... and beneath a lot of deprecation warnings OpenVPN started again with OpenVPN-2.6_dev . This patch can be made may tighter (no jQuery) and may there are some other ideas around but at that time i went some more steps further in the "Advanced server" section. Some explanations, ideas and screenshot can be found in here --> https://gitlab.com/ummeegge/openvpn-2.5.x/-/wikis/Explanation-of-the-OpenVPN...
The release date for 2.6 is Dezember at this time as far as i know.
-Michael
Best,
Erik
-
Michael Tremer -
ummeegge