[PATCH] OpenVPN: mark CBC ciphers as weak in WebUI

Michael Tremer michael.tremer at ipfire.org
Mon Jun 10 19:47:17 BST 2019


Hi,

I think I can ACK this although we definitely should change the default. I have raised that a couple of times before.

I also do not like having a very long list of ciphers that are weak. There are not too many left which are “strong”. But yeah, what can you do?

I will wait for Erik to ack this, too.

-Michael

> On 10 Jun 2019, at 19:36, Peter Müller <peter.mueller at ipfire.org> wrote:
> 
> CBC a vulnerable to a bunch of vulnerabilities (MAC-then-encrypt,
> Padding Oracle, ...) which were considered to be an academic threat.
> 
> However, research such as https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
> indicates these issues are more serious. Thereof, this patch marks
> remaining CBC ciphers (AES-CBC, SEED-CBC and CAMELLIA-CBC) as "weak";
> they should be avoided in future.
> 
> It does not change the default, which is AES-256-CBC for compatibility
> reasons. Whether this can be changed or not needs to be discussed.
> 
> Signed-off-by: Peter Müller <peter.mueller at ipfire.org>
> Cc: Erik Kapfer <ummeegge at ipfire.org>
> ---
> html/cgi-bin/ovpnmain.cgi | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 439390228..ae1fe8e77 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2014  IPFire Team  <info at ipfire.org>                     #
> +# Copyright (C) 2007-2019  IPFire Team  <info at ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -4516,7 +4516,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
>     $selected{'DCIPHER'}{'CAST5-CBC'} = '';
>     $selected{'DCIPHER'}{'BF-CBC'} = '';
>     $selected{'DCIPHER'}{'DES-CBC'} = '';
> -    # If no cipher has been chossen yet, select
> +    # If no cipher has been chosen yet, select
>     # the old default (AES-256-CBC) for compatiblity reasons.
>     if ($cgiparams{'DCIPHER'} eq '') {
> 	$cgiparams{'DCIPHER'} = 'AES-256-CBC';
> @@ -4668,13 +4668,13 @@ if ($cgiparams{'TYPE'} eq 'net') {
> 				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
> 				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
> 				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
> -				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
> -				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
> -				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='AES-256-CBC' 	 	$selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
> -				<option value='AES-192-CBC' 	 	$selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
> -				<option value='AES-128-CBC' 	 	$selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
> -				<option value='SEED-CBC' 			$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
> +				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='AES-256-CBC' 	 	$selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='AES-192-CBC' 	 	$selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='AES-128-CBC' 	 	$selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> +				<option value='SEED-CBC' 			$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> 				<option value='DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> 				<option value='DESX-CBC' 			$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> 				<option value='DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
> @@ -5052,7 +5052,7 @@ END
> 		}
>     }
> 
> -#default setzen
> +# set default values
>     if ($cgiparams{'DCIPHER'} eq '') {
> 		$cgiparams{'DCIPHER'} =  'AES-256-CBC';
>     }
> -- 
> 2.16.4



More information about the Development mailing list