[PATCH] OpenVPN: mark CBC ciphers as weak in WebUI

Michael Tremer michael.tremer at ipfire.org
Mon Jun 10 20:12:54 BST 2019


Hi,

> On 10 Jun 2019, at 20:08, Peter Müller <peter.mueller at ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your comments.
> 
>> Hi,
>> 
>> I think I can ACK this although we definitely should change the default. I have raised that a couple of times before.
> Yes. This is true for IPsec as well... Patch is in my pipeline…

Okay. Can we try to make a patchset out of things like this in the future?

That keeps things together and we can coordinate better when we merge this.

We have closed the last Core Update technically last week. Now we have some big changes here and I would prefer to not break the update but have it rather shipped as soon as possible.

>> 
>> I also do not like having a very long list of ciphers that are weak. There are not too many left which are “strong”. But yeah, what can you do?
> As far as I am concerned, there is little "strong" cryptography left indeed.
> It's basically only TLS >= 1.2 with AEAD (e.g. GCM) ciphers and Forward Secrecy.
> 
> Speaking about RFC 8446, this is more or less what survived discussions before
> standardizing TLS 1.3 ... :-)

Yeah I picked up on that too, but we have to make sure that we ensure compatibility.

OpenVPN is hard to update. People cannot migrate from a cipher to another one and not all versions support GCM.

-Michael

>> 
>> I will wait for Erik to ack this, too.
>> 
>> -Michael
> Thanks, and best regards,
> Peter Müller
> -- 
> The road to Hades is easy to travel.
> 	-- Bion of Borysthenes



More information about the Development mailing list