OpenVPN INSECURE cipher with block size less than 128 bit (64 bit)

flatspin · 2018-09-10 08:55:30 UTC

It’s a minor thing, not really a bug, but with the original config-file downloaded from roadwarrior accounts, this messages appears in openvpn log:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

When I manually add cipher BF-CBC to the config file, the message disappers. No warning anymore.

To harden openvpn and to avoid this warning, I think the cipher should be automatically added to the openvpn-config-file.

What do you think @giacomo ?

EDIT: Or should the cipher be changed to AES-256-CBC or change from 128bit to a higher value in case of BF-CBC to harden OPENVPN at all?

pike · 2018-09-10 13:06:28 UTC

Well… There are more modern cypher suite/algorithm than AES…

giacomo · 2018-09-10 13:39:44 UTC

AFAIK you’re now encouraged from the UI to choose a better cipher which should be reported inside the client configuration.

Take a look at this: https://github.com/NethServer/dev/issues/5498

@stephdl do you confirm it?

stephdl · 2018-09-10 14:13:11 UTC

AFAIK we harden the tunnel side but not the roadwarrior one, so indeed the default cipher is chosen for the roadwarrior side and it warns in logs

flatspin · 2018-09-10 14:16:50 UTC

My package is 1.6.15, but I can’t find something about a cipher to choose in roadwarrior config.
I now use tls-version-min 1.2 and cipher AES-256-GCM via template-custom.

flatspin · 2018-09-10 14:29:04 UTC

You are right:

This would be wonderfull to have also for roadwarrior!

stephdl · 2018-09-10 15:47:23 UTC

Project card created https://github.com/orgs/NethServer/projects/1#card-12859259

giacomo · 2018-09-11 07:10:06 UTC

Thank you for pointing it out, we will implement it directly on Cockpit.

I’m changing the category to “Feature”