OpenVPN INSECURE cipher with block size less than 128 bit (64 bit)

It’s a minor thing, not really a bug, but with the original config-file downloaded from roadwarrior accounts, this message appears in openvpn log:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

When I manually add cipher BF-CBC to the config file, the message disappears. No warning anymore.

To harden openvpn and to avoid this warning, I think the cipher should be automatically added to the openvpn-config-file.

What do you think @giacomo ?

EDIT: Or should the cipher be changed to AES-256-CBC or change from 128bit to a higher value in case of BF-CBC to harden OPENVPN at all?


Well… There are more modern cipher suites/algorithms than AES…

AFAIK you’re now encouraged from the UI to choose a better cipher which should be reported inside the client configuration.

Take a look at this: https://github.com/NethServer/dev/issues/5498

@stephdl do you confirm it?

AFAIK we harden the tunnel side but not the roadwarrior one, so indeed the default cipher is chosen for the roadwarrior side and it warns in logs.

My package is 1.6.15, but I can’t find something about a cipher to choose in roadwarrior config.
I now use tls-version-min 1.2 and cipher AES-256-GCM via template-custom.
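An added check, not code from this thread or from NethServer, that audits a roadwarrior profile for the two points raised above: a missing or 64-bit-block `cipher` directive (the SWEET32 warning) and the `tls-version-min 1.2` / `cipher AES-256-GCM` hardening. The sample profiles and the remote host name are constructed.

```python
"""Audit an OpenVPN client profile for 64-bit block ciphers (constructed example)."""

# Ciphers with a 64-bit block size. BF-CBC is the one from the thread;
# DES, 3DES and CAST5 also use 64-bit blocks and are affected by SWEET32.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_directives(profile: str) -> dict:
    """Return {directive: args}, skipping comments and inline <ca>/<cert>/<key> blocks."""
    directives, in_block = {}, False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):          # end of an inline file block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline file block
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def audit_profile(profile: str) -> list:
    """Return a list of findings; an empty list means the profile passes."""
    d, findings = parse_directives(profile), []
    cipher = d.get("cipher", "").upper()
    if not cipher:
        findings.append("no 'cipher' directive: the default 64-bit block cipher is used (SWEET32 warning)")
    elif cipher in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {cipher} has a 64-bit block size; use AES-256-GCM or AES-256-CBC")
    tls_min = d.get("tls-version-min", "")
    if not tls_min or float(tls_min.split()[0]) < 1.2:
        findings.append("add 'tls-version-min 1.2' so older TLS versions are refused on the control channel")
    return findings


# Constructed profiles: the weak one mirrors a default roadwarrior export,
# the hardened one adds the two directives mentioned in the thread.
WEAK_PROFILE = "client\ndev tun\nproto udp\nremote vpn.example.org 1194\n<ca>\n# placeholder\n</ca>\n"
HARDENED_PROFILE = WEAK_PROFILE + "tls-version-min 1.2\ncipher AES-256-GCM\n"

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(prof) or "OK")
```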

You are right:


This would be wonderful to have also for roadwarrior! :pray: :slightly_smiling_face:


Project card created https://github.com/orgs/NethServer/projects/1#card-12859259


Thank you for pointing it out, we will implement it directly on Cockpit. :wink:

I’m changing the category to “Feature”


New issue created for 7.6: https://github.com/NethServer/dev/issues/5632