OpenVPN INSECURE cipher with block size less than 128 bit (64 bit)


(Ralf Jeckel) #1

It’s a minor thing, not really a bug, but with the original config file downloaded from roadwarrior accounts, this message appears in the openvpn log:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

When I manually add cipher BF-CBC to the config file, the message disappears. No warning anymore.

To harden openvpn and to avoid this warning, I think the cipher should be automatically added to the openvpn-config-file.

What do you think @giacomo ?

EDIT: Or should the cipher be changed to AES-256-CBC or change from 128bit to a higher value in case of BF-CBC to harden OPENVPN at all?

(Michael Kicks) #2

Well… There are more modern cipher suites/algorithms than AES…

(Giacomo Sanchietti) #3

AFAIK you’re now encouraged from the UI to choose a better cipher which should be reported inside the client configuration.

Take a look at this:

@stephdl do you confirm it?

(Stéphane de Labrusse) #4

AFAIK we harden the tunnel side but not the roadwarrior one, so indeed the default cipher is chosen for the roadwarrior side and it warns in logs

(Ralf Jeckel) #5

My package is 1.6.15, but I can’t find something about a cipher to choose in roadwarrior config.
I now use tls-version-min 1.2 and cipher AES-256-GCM via template-custom.
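
A way to check a downloaded roadwarrior client config for the condition discussed in this thread, as an added example that is not part of any post here and not the project's own code. It assumes that a config without a `cipher` line falls back to BF-CBC (the built-in default of OpenVPN 2.4 and earlier) and treats the `tls-version-min 1.2` setting from the post above as the expected policy; the function names and sample configs are constructed for illustration.

```python
import re

# Cipher name prefixes with a 64-bit block, the class the SWEET32 warning covers.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")
# Assumption: with no "cipher" line the client falls back to BF-CBC,
# the built-in default of OpenVPN 2.4 and earlier.
DEFAULT_CIPHER = "BF-CBC"

def parse_directives(text):
    """Return {directive: [args]} from OpenVPN config text (simplified parser)."""
    directives = {}
    for raw in text.splitlines():
        # Drop comments introduced by '#' or ';', then surrounding whitespace.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lstrip("-")] = args
    return directives

def audit(text):
    """Report the effective data-channel cipher and any hardening findings."""
    d = parse_directives(text)
    explicit = bool(d.get("cipher"))
    cipher = d["cipher"][0].upper() if explicit else DEFAULT_CIPHER
    findings = []
    if not explicit:
        findings.append("no cipher directive, default %s applies" % DEFAULT_CIPHER)
    if cipher.startswith(SMALL_BLOCK_PREFIXES):
        findings.append("%s has a 64-bit block (SWEET32 warning)" % cipher)
    # Assumed policy: TLS 1.2 or higher must be requested explicitly.
    tls_min = (d.get("tls-version-min") or ["unset"])[0]
    if tls_min in ("unset", "1.0", "1.1"):
        findings.append("tls-version-min is %s, expected 1.2 or higher" % tls_min)
    return {"cipher": cipher, "explicit": explicit, "findings": findings}

# Constructed sample configs (not taken from the thread).
ORIGINAL = "client\ndev tun\nremote vpn.example.org 1194  # constructed host\n"
PINNED_BF = ORIGINAL + "cipher BF-CBC\n"
HARDENED = ORIGINAL + "tls-version-min 1.2\ncipher AES-256-GCM\n"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("pinned BF-CBC", PINNED_BF),
                       ("hardened", HARDENED)):
        result = audit(cfg)
        print(label, "->", result["cipher"], result["findings"] or "no findings")
```

The check reports on the cipher the config selects, so a config that names BF-CBC explicitly is still listed as using a 64-bit block cipher.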

(Ralf Jeckel) #6

You are right:


This would be wonderful to have also for roadwarrior! :pray: :slightly_smiling_face:

(Stéphane de Labrusse) #7

Project card created

(Giacomo Sanchietti) #8

Thank you for pointing it out, we will implement it directly on Cockpit. :wink:

I’m changing the category to “Feature”