OpenVPN INSECURE cipher with block size less than 128 bit (64 bit)

openvpn

(Ralf Jeckel) #1

It’s a minor thing, not really a bug, but with the original config-file downloaded from roadwarrior accounts, this message appears in the openvpn log:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

When I manually add cipher BF-CBC to the config file, the message disappears. No warning anymore.

To harden openvpn and to avoid this warning, I think the cipher should be automatically added to the openvpn-config-file.

What do you think @giacomo ?

EDIT: Or should the cipher be changed to AES-256-CBC or change from 128bit to a higher value in case of BF-CBC to harden OPENVPN at all?


(Michael Kicks) #2

Well… There are more modern cipher suites/algorithms than AES…


(Giacomo Sanchietti) #3

AFAIK you’re now encouraged from the UI to choose a better cipher which should be reported inside the client configuration.

Take a look at this: https://github.com/NethServer/dev/issues/5498

@stephdl do you confirm it?


(Stéphane de Labrusse) #4

AFAIK we harden the tunnel side but not the roadwarrior one, so indeed the default cipher is chosen for the roadwarrior side and it warns in logs


(Ralf Jeckel) #5

My package is 1.6.15, but I can’t find something about a cipher to choose in roadwarrior config.
I now use tls-version-min 1.2 and cipher AES-256-GCM via template-custom.
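
As an added example (not code from this thread, and not NethServer’s own template or Cockpit code), here is a POSIX shell check for the condition the warning in post #1 describes: it reads a client config, reports whether a cipher directive is present at all (before 2.5, OpenVPN’s compiled-in default was BF-CBC, a 64-bit block cipher, which is what triggers the SWEET32 warning), and flags any explicit 64-bit-block cipher. The two sample configs, the hostname and the directive set are constructed for the example; the hardened sample uses the tls-version-min 1.2 / cipher AES-256-GCM pair from post #5.

```shell
#!/bin/sh
# Audit an OpenVPN client config for the SWEET32 condition behind the warning
# "INSECURE cipher with block size less than 128 bit (64 bit)".
# Added example, not from the thread or the NethServer project.

# Constructed sample: a roadwarrior config with no explicit cipher line.
# Hostname and content are made up for the example.
SAMPLE_DEFAULT='client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
'

# Constructed sample: the same config with the hardening from post #5.
SAMPLE_HARDENED='client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
'

# Return 0 when the cipher name denotes a 64-bit block cipher
# (Blowfish, DES, 3DES, CAST5, IDEA, RC2), the family the warning refers to.
is_small_block_cipher() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        BF-*|DES-*|DES-EDE*|CAST5-*|IDEA-*|RC2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a config from stdin (or from a file given as argument) and print:
#   missing   - no "cipher" directive; the daemon falls back to its default
#   weak:NAME - an explicit cipher with a 64-bit block
#   ok:NAME   - a cipher with a 128-bit block (AES-*, CHACHA20-POLY1305, ...)
# If the directive appears more than once, the last one wins, as in OpenVPN.
check_cipher() {
    cipher=$(awk '$1 == "cipher" { c = $2 } END { print c }' "$@")
    if [ -z "$cipher" ]; then
        echo "missing"
    elif is_small_block_cipher "$cipher"; then
        echo "weak:$cipher"
    else
        echo "ok:$cipher"
    fi
}

# Print "yes" when tls-version-min is set to 1.2 or higher, else "no".
check_tls_min() {
    v=$(awk '$1 == "tls-version-min" { v = $2 } END { print v }' "$@")
    case "$v" in
        1.2|1.3) echo "yes" ;;
        *)       echo "no" ;;
    esac
}

# Usage: check_cipher < client.ovpn   (or: check_cipher client.ovpn)
printf '%s' "$SAMPLE_DEFAULT"  | check_cipher    # missing
printf '%s' "$SAMPLE_HARDENED" | check_cipher    # ok:AES-256-GCM
printf '%s' "$SAMPLE_HARDENED" | check_tls_min   # yes
```

Run it against the .ovpn file downloaded from the roadwarrior account: "missing" means the client will use the daemon’s default cipher and will keep logging the warning, while "weak:BF-CBC" means someone silenced the warning by pinning the 64-bit cipher explicitly, which is worse than leaving it unset.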


(Ralf Jeckel) #6

You are right:

image

This would be wonderful to have also for roadwarrior! :pray: :slightly_smiling_face:


(Stéphane de Labrusse) #7

Project card created https://github.com/orgs/NethServer/projects/1#card-12859259


(Giacomo Sanchietti) #8

Thank you for pointing it out, we will implement it directly on Cockpit. :wink:

I’m changing the category to “Feature”