Hi,

On Wed, Aug 05, 2020 at 12:20:54AM +0200, Arne Schwabe wrote:
> > Is that intentional?
> 
> Yes. That is intentional. If you do not have any cipher option in the
> config, there is nowadays a very high chance that you allow BF-CBC by
> "accident". I encountered this first-hand ("I do want to put as few
> options in a config as possible").

OK, I can see that line of reasoning.  This needs to be put very
prominently into the release notes.


Updating on server test success - with the core dump fix, but still
*no* "--cipher" in the server configs, I get

22...
Test sets succeeded: 8.
Test sets failed: 1 2 3 4 6.
23.small...
Test sets succeeded: none.
Test sets failed: 1 2 3 4.
23...
Test sets succeeded: 8 8a 9.
Test sets failed: 1 1a 1b 1d 2 2a 2b 2c 2d 3 4 5 6.
24...
Test sets succeeded: 1 1a 1b 1c 1d 1e 2 2b 2d 2e 3 5 6 8 8a 9.
Test sets failed: 2a 2c 4 4a.
master...
Test sets succeeded: 1 1a 1b 1c 1d 1e 2 2b 2c 2d 2e 3 5 5a 5b 5c 5d 5v1 5v2 5v3 
5w1 5w2 5w3 5w4 5x1 5x2 5x3 5x4 6 7 7x 8 8a 9 2f.
Test sets failed: 2a 4 4b.

so the 2.2/2.3-small/2.3 failures are expected.

2a and 2c (for 2.4) are expected, because that's "--ncp-disable".


4 got broken somewhat accidentally - this is the tap tests, relying on a
secondary client to be connected to ping "across the tap".  That client
is using pushed ccd ciphers, which fails in interesting ways

Aug  5 08:39:33 gentoo tap-udp-p2mp[2418]: 
freebsd-74-amd64/2001:608:0:814::f000:3 PUSH: No common cipher between server 
and client. Server data-ciphers: 'CAMELLIA-128-CBC', client supported ciphers 
'AES-256-GCM:AES-128-GCM'

but this error message is misleading - the client has 

  ncp-ciphers CAMELLIA-128-CBC:AES-256-GCM:AES-128-GCM

in its config, but it's a 2.4 client so cannot signal this to the master.


So we *will* break pushed ciphers to 2.4 clients with non-AEAD ciphers
here.  Any idea how to tackle this?


Test run with "cipher bf-cbc" in all server configs next...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
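Added illustration of the signalling gap discussed in the mail above (this is a small model written for this thread, not OpenVPN's own code): a 2.4 client only sends IV_NCP=2, which the server reads as the fixed AES-GCM pair, so a non-AEAD cipher in the client's ncp-ciphers never reaches the server. The assumption made by the model is that a 2.5 client advertises its configured list verbatim via IV_CIPHERS and that the server picks the first entry of its own data-ciphers that the client advertised.

```python
# Toy model of OpenVPN 2.5 server-side data-cipher negotiation, written for
# this thread (not OpenVPN's own code). It reproduces the "misleading error"
# case above: a 2.4 client configured with a non-AEAD cipher in ncp-ciphers
# cannot tell the server about it, so the server only sees the AES-GCM pair.

# What a 2.4 client is taken to support when it sends IV_NCP=2 (it does not
# send a cipher list at all; this fixed pair is what the server assumes).
IV_NCP2_CIPHERS = ("AES-256-GCM", "AES-128-GCM")


def advertised_ciphers(client_version, client_ncp_ciphers):
    """Return the cipher list the server learns from the client's peer-info.

    Assumption made by this model: a >= 2.5 client advertises its configured
    list verbatim via IV_CIPHERS, while a 2.4 client only sends IV_NCP=2,
    which the server interprets as the fixed AES-GCM pair regardless of the
    client's local ncp-ciphers setting.
    """
    if client_version >= (2, 5):
        return list(client_ncp_ciphers)
    return list(IV_NCP2_CIPHERS)


def select_cipher(server_data_ciphers, client_advertised):
    """Pick the first server-preferred cipher the client advertised, or None."""
    for cipher in server_data_ciphers:
        if cipher in client_advertised:
            return cipher
    return None


def negotiate(server_data_ciphers, client_version, client_ncp_ciphers):
    """Simulate the PUSH step. Returns (chosen_cipher, error_message).

    error_message is None on success; on failure it is formatted like the
    server log line quoted in the thread.
    """
    advertised = advertised_ciphers(client_version, client_ncp_ciphers)
    chosen = select_cipher(server_data_ciphers, advertised)
    if chosen is not None:
        return chosen, None
    msg = ("PUSH: No common cipher between server and client. "
           "Server data-ciphers: '%s', client supported ciphers '%s'"
           % (":".join(server_data_ciphers), ":".join(advertised)))
    return None, msg


def signalling_gap(server_data_ciphers, client_version, client_ncp_ciphers):
    """Ciphers both sides really have configured but the client could not
    signal. A non-empty result means the log message is misleading."""
    advertised = advertised_ciphers(client_version, client_ncp_ciphers)
    return [c for c in server_data_ciphers
            if c in client_ncp_ciphers and c not in advertised]


if __name__ == "__main__":
    # Values taken from the server log and client config quoted in the mail.
    server = ["CAMELLIA-128-CBC"]
    client = ["CAMELLIA-128-CBC", "AES-256-GCM", "AES-128-GCM"]
    print(negotiate(server, (2, 4), client))        # fails, server sees GCM only
    print(signalling_gap(server, (2, 4), client))   # ['CAMELLIA-128-CBC']
    print(negotiate(server, (2, 5), client))        # ('CAMELLIA-128-CBC', None)
    # Adding an AEAD cipher to the server's data-ciphers lets the 2.4 client in.
    print(negotiate(["AES-256-GCM", "CAMELLIA-128-CBC"], (2, 4), client))
```

The `signalling_gap` helper is the check that distinguishes "client really lacks the cipher" from "client has it but its version cannot say so"; in the thread's case it returns the CAMELLIA entry, which is exactly why the server log reads as misleading.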
