Hi,
On Fri, Dec 10, 2021 at 02:06:51PM +0100, Arne Schwabe wrote:
> Patch v3: fix errors with mbed TLS without having md_kt to const char * patch also applied, fix logic inversion in tls_crypt_tk
Thanks, this is much better than v2 - now all client-side tests pass
that led to "openvpn exiting" previously, or SIGSEGV'ing.
*BUT* - it totally fails to work on a connection that negotiates BF-CBC,
though, both with mbedTLS 2.27.0 and with OpenSSL 1.1.1l - I did not see
it in the client side tests first (because I only ran a limited subset),
but it is easily triggered by connecting to a 2.3 server, requiring
fallback to BF-CBC.
It also fails all server side tests that end up in trying to use BF-CBC
(long e-mail cut short).
Most notable indication is: with an older binary, I get these lines
in the log:
2021-12-10 15:53:14 us=406619 cron2-freebsd-tc-amd64-24/194.97.140.21:40161
Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
2021-12-10 15:53:14 us=406645 cron2-freebsd-tc-amd64-24/194.97.140.21:40161
WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
This allows attacks like SWEET32. Mitigate by using a --cipher with a larger
block size (e.g. AES-256-CBC). Support for these insecure ciphers will be
removed in OpenVPN 2.6.
which are totally missing (!) for master + 7/9v3.
On further study, this is not so much "NCP" failing here, but "BF-CBC",
I think. If I call up a client with "--data-ciphers BF-CBC", I see
on the server
2021-12-10 16:00:25 us=273260 194.97.140.21:42770 peer info: IV_VER=2.6_git
2021-12-10 16:00:25 us=273293 194.97.140.21:42770 peer info: IV_PLAT=freebsd
2021-12-10 16:00:25 us=273307 194.97.140.21:42770 peer info: IV_CIPHERS=BF-CBC
2021-12-10 16:00:25 us=273322 194.97.140.21:42770 peer info: IV_PROTO=30
...
2021-12-10 16:00:25 us=283465 Outgoing Data Channel: Using 160 bit message hash
'SHA1' for HMAC authentication
2021-12-10 16:00:25 us=283527 Incoming Data Channel: Using 160 bit message hash
'SHA1' for HMAC authentication
2021-12-10 16:00:25 us=283561 WARNING: cipher with small block size in use,
reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2021-12-10 16:00:25 us=283622 SENT CONTROL [cron2-freebsd-tc-amd64]:
'PUSH_REPLY,route 10.204.0.0 255.255.0.0,route-ipv6
fd00:abcd:204::/48,tun-ipv6,route 10.204.2.0 255.255.255.0,topology net30,ping
10,ping-restart 30,compress lz4,ifconfig-ipv6 fd00:abcd:204:2::1000/64
fd00:abcd:204:2::1,ifconfig 10.204.2.6 10.204.2.5,peer-id 0,cipher
BF-CBC,key-derivation tls-ekm' (status=1)
... but it is also never initializing BF-CBC for the data channel...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
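A log check for the symptom reported above, as an added example that is not part of the original mail or of OpenVPN: it compares the cipher sent in the PUSH_REPLY with the "Data Channel: Cipher ... initialized" lines. The sample logs are constructed, the function and variable names are hypothetical, and each call is assumed to receive the server log of a single connection.

```python
import re

# Message formats follow the log lines quoted in the mail above; the
# "Incoming ... Cipher" form is assumed to mirror the "Outgoing" one.
PUSHED = re.compile(r"PUSH_REPLY[^']*,cipher ([^,']+)")
INITIALIZED = re.compile(
    r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)' initialized")


def check_data_channel(log_lines):
    """Return a list of findings for one connection's server log.

    An empty list means the pushed cipher was initialized in both
    directions (assumption: log_lines covers exactly one connection).
    """
    pushed, initialized = None, set()
    for line in log_lines:
        if (m := PUSHED.search(line)):
            pushed = m.group(1)
        if (m := INITIALIZED.search(line)):
            initialized.add((m.group(1), m.group(2)))
    if pushed is None:
        return ["no cipher found in PUSH_REPLY"]
    return [f"{d} data channel never initialized with pushed cipher {pushed}"
            for d in ("Outgoing", "Incoming") if (d, pushed) not in initialized]


# Constructed sample logs (documentation-range address, hypothetical client name).
PREFIX = "2021-12-10 16:00:25 us=283622 client1/192.0.2.10:40161 "
WORKING = [
    PREFIX + "Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key",
    PREFIX + "Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key",
    PREFIX + "SENT CONTROL [client1]: 'PUSH_REPLY,topology net30,"
             "peer-id 0,cipher BF-CBC' (status=1)",
]
BROKEN = [
    PREFIX + "Outgoing Data Channel: Using 160 bit message hash 'SHA1' "
             "for HMAC authentication",
    PREFIX + "Incoming Data Channel: Using 160 bit message hash 'SHA1' "
             "for HMAC authentication",
    PREFIX + "SENT CONTROL [client1]: 'PUSH_REPLY,topology net30,"
             "peer-id 0,cipher BF-CBC,key-derivation tls-ekm' (status=1)",
]

if __name__ == "__main__":
    for name, log in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_data_channel(log) or "ok")
```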
