On Sun, Nov 27, 2022 at 09:32:28PM +0100, Arne Schwabe wrote:
> We expect a number of configuration to no longer work with OpenVPN
> 2.6 and OpenSSL 3.0. This section tries to explain the most common
> errors that will come up and how to work around them.
> 
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
>  Changes.rst | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 84 insertions(+)
> 
> diff --git a/Changes.rst b/Changes.rst
> index c532d47f0..c470efa6e 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -196,6 +196,90 @@ User-visible Changes
>    software that enumerates interfaces, looking for "broadcast capable?" and
>    expecting certain results.  Normal uses should not see any difference.
>  
> +- The default configuration will no longer allow connection to OpenVPN 2.3.x
> +  or earlier, use the new ``--compat-mode`` option if you need compatibility
> +  with older version. See the manual page for details.

"versions"?

> +
> +Common errors with OpenSSL 3.0 and OpenVPN 2.6
> +----------------------------------------------
> +Both OpenVPN 2.6 and OpenSSL 3.0 tighten the security considerable, so some
> +configuration will no longer work. This section will cover the most common
> +error we have seen and explain their reason and temporary workarounds. You

"errors"
"reason" -> "cause" ?

> +should fix the problems since these workaround are not secure and will

"problems" -> "underlying problems as soon as possible"

> +eventually stop working in a future update.
> +
> +- weak SHA1 or MD5 signature on certificates
> +
> +  This will happen on either loading of certificates or on connection
> +  to a server::
> +  
> +      OpenSSL: error:0A00018E:SSL routines::ca md too weak
> +      Cannot load certificate file cert.crt
> +      Exiting due to fatal error
> +
> +  OpenSSL 3.0 no longer allows weak singatures on certificates. You can
> +  downgrade your security to allow  by using ``--tls-cert-profile insecure``

"allow" -> "allow them"

> +  but should replace/regenerate these certificates as soon as possible.
> +
> +
> +- 1024 bit RSA certificates, 1024 bit DH parameters, other weak keys
> +
> +  This happens if you private keys or other cryptographic material that

"you" -> "you use"

> +  does not meet today's cryptographic standards anymore. Messages are
> +  similar to::
> +
> +      OpenSSL: error:0A00018F:SSL routines::ee key too small
> +      OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
> +  
> +  DH parameters (``--dh``) can be regenerated them with

remove "them"

> +  ``openssl dhparam 2048``. For other cryptographic keys, these keys
> +  and certificates need to regnerate. TLS Security level can be temporarily

"regnerate" -> "be regenerated". But the sentence is still bad due to the
repetition of "regenerate". Don't have a good replacement, though.

> +  lowered until the problem is addressed with ``tls-cert-profile legacy`` or

remove "until the problem is addressed", it is implied anyway.
"--tls-cert-profile" for consistency.

> +  even ``tls-cert-profile insecure``.
> +
> +- Connecting to a OpenVPN 2.3.x server or allowing OpenVPN 2.3.x or earlier
> +  clients
> +
> +  This will normally result in messages like::
> +
> +     OPTIONS ERROR: failed to negotiate cipher with server.  Add the 
> server's cipher ('AES-128-CBC') to --data-ciphers (currently 
> 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this 
> server.
> +
> +     or
> +
> +     client/127.0.0.1:49954 SENT CONTROL [client]: 'AUTH_FAILED,Data channel 
> cipher negotiation failed (no shared cipher)' (status=1)
> +
> +  You can manually add the missing cipher to the ``--data-ciphers`` or use
> +  the ``--compat-mode`` option. Note that these message can also indicate

"messages", or "this"

> +  other cipher configuration. See the data channel cipher negotiation manual

missing "problems"?

> +  for more details (Available online under
> +  
> https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst)

Might want to use 
https://build.openvpn.net/man/openvpn-2.6/openvpn.8.html#data-channel-cipher-negotiation
 instead?
Doesn't exist yet, but will be created on Alpha release.

> +
> +- Use of a legacy 64bit block ciphers or another deprecated cipher

"another" -> "other"
"cipher" -> "ciphers"

> +
> +  OpenSSL 3.0 no longer a number of insecure and outdated ciphers. Some of

missing "supports"?

> +  these cipehrs are known vulnerable (SWEET32 attack).

"ciphers"

> +
> +  This will typically manifest itself in messages like::
> +
> +      OpenSSL: error:0308010C:digital envelope routines::unsupported
> +      Cipher algorithm 'BF-CBC' not found
> +      Unsupported cipher in --data-ciphers: BF-CBC
> +
> +  If your OpenSSL distribution comes with the legacy provider, it will allow 
> to
> +  load a legacy provider that contains the old providers. In this case you 
> can

"it will allow ..." -> "you can load it to enable support for the old ciphers".
Remove "In this case".

> +  use ``--providers legacy default`` to load the legacy cipher provider.
> +
> +- OpenVPN version not supporting TLS 1.2 or later
> +
> +  The default in OpenVPN 2.6 and also in many distributions is now TLS 1.2.
> +  Connecting to peer that does not support this will results in messages 
> like::

"a peer"

> +
> +    TLS error: Unsupported protocol. This typically indicates that client 
> and server have no common TLS version enabled. This can be caused by 
> mismatched tls-version-min and tls-version-max options on client and server. 
> If your OpenVPN client is between v2.3.6 and v2.3.2 try adding 
> tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of 
> TLS 1.0 only

Line breaks?

> +    OpenSSL: error:0A000102:SSL routines::unsupported protocol
> +
> +  This can be an OpenVPN 2.3.6 or earlier version. ``compat-version 2.3.0`` 
> will
> +  enable TLS 1.0 support if supported by the OpenSSL distribution. Note that
> +  on some Linux distributions enabling TLS 1.1 or 1.0 is not possible.
>  
>  Overview of changes in 2.5
>  ==========================
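Review bot: the last added item ("OpenVPN version not supporting TLS 1.2 or later") tells the reader to use ``compat-version 2.3.0``, but the option introduced in the first added bullet and referenced again in the cipher negotiation item is ``--compat-mode``; unless a separate ``--compat-version`` option exists, this should read ``--compat-mode 2.3.0`` so all three mentions agree. A few wording slips not raised above: "tighten the security considerable, so some configuration" should be "tighten security considerably, so some configurations"; "weak singatures" should be "weak signatures"; "Connecting to a OpenVPN 2.3.x server" needs "an"; "will results in messages" should be "will result in messages"; and in the legacy cipher item "a legacy provider that contains the old providers" presumably means "the old ciphers". In the "1024 bit RSA" item, ``openssl dhparam 2048`` writes the parameters to stdout, so ``openssl dhparam -out dh2048.pem 2048`` would give the reader a file to point ``--dh`` at. Also in that item the two sample lines use different error layouts: ``error:0A00018F:SSL routines::ee key too small`` has the empty function field of OpenSSL 3.0, while ``error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small`` is the pre-3.0 layout with a function name; since the section is about OpenSSL 3.0 it may be worth capturing the 3.0 form of the DH message, or noting that the exact text differs between OpenSSL versions.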

Regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
