Hi,
On 15/12/17 11:07, Walter H. via Openvpn-users wrote:
> Hi folks,
> WinXP uses the latest package from here:
> https://openvpn.net/index.php/download/community-downloads.html
> ( OpenVPN 2.3.18 )
> and the Linux box is a CentOS 6 that uses the RPM package from EPEL
> ( OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017 )
> The Linux box is configured as a server.
> Every hour I get this in the logs on the server side:
> ... client/WINXP:2319 TLS: soft reset sec=0 bytes=19303/67108864 pkts=358/0
> ... client/WINXP:2319 VERIFY OK: depth=1, ###
> ... client/WINXP:2319 VERIFY OK: depth=0, ###
> ... client/WINXP:2319 peer info: IV_VER=2.3.18
> ... client/WINXP:2319 peer info: IV_PLAT=win
> ... client/WINXP:2319 peer info: IV_PROTO=2
> ... client/WINXP:2319 peer info: IV_GUI_VER=OpenVPN_GUI_10
> ... client/WINXP:2319 Outgoing Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
> ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
> ... client/WINXP:2319 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
> ... client/WINXP:2319 Incoming Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
> ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
> ... client/WINXP:2319 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
> ... client/WINXP:2319 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
> The tunnel works, and both sides have 'cipher=DES-EDE3-CBC' in their config,
> but when I change this cipher= entry to 'cipher=AES-256-CBC' as mentioned
> in the warning on both sides, it fails to get a connection. Why?
> I tested with CAMELLIA, AES, ... -> no connection; this 3DES seems to be
> the only cipher with a block size of more than 64(?) bit that works. Why?
> On the server side I have this config:
> port 1194
> proto udp
> dev tun
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh2048.pem
> server 10.1.1.0 255.255.255.0
> push "redirect-gateway def1"
> push "dhcp-option DNS 9.9.9.9"
> duplicate-cn
> cipher DES-EDE3-CBC
> keepalive 20 60
> comp-lzo
> persist-key
> persist-tun
> #daemon
> log-append /var/log/openvpn.log
> verb 3
I hope you changed it to
cipher aes-256-cbc
and not
cipher=aes-256-cbc
as otherwise it would not work. I've just tested your config in my setup
(CentOS 6 server w/ OpenVPN 2.4.4, WinXP client w/ OpenVPN 2.3.18) and
it "just works".
I'd also recommend adding a stronger HMAC algo e.g. add
cipher aes-256-cbc
auth sha256
on both ends.
HTH,
JJK
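The two points in the reply above (OpenVPN directives are whitespace-separated, so a `cipher=NAME` line is not a cipher directive at all, and a 64-bit-block cipher such as DES-EDE3-CBC draws the SWEET32 warning) can be checked mechanically before a config is deployed. The script below is an added example written for this thread, not code from OpenVPN or from either poster. The block-size table is taken from the cipher definitions themselves, the BF-CBC default and SHA1 HMAC default are OpenVPN 2.3/2.4 behaviour, and the two sample configs are constructed (the `remote` hostname is a placeholder).

```python
"""Lint and repair an OpenVPN 2.x config for the problems in the thread:
the 'cipher=NAME' typo (directives are whitespace-separated, so that line is
one unknown token, not a cipher directive), 64-bit-block ciphers that
OpenVPN 2.4 flags as SWEET32-prone, and the SHA1 HMAC default.
Added example, not code from OpenVPN or from the list posters."""
import re

# Block size in bits per cipher name (from the cipher specifications, not
# from the thread). OpenVPN 2.4 warns about anything below 128 bits.
BLOCK_SIZE_BITS = {
    "DES-CBC": 64, "DES-EDE3-CBC": 64, "BF-CBC": 64, "CAST5-CBC": 64,
    "AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128,
    "AES-128-GCM": 128, "AES-256-GCM": 128,
    "CAMELLIA-128-CBC": 128, "CAMELLIA-256-CBC": 128,
}
DEFAULT_CIPHER = "BF-CBC"        # OpenVPN 2.3/2.4 default when 'cipher' is absent
WEAK_AUTH = {"MD5", "SHA1", "NONE"}
RECOMMENDED_CIPHER, RECOMMENDED_AUTH = "AES-256-CBC", "SHA256"

# A single token such as 'cipher=aes-256-cbc': looks like a directive, is not.
EQUALS_TOKEN = re.compile(r"^(?P<name>[A-Za-z0-9-]+)=(?P<value>\S+)$")


def parse_config(text):
    """Yield (lineno, tokens) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            yield lineno, line.split()


def lint(text):
    """Return findings as (lineno, code, message); lineno 0 = whole file."""
    findings, cipher, auth = [], None, None
    for lineno, tokens in parse_config(text):
        m = EQUALS_TOKEN.match(tokens[0])
        if m and len(tokens) == 1:
            findings.append((lineno, "syntax",
                             f"'{tokens[0]}' is one unknown token; write '{m['name']} {m['value']}'"))
            continue
        name = tokens[0].lower()
        if name == "cipher" and len(tokens) > 1:
            cipher = tokens[1].upper()
            bits = BLOCK_SIZE_BITS.get(cipher)
            if bits is None:
                findings.append((lineno, "unknown-cipher",
                                 f"{cipher} not in table; check 'openvpn --show-ciphers'"))
            elif bits < 128:
                findings.append((lineno, "sweet32",
                                 f"{cipher} has a {bits}-bit block (SWEET32); use {RECOMMENDED_CIPHER}"))
        elif name == "auth" and len(tokens) > 1:
            auth = tokens[1].upper()
            if auth in WEAK_AUTH:
                findings.append((lineno, "weak-auth", f"auth {auth}; use auth {RECOMMENDED_AUTH}"))
    if cipher is None:
        findings.append((0, "cipher-default",
                         f"no 'cipher' directive; default {DEFAULT_CIPHER} has a 64-bit block"))
    if auth is None:
        findings.append((0, "auth-default",
                         f"no 'auth' directive; default HMAC is SHA1, add 'auth {RECOMMENDED_AUTH}'"))
    return findings


def fix_config(text):
    """Rewrite the config: repair '=' syntax, swap 64-bit-block ciphers, add auth."""
    out, have_cipher, have_auth = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            out.append(raw)             # comments and blank lines pass through
            continue
        tokens = line.split()
        m = EQUALS_TOKEN.match(tokens[0]) if len(tokens) == 1 else None
        if m:
            tokens = [m["name"], m["value"]]
        name = tokens[0].lower()
        if name == "cipher" and len(tokens) > 1:
            have_cipher = True
            if BLOCK_SIZE_BITS.get(tokens[1].upper(), 128) < 128:
                tokens[1] = RECOMMENDED_CIPHER
        elif name == "auth" and len(tokens) > 1:
            have_auth = True
            if tokens[1].upper() in WEAK_AUTH:
                tokens[1] = RECOMMENDED_AUTH
        out.append(" ".join(tokens))
    if not have_cipher:
        out.append(f"cipher {RECOMMENDED_CIPHER}")
    if not have_auth:
        out.append(f"auth {RECOMMENDED_AUTH}")
    return "\n".join(out) + "\n"


# Constructed samples: the server config from the thread (trimmed) and a
# client config with the typo the reply suspects. Hostname is a placeholder.
SERVER_CONF = """port 1194
proto udp
dev tun
server 10.1.1.0 255.255.255.0
push "redirect-gateway def1"
cipher DES-EDE3-CBC
keepalive 20 60
comp-lzo
"""
CLIENT_CONF_TYPO = """client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher=aes-256-cbc
"""

if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF_TYPO)):
        for lineno, code, msg in lint(conf):
            print(f"{label}:{lineno}: {code}: {msg}")
        print(f"--- fixed {label} config ---\n{fix_config(conf)}")
```

Run it on both ends of the tunnel: the server config yields the SWEET32 finding on its `cipher` line plus the missing `auth`, the client config with the `=` typo is reported as a syntax problem (and, because that line is not a real `cipher` directive, as falling back to the 64-bit-block default), and `fix_config` emits the `cipher AES-256-CBC` / `auth SHA256` pair the reply recommends for both sides.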
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users