*** This bug is a security vulnerability *** Public security bug reported:
On xenial:

~$ openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DH-RSA-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DH-RSA-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DH-RSA-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DH-RSA-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DH-RSA-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DH-RSA-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DH-RSA-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DH-RSA-WITH-SEED-CBC-SHA
TLS-DH-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DH-RSA-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA

I suspect everything after the first mention of RC4 should be removed (inclusive of rc4, of course).

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openvpn 2.3.10-1ubuntu2
ProcVersionSignature: User Name 4.4.0-16.32-generic 4.4.6
Uname: Linux 4.4.0-16-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Thu Apr 7 18:18:12 2016
InstallationDate: Installed on 2016-02-11 (57 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160210)
ProcEnviron:
 TERM=rxvt-unicode
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug xenial

https://bugs.launchpad.net/bugs/1567717

Title:
  openvpn supports many cipher suites that it probably shouldn't
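
Added example, not part of the original report or of OpenVPN: a small Python audit of `openvpn --show-tls` output that compares the report's positional cut ("everything after the first RC4") with a name-based match on RC4, 3DES and DES-CBC3, then builds a `tls-cipher` allow-list line from what remains. The function names are hypothetical and SAMPLE is a constructed, abbreviated excerpt in the layout of the output quoted above.

```python
import re

# Constructed sample: abbreviated excerpt in the layout of the report's output.
SAMPLE = """\
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
DH-DSS-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
"""

SUITE = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")           # upper-case, dash-separated
WEAK = re.compile(r"(?:^|-)(?:RC4|3DES|DES-CBC3)(?:-|$)")   # RC4 and triple-DES spellings

def parse_show_tls(text):
    """Return suite names in listed order, skipping the header and the notes."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if fields and SUITE.match(fields[0]):
            suites.append(fields[0])
    return suites

def split_at_first_rc4(suites):
    """The report's rule: drop the first RC4 suite and everything listed after it."""
    for i, name in enumerate(suites):
        if "RC4" in name:
            return suites[:i], suites[i:]
    return suites, []

def split_by_name(suites):
    """Order-independent rule: drop any suite whose name contains a weak cipher."""
    keep = [s for s in suites if not WEAK.search(s)]
    drop = [s for s in suites if WEAK.search(s)]
    return keep, drop

def tls_cipher_line(keep):
    """Format the kept suites as an OpenVPN tls-cipher directive."""
    return "tls-cipher " + ":".join(keep)

if __name__ == "__main__":
    keep, drop = split_by_name(parse_show_tls(SAMPLE))
    print(tls_cipher_line(keep))
    print("dropped:", ", ".join(drop))
```

On the listing in this report both rules remove the same suites; the name-based rule keeps working if the preference order changes, while the positional cut depends on RC4 being listed before every 3DES suite.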