Hi Seth,
I think you are right to remove exploitable ciphers.
But then there is also the (bad) need of some to be able to connect e.g. legacy
systems.

I wouldn't mind so much about supporting the bad ciphers if one has to shoot 
(configure) himself to get them.
The manpage isn't too shy about what changing the default implies:
"Warning!  --tls-cipher is an expert feature, which - if used correctly - can
improve the security of your VPN connection.  But it is also easy to
unwittingly use it to carefully align a gun with your foot, or just break your
connection.  Use with care!"

But as the openvpn people pointed out on the linked bug:
"AFAIK that's a list of available ciphers, not usable or default. For example, 
there's even SRP ciphers which can't be used in OpenVPN."

Ok, I can accept that, but the man page about --tls-cipher states only:
The default for --tls-cipher [...] "DEFAULT:!EXP:!PSK:!SRP:!kRSA" when using 
OpenSSL.

It seems almost impossible to get the list what really is accepted from anybody.
So I wanted to know what that "Default" might be so that we can make better 
decisions here.

Also a good chance to debug our openvpn guide for 16.04
https://help.ubuntu.com/lts/serverguide/openvpn.html

Eventually, for debugging, I did not use the service but extra verbose direct calls:
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf

The default of a 16.04<->16.04 connection seems to be:
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seth, would you consider that as a default "safe" - SHA1 is "only" used
for HMAC authentication?

I had hopes I'd see something like a handshake exchange between client
and server of really supported ciphers and picking one in the log. But
there was none.

So I did a loop over all ciphers in "show-tls" to check which ones really would
work.
for cipher in $(openvpn --show-tls | awk '{gsub("\\(.*\\)",""); print $0}' | grep -- '-' | grep -v -- '--' | grep '^TLS' | sort); do
  echo "Testing: ${cipher}"
  sudo /usr/sbin/openvpn --tls-cipher ${cipher} --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

A few notes: the DH couldn't be translated to IANA names, if changing DH
to DHE they were equivalent to the TLS-DHE-... so I removed them.

As expected, quite a few ended up in:
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
or for the SRP/PSK cases
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available

Full log:
client: http://paste.ubuntu.com/15777811/
server: http://paste.ubuntu.com/15777817/

The reduced list of really "working" ciphers as it comes out-of-the-box thereby 
is:
Always TLSv1.2, cipher TLSv1/SSLv3, 2048 bit RSA 
EDH-RSA-DES-CBC3-SHA 
DHE-RSA-AES128-SHA 
DHE-RSA-AES128-SHA256 
DHE-RSA-AES128-GCM-SHA256 
DHE-RSA-AES256-SHA 
DHE-RSA-AES256-SHA256 
DHE-RSA-AES256-GCM-SHA384 
DHE-RSA-CAMELLIA128-SHA 
DHE-RSA-CAMELLIA256-SHA 
DHE-RSA-SEED-SHA 
DES-CBC3-SHA 
AES128-SHA 
AES128-SHA256 
AES128-GCM-SHA256 
AES256-SHA 
AES256-SHA256 
AES256-GCM-SHA384 
CAMELLIA128-SHA 
CAMELLIA256-SHA 
RC4-MD5 
RC4-SHA 
SEED-SHA

While at it I also checked for digests and ciphers.
for digest in $(openvpn --show-digests | awk '{gsub("\\(.*\\)",""); print $1}' | grep -- '-' | grep -v -- '--' | sort); do
  echo "Testing: ${digest}"
  sudo /usr/sbin/openvpn --auth ${digest} --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

for cipher in $(openvpn --show-ciphers | awk '{print $1}' | grep -- '-' | grep -v -- '--' | sort); do
  echo "Testing ${cipher}"
  sudo /usr/sbin/openvpn --cipher ${cipher} --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

Note: The settings for the data encryption and authentication "auth" and
"cipher" must be set to the same value on the server to let it really
"work", but with that done all could initialize.

So the full list of HMAC digests works:
DSA-SHA 
DSA-SHA1 
DSA-SHA1-old 
RSA-MD4 
RSA-MD5 
RSA-RIPEMD160 
RSA-SHA 
RSA-SHA1 
RSA-SHA1-2 
RSA-SHA224 
RSA-SHA256 
RSA-SHA384 
RSA-SHA512 
ecdsa-with-SHA1

As well as the full list of ciphers for Data transfer:
AES-128-CBC 
AES-128-CFB 
AES-128-CFB1 
AES-128-CFB8 
AES-128-OFB 
AES-192-CBC 
AES-192-CFB 
AES-192-CFB1 
AES-192-CFB8 
AES-192-OFB 
AES-256-CBC 
AES-256-CFB 
AES-256-CFB1 
AES-256-CFB8 
AES-256-OFB 
BF-CBC 
BF-CFB 
BF-OFB 
CAMELLIA-128-CBC 
CAMELLIA-128-CFB 
CAMELLIA-128-CFB1 
CAMELLIA-128-CFB8 
CAMELLIA-128-OFB 
CAMELLIA-192-CBC 
CAMELLIA-192-CFB 
CAMELLIA-192-CFB1 
CAMELLIA-192-CFB8 
CAMELLIA-192-OFB 
CAMELLIA-256-CBC 
CAMELLIA-256-CFB 
CAMELLIA-256-CFB1 
CAMELLIA-256-CFB8 
CAMELLIA-256-OFB 
CAST5-CBC 
CAST5-CFB 
CAST5-OFB 
DES-CBC 
DES-CFB 
DES-CFB1 
DES-CFB8 
DES-EDE-CBC 
DES-EDE-CFB 
DES-EDE-OFB 
DES-EDE3-CBC 
DES-EDE3-CFB 
DES-EDE3-CFB1 
DES-EDE3-CFB8 
DES-EDE3-OFB 
DES-OFB 
DESX-CBC 
RC2-40-CBC 
RC2-64-CBC 
RC2-CBC 
RC2-CFB 
RC2-OFB 
SEED-CBC 
SEED-CFB 
SEED-OFB

So overall we now know the "effective" list includes critical ones.
TLS: RC4-MD5, RC4-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
Digests: SHA1 - is that also critical in this use?
Ciphers: DES*

Seth - it is your call what should be considered dangerous.
Would you be so kind and go back with that info to the OpenVPN community on the 
ticket you opened there?

** Changed in: openvpn (Ubuntu)
       Status: New => Confirmed

** Changed in: openvpn (Ubuntu)
   Importance: Undecided => Medium
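
Added example, not part of the original message and not OpenVPN or Ubuntu code: a small filter that turns the output of the "Testing: <suite>" TLS loop above into one line per suite, giving the negotiated name (or FAILED) and flags for the RC4/DES/3DES suites the message calls critical. The function names, the flag labels and the sample log lines are constructed for this example, modelled on the log lines quoted in the message.

```shell
#!/bin/sh
# Added example: summarise the output of the "Testing: <suite>" loop.
# Prints one line per tested suite: <tested-name> <negotiated-name|FAILED> <flags|->
summarise() {
    awk '
    # Flag labels are shorthand chosen for this example, not OpenVPN/OpenSSL output.
    function flags(s,   f) {
        f = ""
        if (s ~ /RC4/) { f = f ",RC4" }
        if (s ~ /DES-CBC3/) { f = f ",3DES" } else if (s ~ /DES/) { f = f ",DES" }
        if (s ~ /-MD5$/) { f = f ",MD5" }
        # No DHE/EDH/ECDHE prefix: key exchange is not ephemeral Diffie-Hellman.
        if (s !~ /^(DHE|EDH|ECDHE)-/) { f = f ",no-DHE" }
        return (f == "") ? "-" : substr(f, 2)
    }
    function emit() {
        if (name != "") print name, result, (result == "FAILED" ? "-" : flags(result))
    }
    # A new "Testing:" line closes the previous suite; no Control Channel line means FAILED.
    /^Testing: / { emit(); name = $2; result = "FAILED"; next }
    /Control Channel: .*cipher / {
        line = $0
        sub(/.*cipher [^ ]+ /, "", line)  # drop everything up to the protocol token
        sub(/,.*/, "", line)              # drop the trailing ", 2048 bit RSA"
        result = line
    }
    END { emit() }
    '
}

# Constructed sample input, modelled on the log lines quoted in the message.
sample_log() {
    cat <<'EOF'
Testing: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Testing: TLS-RSA-WITH-RC4-128-MD5
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 RC4-MD5, 2048 bit RSA
Testing: TLS-RSA-WITH-3DES-EDE-CBC-SHA
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DES-CBC3-SHA, 2048 bit RSA
Testing: TLS-SRP-SHA-WITH-AES-128-CBC-SHA
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available
EOF
}

sample_log | summarise
```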

https://bugs.launchpad.net/bugs/1567717

Title:
  openvpn supports many cipher suites that it probably shouldn't
