openvpn supports many cipher suites that it probably shouldn't
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenVPN |
Unknown
|
Unknown
|
|||
openvpn (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Won't Fix
|
Medium
|
Unassigned |
Bug Description
On xenial:
~$ openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-SRP-
TLS-SRP-
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-
TLS-DHE-
DH-RSA-
TLS-DHE-
TLS-DHE-
TLS-DHE-
DH-RSA-
DH-DSS-
TLS-DHE-
TLS-DHE-
DH-RSA-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-
TLS-DHE-
DH-RSA-
DH-DSS-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-RSA-
TLS-RSA-
TLS-RSA-
TLS-RSA-
TLS-PSK-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDHE-
TLS-SRP-
TLS-SRP-
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-
TLS-DHE-
DH-RSA-
TLS-DHE-
TLS-DHE-
TLS-DHE-
DH-RSA-
DH-DSS-
TLS-DHE-
TLS-DHE-
DH-RSA-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-
TLS-DHE-
TLS-DH-
TLS-DH-
TLS-DHE-
TLS-DHE-
DH-RSA-
DH-DSS-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-ECDH-
TLS-RSA-
TLS-RSA-
TLS-RSA-
TLS-RSA-
TLS-RSA-
TLS-PSK-
TLS-ECDHE-
TLS-ECDHE-
TLS-ECDH-
TLS-ECDH-
TLS-RSA-
TLS-RSA-
TLS-PSK-
TLS-ECDHE-
TLS-ECDHE-
TLS-SRP-
TLS-SRP-
SRP-3DES-
TLS-DHE-
TLS-DHE-
DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-
TLS-ECDH-
TLS-RSA-
TLS-PSK-
I suspect everything after the first mention of RC4 should be removed (inclusive of rc4, of course).
Thanks
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openvpn 2.3.10-1ubuntu2
ProcVersionSign
Uname: Linux 4.4.0-16-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Thu Apr 7 18:18:12 2016
InstallationDate: Installed on 2016-02-11 (57 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160210)
ProcEnviron:
TERM=rxvt-unicode
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)
Hi Seth,
I think you are right to to remove exploitable ciphers.
But then there is also the (bad) need of some to be able to connect e.g. legacy systems.
I wouldn't mind so much about supporting the bad ciphers if one has to shoot (configure) himself to get them.
The manpage isn't to shy what it implies changing the default:
"Warning! --tls-cipher is an expert feature, which - if used correcly - can improve the security of your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care!"
But as the openvpn people pointed out on the linked bug:
"AFAIK that's a list of available ciphers, not usable or default. For example, there's even SRP ciphers which can't be used in OpenVPN."
Ok, I can accept that, but the man page about --tls-cipher states only: !EXP:!PSK: !SRP:!kRSA" when using OpenSSL.
The default for --tls-cipher [...] "DEFAULT:
It seems almost impossible to get the list what really is accepted from anybody.
So I wanted to know what that "Default" might be so that we can make better decisions here.
Also a good chance to debug our openvpn guide for 16.04 /help.ubuntu. com/lts/ serverguide/ openvpn. html
https:/
Eventually for debugging not used the service, but extra verbose direct calls: server. conf client. conf
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/
The default of a 16.04<->16.04 connection seems to be: AES256- GCM-SHA384, 2048 bit RSA
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-
Seth, would you consider that as a default "safe" - SHA1 is "only" used for HMAC authentication?
I had hopes I'd see something like an handshake exchange between client and server of really supported ciphers and picking one in the log. But there was none.
So I did a loop over all ciphers in "show-tls" to check which ones really would work. "\\(.*\ \)","") ; print $0}' | grep -- '-' | grep -v -- '--' | grep '^TLS' | sort); do client. conf; done
for cipher in $(openvpn --show-tls | awk '{gsub(
echo "Testing: ${cipher}"; sudo /usr/sbin/openvpn --tls-cipher ${cipher} --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/
A few notes: the DH couldn't be translated to IANA names, if changing DH to DHE they were equivalent to the TLS-DHE-... so I removed them.
As expected quite some ended up in: ssl3_get_ client_ hello:no shared cipher SSL23_CLIENT_ HELLO:no ciphers available
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:
or for the SRP/PSK cases
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:
Full log: paste.ubuntu. com/15777811/ paste.ubuntu. com/15777817/
client: http://
server: http://
The reduced list of really "working" ciphers as it comes out-of-the-box thereby is: DES-CBC3- SHA AES128- SHA256 AES128- GCM-SHA256
Always TLSv1.2, cipher TLSv1/SSLv3, 2048 bit RSA
EDH-RSA-
DHE-RSA-AES128-SHA
DHE-RSA-
DHE-RSA-
DHE-RSA-AES2...