Ubuntu
openvpn package

openvpn supports many cipher suites that it probably shouldn't

Bug #1567717 reported by Seth Arnold
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenVPN
Unknown
Unknown
openvpn (Ubuntu)
Fix Released
Medium
Unassigned
Xenial
Won't Fix
Medium
Unassigned

Bug Description

On xenial:

~$ openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DH-RSA-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DH-RSA-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DH-RSA-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DH-RSA-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DH-RSA-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DH-RSA-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DH-RSA-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DH-RSA-WITH-SEED-CBC-SHA
TLS-DH-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DH-RSA-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA

I suspect everything after the first mention of RC4 should be removed (inclusive of rc4, of course).

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openvpn 2.3.10-1ubuntu2
ProcVersionSignature: User Name 4.4.0-16.32-generic 4.4.6
Uname: Linux 4.4.0-16-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Thu Apr 7 18:18:12 2016
InstallationDate: Installed on 2016-02-11 (57 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160210)
ProcEnviron:
 TERM=rxvt-unicode
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Download full text (5.5 KiB)

Hi Seth,
I think you are right to to remove exploitable ciphers.
But then there is also the (bad) need of some to be able to connect e.g. legacy systems.

I wouldn't mind so much about supporting the bad ciphers if one has to shoot (configure) himself to get them.
The manpage isn't to shy what it implies changing the default:
"Warning! --tls-cipher is an expert feature, which - if used correcly - can improve the security of your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care!"

But as the openvpn people pointed out on the linked bug:
"AFAIK that's a list of available ciphers, not usable or default. For example, there's even SRP ciphers which can't be used in OpenVPN."

Ok, I can accept that, but the man page about --tls-cipher states only:
The default for --tls-cipher [...] "DEFAULT:!EXP:!PSK:!SRP:!kRSA" when using OpenSSL.

It seems almost impossible to get the list what really is accepted from anybody.
So I wanted to know what that "Default" might be so that we can make better decisions here.

Also a good chance to debug our openvpn guide for 16.04
https://help.ubuntu.com/lts/serverguide/openvpn.html

Eventually for debugging not used the service, but extra verbose direct calls:
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf

The default of a 16.04<->16.04 connection seems to be:
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seth, would you consider that as a default "safe" - SHA1 is "only" used for HMAC authentication?

I had hopes I'd see something like an handshake exchange between client and server of really supported ciphers and picking one in the log. But there was none.

So I did a loop over all ciphers in "show-tls" to check which ones really would work.
for cipher in $(openvpn --show-tls | awk '{gsub("\\(.*\\)",""); print $0}' | grep -- '-' | grep -v -- '--' | grep '^TLS' | sort); do
echo "Testing: ${cipher}"; sudo /usr/sbin/openvpn --tls-cipher ${cipher} --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf; done

A few notes: the DH couldn't be translated to IANA names, if changing DH to DHE they were equivalent to the TLS-DHE-... so I removed them.

As expected quite some ended up in:
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
or for the SRP/PSK cases
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available

Full log:
client: http://paste.ubuntu.com/15777811/
server: http://paste.ubuntu.com/15777817/

The reduced list of really "working" ciphers as it comes out-of-the-box thereby is:
Always TLSv1.2, cipher TLSv1/SSLv3, 2048 bit RSA
EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES2...

Read more...

Changed in openvpn (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Depending how we proceed with that we could also address #2 of bug 1379132

Revision history for this message
Merlijn Sebrechts (merlijn-sebrechts) wrote :

Update:

Bug has been patched upstream: https://community.openvpn.net/openvpn/ticket/673

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks Merlijn for the link.
That means that 2.3.11 is fixed which in turn means >=Yakkety is fine.

Seth, what is the security Teams position on that for Xenial now?

Changed in openvpn (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Medium
Changed in openvpn (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Christian; I think we can probably close this due to "The --cipher and --auth options are not negotiable, so I see less risk there" in the upstream ticket. There's doubtless higher-priority things to work on than preventing poor security configurations.

Thanks

Changed in openvpn (Ubuntu Xenial):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.