Comment 2 for bug 1567717

Christian Ehrhardt  (paelzer) wrote :

Hi Seth,
I think you are right to remove exploitable ciphers.
But then there is also the (bad) need of some to be able to connect e.g. legacy systems.

I wouldn't mind so much about supporting the bad ciphers if one has to shoot (configure) himself to get them.
The manpage isn't too shy about what changing the default implies:
"Warning! --tls-cipher is an expert feature, which - if used correctly - can improve the security of your VPN connection. But it is also easy to unwittingly use it to carefully align a gun with your foot, or just break your connection. Use with care!"

But as the openvpn people pointed out on the linked bug:
"AFAIK that's a list of available ciphers, not usable or default. For example, there's even SRP ciphers which can't be used in OpenVPN."

Ok, I can accept that, but the man page about --tls-cipher states only:
The default for --tls-cipher [...] "DEFAULT:!EXP:!PSK:!SRP:!kRSA" when using OpenSSL.

It seems almost impossible to get the list of what really is accepted from anybody.
So I wanted to know what that "Default" might be so that we can make better decisions here.

Also a good chance to debug our openvpn guide for 16.04
https://help.ubuntu.com/lts/serverguide/openvpn.html

Eventually, for debugging I did not use the service, but extra verbose direct calls:
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf
sudo /usr/sbin/openvpn --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf

The default of a 16.04<->16.04 connection seems to be:
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Seth, would you consider that as a default "safe" - SHA1 is "only" used for HMAC authentication?

I had hopes I'd see something like a handshake exchange between client and server of really supported ciphers and picking one in the log. But there was none.

So I did a loop over all ciphers in "show-tls" to check which ones really would work.
for cipher in $(openvpn --show-tls | awk '{gsub("\\(.*\\)",""); print $0}' | grep -- '-' | grep -v -- '--' | grep '^TLS' | sort); do
  echo "Testing: ${cipher}"
  sudo /usr/sbin/openvpn --tls-cipher "${cipher}" --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

A few notes: the DH couldn't be translated to IANA names, if changing DH to DHE they were equivalent to the TLS-DHE-... so I removed them.

As expected quite some ended up in:
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
or for the SRP/PSK cases
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available

Full log:
client: http://paste.ubuntu.com/15777811/
server: http://paste.ubuntu.com/15777817/

The reduced list of really "working" ciphers as it comes out-of-the-box thereby is:
Always TLSv1.2, cipher TLSv1/SSLv3, 2048 bit RSA
EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-SEED-SHA
DES-CBC3-SHA
AES128-SHA
AES128-SHA256
AES128-GCM-SHA256
AES256-SHA
AES256-SHA256
AES256-GCM-SHA384
CAMELLIA128-SHA
CAMELLIA256-SHA
RC4-MD5
RC4-SHA
SEED-SHA

While at it I also checked for digests and ciphers.
for digest in $(openvpn --show-digests | awk '{gsub("\\(.*\\)",""); print $1}' | grep -- '-' | grep -v -- '--' | sort); do
  echo "Testing: ${digest}"
  sudo /usr/sbin/openvpn --auth "${digest}" --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

for cipher in $(openvpn --show-ciphers | awk '{print $1}' | grep -- '-' | grep -v -- '--' | sort); do
  echo "Testing ${cipher}"
  sudo /usr/sbin/openvpn --cipher "${cipher}" --verb 11 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf
done

Note: The settings for the data encryption and authentication "auth" and "cipher" must be set to the same value on the server to let it really "work" but that done all could initialize.

So the full list of HMAC digests works:
DSA-SHA
DSA-SHA1
DSA-SHA1-old
RSA-MD4
RSA-MD5
RSA-RIPEMD160
RSA-SHA
RSA-SHA1
RSA-SHA1-2
RSA-SHA224
RSA-SHA256
RSA-SHA384
RSA-SHA512
ecdsa-with-SHA1

As well as the full list of ciphers for Data transfer:
AES-128-CBC
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-OFB
AES-192-CBC
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-OFB
AES-256-CBC
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-OFB
BF-CBC
BF-CFB
BF-OFB
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-OFB
CAST5-CBC
CAST5-CFB
CAST5-OFB
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-EDE-CBC
DES-EDE-CFB
DES-EDE-OFB
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
DES-EDE3-OFB
DES-OFB
DESX-CBC
RC2-40-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-OFB
SEED-CBC
SEED-CFB
SEED-OFB

So overall we now know the "effective" list includes critical ones.
TLS: RC4-MD5, RC4-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
Digests: SHA1 - is that also critical in this use?
Ciphers: DES*

Seth - it is your call what should be considered dangerous.
Would you be so kind and go back with that info to the OpenVPN community on the ticket you opened there?
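
Added example, not part of the original comment: one way to reduce the output of the --tls-cipher loop above to a per-cipher result table instead of reading the verbose logs by hand. The function names and the sample log are constructed for illustration (the log reuses the message formats quoted in the comment), and it assumes each run's log lines follow its "Testing:" marker.

```shell
#!/bin/sh
# Added example: summarize the output of the --tls-cipher test loop.
# Reads "Testing: <name>" markers followed by OpenVPN log lines on stdin and
# prints one result line per tested cipher.
classify_tls_log() {
    awk '
    function emit() {
        if (name != "") print name, (result == "" ? "unknown" : result)
    }
    /^Testing: /           { emit(); name = $2; result = ""; next }
    /no shared cipher/     { result = "rejected:no-shared-cipher" }
    /no ciphers available/ { result = "rejected:no-ciphers-available" }
    /Control Channel: / {
        # The negotiated OpenSSL suite name is the second word after "cipher".
        n = split($0, f, " "); suite = ""
        for (i = 1; i < n - 1; i++)
            if (f[i] == "cipher") { suite = f[i + 2]; sub(/,$/, "", suite) }
        # RC4 and DES/3DES are the TLS suites the comment lists as critical.
        result = "negotiated:" suite ":" ((suite ~ /RC4|DES/) ? "flagged" : "ok")
    }
    END { emit() }
    '
}

# Constructed sample input (hypothetical run of the loop, not a real log).
sample_log() {
    cat <<'EOF'
Testing: TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Testing: TLS-RSA-WITH-RC4-128-SHA
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 RC4-SHA, 2048 bit RSA
Testing: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Testing: TLS-SRP-SHA-WITH-AES-128-CBC-SHA
TLS_ERROR: BIO read tls_read_plaintext error: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available
EOF
}

sample_log | classify_tls_log
```

To use it on a real run, redirect the loop's output to a file and feed that file to classify_tls_log; a cipher that produced none of the three recognized lines is reported as "unknown".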