(Initial commit) |
(→Release Notes: Rephrased and tried to clarify a bit) |
||
(11 intermediate revisions by 3 users not shown) | |||
Line 19: | Line 19: | ||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
= | = New default cipher in OpenVPN <!-- The name of your change proposal --> = | ||
== Summary == | == Summary == | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | ||
Since the discovery of the [https://sweet32.info/ SWEET32] flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses BF-128-CBC as the default cipher. | Since the discovery of the [https://sweet32.info/ SWEET32] flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (<code>BF-128-CBC</code>) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to <code>AES-256-GCM</code> while in parallel allowing clients to connect using <code>AES-256-CBC</code>, <code>AES-128-CBC</code> or the deprecated <code>BF-CBC</code>, | ||
This proposal will make use of that possibility by modifying the openvpn-server@.service unit file slightly. | |||
Line 31: | Line 33: | ||
This should link to your home wiki page so we know who you are. | This should link to your home wiki page so we know who you are. | ||
--> | --> | ||
* Name: [[User: | * Name: [[User:Dsommers|David Sommerseth]] | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: davids@openvpn.net | * Email: davids@openvpn.net | ||
Line 54: | Line 56: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1479270 #1479270] | ||
== Detailed Description == | == Detailed Description == | ||
Line 65: | Line 67: | ||
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf | ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf | ||
By adding <code>--cipher AES-256-GCM --ncp-ciphers AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC</code> before the <code>--config</code> option, the default cipher will be modified. The <code>--ncp-ciphers</code> list allows clients to use any of the listed ciphers as well. The new line will look like this: | By adding <code>--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC</code> before the <code>--config</code> option, the default cipher will be modified. The <code>--ncp-ciphers</code> list allows clients to use any of the listed ciphers as well. The new line will look like this: | ||
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf | ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf | ||
This will result in the following: | This will result in the following: | ||
Line 91: | Line 93: | ||
<!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do other developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
* Release engineering: | * Release engineering: [https://pagure.io/releng/issue/6908 #6908] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES --> | ||
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | <!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)? Is a mass rebuild required? include a link to the releng issue. | ||
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication --> | ||
Line 165: | Line 167: | ||
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? N/A (not a System Wide Change), | * Blocks release? N/A (not a System Wide Change), No <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
* Blocks product? | * Blocks product? N/A <!-- Applicable for Changes that blocks specific product release/Fedora.next --> | ||
== Documentation == | == Documentation == | ||
<!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | <!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. --> | ||
This builds upon the | This builds upon the Negotiable Crypto Parameters (NCP) features found in OpenVPN v2.4. For more information, look at the <code>--ncp-ciphers</code> and <code>--ncp-disable</code> options in the man page. | ||
Line 179: | Line 181: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure | OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm (BF-CBC) using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure existing client configurations will not break, the new <code>--ncp-ciphers</code> have been set to allow clients to use AES-GCM, AES-CBC and BF-CBC ciphers by default. Both 128 and 256 bits key lengths are accepted for AES-GCM and AES-CBC. This allows existing clients to both connect and gradually be migrated one-by-one over time by only updating the <code>--cipher</code> option in the client configuration to one of the ciphers enlisted in <code>--ncp-ciphers</code>. At the same time, all OpenVPN 2.4 clients will automatically upgrade to AES-256-GCM by default without changing any configuration. Until clients have migrated to AES-256-GCM there might be some warnings in the log files about different cipher and key length between server and client; these can in most cases be ignored - but serves as a reference point to clients needing to be migrated. | ||
[[Category: | [[Category:ChangeAcceptedF27]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 11:32, 27 October 2017
New default cipher in OpenVPN
Summary
Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (BF-128-CBC
) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to AES-256-GCM
while in parallel allowing clients to connect using AES-256-CBC
, AES-128-CBC
or the deprecated BF-CBC
,
This proposal will make use of that possibility by modifying the openvpn-server@.service unit file slightly.
Owner
- Name: David Sommerseth
- Email: davids@openvpn.net
- Release notes owner:
Current status
Detailed Description
There have been two independent security audits of OpenVPN recently, performed by QuarksLab SAS and Cryptography Engineering. Both recommeds moving away from the default Blowfish cipher (BF/BF-CBC) to a stronger cipher.
The concept is fairly simple. In today's openvpn-server@.service systemd unit file the following command line is used to start OpenVPN:
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
By adding --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
before the --config
option, the default cipher will be modified. The --ncp-ciphers
list allows clients to use any of the listed ciphers as well. The new line will look like this:
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf
This will result in the following:
- OpenVPN 2.4 based clientswill automatically upgrade to AES-256-GCM, regardless if they have
--cipher
in their configuration file or not. For OpenVPN v2.4 configurations not wanting this cipher upgrade, the client configuration needs to deploy--ncp-disable
. - OpenVPN 2.3 based clients and older (and v2.4 clients using
--ncp-disable
in the client configuration) can connect to the server using any of the--ncp-ciphers
list; this is what is called "poor man's cipher negotiation" by the upstream OpenVPN developers. - Any client not providing
--cipher
defaults to BF-CBC. These clients should still be able to connect to the server as the server allows BF-CBC through--ncp-ciphers
.
If an already configured OpenVPN v2.4 based server configuration deploys --cipher
and/or --ncp-ciphers
, the options in the configuration file will override command line options set before --config
. This should not break any existing configuration.
The log files will still complain about the use of BF-CBC if a client uses that. But the advantage is that OpenVPN v2.3 and older clients can be updated one-by-one, by adding the recommended --cipher AES-256-CBC
option in the client configurations in their own pace, independent of the server - or upgrade to OpenVPN v2.4 or newer.
Benefit to Fedora
This enhances the default OpenVPN configurations by allowing users to seamlessly upgrade to a stronger cipher in a controlled way without breaking existing client connections.
Scope
- Proposal owners: Patch the openvpn-server@.service unit file which adds the
--cipher
and--ncp-ciphers
options.
- Other developers: N/A (not a System Wide Change)
- Release engineering: #6908 (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
This change should not require any initial configuration changes for users or server admins. After this change, clients using OpenVPN v2.3 or older should consider to add --cipher AES-256-CBC
to their client configuration files to enable a stronger and safer cipher. But this is not required and old existing client configuration files should continue to work.
N/A (not a System Wide Change)
How To Test
Generic test script:
- Create a simple CA (using easy-rsa, XCA, TinyCA, etc) and issue a server certificate and at least one client certificate
- Prepare a simple server and client configuration file, utilizing
--ca
,--cert
,--key
. Also use a--verb
level between 2 and 4 to get enough details about the established connections. - Put the server configuration into
/etc/oepnvpn/server
and the client configuration on a different host into/etc/openvpn/client/
(unless the client us a non-systemd based client, eg Windows client) - Start the server by running
systemctl start openvpn-server@$CONFIG_NAME
- Start the client
Depending on the version of OpenVPN clients, the result should be that a tunnel is successfully established. But the cipher being used may be different. This can be observed in the log files.
[root@host ~]# journalctl -u openvpn-server@vpn0 --since today | grep -E "Data Channel (En|De)crypt: " Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
- A 2.4 client should by default end up using AES-256-GCM, regardless of what the
--cipher
option is set to. - A 2.4 client using
--ncp-disable
should end up with BF-CBC (with 128 bit key size) - Any 2.3 client or older should end up with BF-CBC (with 128 bit key size)
- Any 2.3 client or older (or v2.4 with
--ncp-disable
) using--cipher AES-256-CBC
(or AES-128-CBC or BF-CBC) should be able to connect. - Any 2.3 client or older (or v2.4 with
--ncp-disable
) which is configured to use BF-CBC (either not listing--cipher
at all, or explicitly setting it to BF-CBC) and uses--keysize 256
should be able to connect to the server as long as the server configuration also uses--keysize 256
.
All other scenarios is expected to fail, and those scenarios should fail even without this change. To test other ciphers, look at the output of openvpn --show-ciphers
.
User Experience
End users should not notice any thing, but if they run OpenVPN clients older than v2.4 (also non-Fedora packaged versions) they can independently change --cipher
to AES-256-CBC
or AES-128-CBC
without breaking their tunnel.
Dependencies
There are no changes of dependencies.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), No
- Blocks product? N/A
Documentation
This builds upon the Negotiable Crypto Parameters (NCP) features found in OpenVPN v2.4. For more information, look at the --ncp-ciphers
and --ncp-disable
options in the man page.
Release Notes
OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm (BF-CBC) using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure existing client configurations will not break, the new --ncp-ciphers
have been set to allow clients to use AES-GCM, AES-CBC and BF-CBC ciphers by default. Both 128 and 256 bits key lengths are accepted for AES-GCM and AES-CBC. This allows existing clients to both connect and gradually be migrated one-by-one over time by only updating the --cipher
option in the client configuration to one of the ciphers enlisted in --ncp-ciphers
. At the same time, all OpenVPN 2.4 clients will automatically upgrade to AES-256-GCM by default without changing any configuration. Until clients have migrated to AES-256-GCM there might be some warnings in the log files about different cipher and key length between server and client; these can in most cases be ignored - but serves as a reference point to clients needing to be migrated.