From Fedora Project Wiki

Revision as of 14:45, 3 July 2017 by Dsommers (talk | contribs) (Release it to Wrangler)


Changes/New default cipher in OpenVPN

Summary

Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses BF-128-CBC as the default cipher. Currently OpenVPN will complain in the log files if it notices a cipher with cipher-blocks smaller than 128 bits is used. But OpenVPN v2.4 also enable a migration path away from BF without breaking existing clients, through the new feature called Negotiable Crypto Parameters. This proposal will make use of that possibility by modifying the openvpn-server@.service unit file slightly.


Owner

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-07-03
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

There have been two independent security audits of OpenVPN recently, performed by QuarksLab SAS and Cryptography Engineering. Both recommeds moving away from the default Blowfish cipher (BF/BF-CBC) to a stronger cipher.

The concept is fairly simple. In today's openvpn-server@.service systemd unit file the following command line is used to start OpenVPN:

   ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

By adding --cipher AES-256-GCM --ncp-ciphers AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC before the --config option, the default cipher will be modified. The --ncp-ciphers list allows clients to use any of the listed ciphers as well. The new line will look like this:

   ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers  AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf

This will result in the following:

  • OpenVPN 2.4 based clientswill automatically upgrade to AES-256-GCM, regardless if they have --cipher in their configuration file or not. For OpenVPN v2.4 configurations not wanting this cipher upgrade, the client configuration needs to deploy --ncp-disable.
  • OpenVPN 2.3 based clients and older (and v2.4 clients using --ncp-disable in the client configuration) can connect to the server using any of the --ncp-ciphers list; this is what is called "poor man's cipher negotiation" by the upstream OpenVPN developers.
  • Any client not providing --cipher defaults to BF-CBC. These clients should still be able to connect to the server as the server allows BF-CBC through --ncp-ciphers.

If an already configured OpenVPN v2.4 based server configuration deploys --cipher and/or --ncp-ciphers, the options in the configuration file will override command line options set before --config. This should not break any existing configuration.

The log files will still complain about the use of BF-CBC if a client uses that. But the advantage is that OpenVPN v2.3 and older clients can be updated one-by-one, by adding the recommended --cipher AES-256-CBC option in the client configurations in their own pace, independent of the server - or upgrade to OpenVPN v2.4 or newer.


Benefit to Fedora

This enhances the default OpenVPN configurations by allowing users to seamlessly upgrade to a stronger cipher in a controlled way without breaking existing client connections.


Scope

  • Proposal owners: Patch the openvpn-server@.service unit file which adds the --cipher and --ncp-ciphers options.
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (a check of an impact with Release Engineering is needed)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

This change should not require any initial configuration changes for users or server admins. After this change, clients using OpenVPN v2.3 or older should consider to add --cipher AES-256-CBC to their client configuration files to enable a stronger and safer cipher. But this is not required and old existing client configuration files should continue to work.

N/A (not a System Wide Change)

How To Test

Generic test script:

  1. Create a simple CA (using easy-rsa, XCA, TinyCA, etc) and issue a server certificate and at least one client certificate
  2. Prepare a simple server and client configuration file, utilizing --ca, --cert, --key. Also use a --verb level between 2 and 4 to get enough details about the established connections.
  3. Put the server configuration into /etc/oepnvpn/server and the client configuration on a different host into /etc/openvpn/client/ (unless the client us a non-systemd based client, eg Windows client)
  4. Start the server by running systemctl start openvpn-server@$CONFIG_NAME
  5. Start the client

Depending on the version of OpenVPN clients, the result should be that a tunnel is successfully established. But the cipher being used may be different. This can be observed in the log files.

   [root@host ~]# journalctl -u openvpn-server@vpn0 --since today | grep -E "Data Channel (En|De)crypt: "
   Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
   Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
  • A 2.4 client should by default end up using AES-256-GCM, regardless of what the --cipher option is set to.
  • A 2.4 client using --ncp-disable should end up with BF-CBC (with 128 bit key size)
  • Any 2.3 client or older should end up with BF-CBC (with 128 bit key size)
  • Any 2.3 client or older (or v2.4 with --ncp-disable) using --cipher AES-256-CBC (or AES-128-CBC or BF-CBC) should be able to connect.
  • Any 2.3 client or older (or v2.4 with --ncp-disable) which is configured to use BF-CBC (either not listing --cipher at all, or explicitly setting it to BF-CBC) and uses --keysize 256 should be able to connect to the server as long as the server configuration also uses --keysize 256.

All other scenarios is expected to fail, and those scenarios should fail even without this change. To test other ciphers, look at the output of openvpn --show-ciphers.

User Experience

End users should not notice any thing, but if they run OpenVPN clients older than v2.4 (also non-Fedora packaged versions) they can independently change --cipher to AES-256-CBC or AES-128-CBC without breaking their tunnel.

Dependencies

There are no changes of dependencies.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

This builds upon the Negotiate Crypto Parameters features found in OpenVPN v2.4. For more information, look at the --ncp-ciphers and --ncp-disable options in the man page.


Release Notes

OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure backwards compatibility, this new default also enables clients still using the not recommended Blowfish algorithm to connect by utilizing the --ncp-ciphers feature being available in OpenVPN v2.4. To facilitate an easy migration path away from Blowfish to clients not supporting AES-GCM, these clients can now add or change the --cipher option in the client configuration to either AES-256-CBC or AES-128-CBC without needing to do any other server changes.