From patchwork Mon Jun 22 01:30:22 2020
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 1158
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 22 Jun 2020 13:30:22 +0200
Message-Id: <20200622113022.23047-1-davids@openvpn.net>
X-Mailer: git-send-email 2.26.0
Subject: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

This change makes the server use AES-256-GCM instead of BF-CBC as the
default cipher for the VPN tunnel when starting OpenVPN via systemd and
the openvpn-server@.service unit file.

To avoid breaking existing running configurations defaulting to BF-CBC,
the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in
addition to AES-CBC.  This makes it possible to migrate existing older
client configurations one-by-one to use at least AES-CBC unless the
client is updated to v2.4 or newer (which defaults to upgrade to AES-GCM
automatically).

This has been tested in Fedora 27 (released November 2017) with no
reported issues.  By making this default for all Linux distributions
with systemd shipping with the unit files we provide, we gradually
expand setups using this possibility.
As we gather experience from this change, we can further move these changes into the defaults of the OpenVPN binary itself with time. Signed-off-by: David Sommerseth --- Changes.rst | 15 +++++++++++++++ distro/systemd/openvpn-server@.service.in | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 00dd6ed8..e76d3c73 100644 --- a/Changes.rst +++ b/Changes.rst @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support channel. +User-visible Changes +-------------------- +New default cipher for systemd based Linux distributions + For Linux distributions with systemd which packages the systemd unit files + from the OpenVPN project, the default cipher is now changed to AES-256-GCM, + with BF-CBC as a fallback through the NCP feature. This change has been + tested successfully since the Fedora 27 release (released November 2017). + + *WARNING* This MAY break configurations where the client uses + ``--disable-occ`` feature where the ``--cipher`` has + not been explicitly configured on both client and + server side. It is recommended to remove the ``--disable-occ`` + option *or* explicitly add ``--cipher AES-256-GCM`` on the + client side if ``--disable-occ`` is strictly needed. + Overview of changes in 2.4 ========================== diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index d1cc72cb..f3545ff5 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in 
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw
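Review bot: In the Changes.rst hunk, the new entry describes the fallback only as "BF-CBC as a fallback through the NCP feature", while the service file actually sets `--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC`; the entry should spell out the full negotiable set (or at least mention the AES-CBC ciphers, as the commit message does) so administrators can tell what a non-GCM client will end up negotiating. The *WARNING* paragraph would also be more useful if it said why `--disable-occ` is the problem: the legacy fallback relies on the cipher the client announces through OCC, so a client that suppresses OCC and has no explicit `--cipher` leaves the server no way to pick the matching legacy cipher. Minor wording: "distributions with systemd which packages the systemd unit files" should read "which package", and "(released November 2017)" is already in the commit message, so the changelog entry can drop the repetition.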
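Review bot: In the openvpn-server@.service.in hunk, `--cipher AES-256-GCM --ncp-ciphers ...` are placed before `--config %i.conf`, so with OpenVPN's usual last-option-wins handling a `cipher` or `ncp-ciphers` line inside %i.conf still overrides the new defaults; that ordering is the right choice for a default, but it should be stated in Changes.rst so administrators know they can keep or override the setting per instance without a systemd drop-in. It would also help to mark the BF-CBC entry at the end of the `--ncp-ciphers` list as transitional, either in a comment in the unit file or in the changelog: as written, every server started through this unit keeps a 64-bit block cipher negotiable, which is the migration trade-off the commit message accepts, but nothing in the unit itself signals that it is meant to be removed once clients have moved on.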