From patchwork Fri Feb 10 14:27:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3071 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp1312591dyk; Fri, 10 Feb 2023 06:27:48 -0800 (PST) X-Google-Smtp-Source: AK7set+NOnNCZR13BQ+1/T5jIP3H+Dol0JTNgspYcTa+62Bza5pZeKRKll6ZLNVhO3NSzhhNb1Wg X-Received: by 2002:a62:384f:0:b0:5a8:5901:3fb1 with SMTP id f76-20020a62384f000000b005a859013fb1mr5662501pfa.29.1676039268249; Fri, 10 Feb 2023 06:27:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1676039268; cv=none; d=google.com; s=arc-20160816; b=f4cV6YDOkQBPlxPBnvkQc/LwlnJdqMz7toC54pVkepra6Z4InIvfHa/HUNsrZ1Cvmh d7TR972BMt0DiWh0riKYFYNoWnGwYkvjIuRV4KAYj6RI59TiqdlCMKkVxw6FY/+SFiWN fZxgtGLWEm5z1cF3v84rmbyd0e6YOXnn1jZ/rx9s+J08LqKU7KzZyPB5Nrajq9zo93xM ZVHD1Q4a0u+5N7Nqy2oXT4F+Z89OMiNLTnGAP+uZGv1wWvLgI4lHZjR0SiwLk8NIbq0q NGhwJnFT3WCyFeN2C2194bmczEFtQTqdy2irYytz54NIQe8vxtLASTL2VVbWoIcVhL8A ygQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=/X0T4o78BIgZTUgyGCZ3mGiYf+rMKK6/aYWVEvdJni4=; b=m7josT4KlZnzLgxwfW8IeIA+ylC8zyE8QQbX2VqyV7PGurFFLXn0GdNdfroqirwfXA pFTJiuOpr6qK8QtsEeKmhfkyZLYyJ/NiZpyvGCZduqt8Do3QdgfP/BsmbFFpTG65oaAA ENsc7qQ4x564UcOqFMm/HwYcDXeNCjZpFxAv5eR7YTgKwfRYYPXCguIt0462PUB2gLZ9 Luux5faGezeNfDypQCBAYsHJl57wWeCLKqQ7bIWNeTO5ncvBWEudIcldd8qIETX2JY4o X0GASK/c9vLmWXkTkGRtM57Wsew1zIF5ujFXalMk2yG8xO9pT3tBm6fiGgRcc9eJiqCs YCOQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=SpZxaJTD; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=AwEisMG7; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id v6-20020aa799c6000000b0059396a2d60csi4289557pfi.367.2023.02.10.06.27.47 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Feb 2023 06:27:48 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=SpZxaJTD; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=AwEisMG7; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1pQUN8-0002ms-GV; Fri, 10 Feb 2023 14:27:29 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1pQUN6-0002mW-5H for openvpn-devel@lists.sourceforge.net; Fri, 10 Feb 2023 14:27:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Tz08TJHZKkFPZs19zm5Jo839VOvUBDpqnKnx8dbqVRc=; b=SpZxaJTDHNuVLfXGTUm18l0+vP s3vJw8FatLY4yEGoeuLwFgz5jbbdJAleQnlffA4NDYrEpR+Dw9iFCTQbj7Lq9v6IK6UeQZj5/pFQo p+AkxBN1Hvvor6uWwPBfxHCuTmwEre79LfreXmT9ZeVbKF12l9iJ6TKeU482dWC315G0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Tz08TJHZKkFPZs19zm5Jo839VOvUBDpqnKnx8dbqVRc=; b=AwEisMG79ylWVePY7fK54CyD5l vx2liAWHXvTB/jjhpxt3/iWNwSleYeM5gBWoqoLO+qOyLl5SnjDVOMWmFFnwHV0vv+9WMiyyVG3ZO 4QDTQuj+VUEkpaa8O6D5m6ci5ChtBVZZvKrKWqdhHVKMCp9523Bm//rDsXlNwkFXLDZ0=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1pQUN1-00HHnp-9Q for openvpn-devel@lists.sourceforge.net; Fri, 10 Feb 2023 14:27:27 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1pQUMq-00051e-7Q for openvpn-devel@lists.sourceforge.net; Fri, 10 Feb 2023 15:27:12 +0100 Received: (nullmailer pid 572365 invoked by uid 10006); Fri, 10 Feb 2023 14:27:12 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 10 Feb 2023 15:27:10 +0100 Message-Id: <20230210142712.572303-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230210142712.572303-1-arne@rfc2549.org> References: <20230210142712.572303-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Newer OpenVPN 3 core versions now allow limited configuration of ciphers: // Allow usage of legacy (cipher) algorithm that are no longer considered safe // This includes BF-CBC, single DES and RC2 private key encryption. // With OpenSSL 3.0 this also instructs OpenSSL to l [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1pQUN1-00HHnp-9Q Subject: [Openvpn-devel] [PATCH 3/4] Revise the cipher negotiation about OpenVPN3 in the man page X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1757454551419830637?= X-GMAIL-MSGID: =?utf-8?q?1757454551419830637?= Newer OpenVPN 3 core versions now allow limited configuration of ciphers: // Allow usage of legacy (cipher) algorithm that are no longer considered safe // This includes BF-CBC, single DES and RC2 private key encryption. // With OpenSSL 3.0 this also instructs OpenSSL to load the legacy provider. bool enableLegacyAlgorithms = false; // By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core 3.7) will only allow // preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work with the newer DCO // implementations. If this is enabled, we fall back to allowing all algorithms (if these are // supported by the crypto library) bool enableNonPreferredDCAlgorithms = false; Adjust the man page section accordingly but only really mention the AEAD ciphers to be always present and that they should be included in the data-ciphers option. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- doc/man-sections/cipher-negotiation.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index b07176cd2..66afeb835 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -42,8 +42,9 @@ options to avoid this behaviour. OpenVPN 3 clients ----------------- Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) -do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead -these clients will announce support for all their supported AEAD ciphers +do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer +version by default will disable legacy AES-CBC, BF-CBC, and, DES-CBC ciphers. +These clients will always announce support for all their supported AEAD ciphers (`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`). To support OpenVPN 3.x based clients at least one of these ciphers needs to be