Bug 1396598

Summary: NetworkManager-openvpn does not respect disabled --reneg-sec setting
Product: [Fedora] Fedora EPEL
Component: NetworkManager-openvpn
Version: epel7
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: David Sommerseth <dazo>
Assignee: Gwyn Ciesla <gwync>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gwync, orion, psimerda
Hardware: Unspecified
OS: Unspecified
Fixed In Version: NetworkManager-openvpn-1.2.6-1.el7
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2016-12-31 10:48:06 UTC

Description David Sommerseth 2016-11-18 17:38:53 UTC
When disabling "Use custom renegotiation interval" in the "Advanced" settings of an OpenVPN tunnel, the OpenVPN process is started with --reneg-sec 0.  This disables time based renegotiation completely.

This is invalid, as that overrides the default value (1 hour) and puts users at risk - in particular if the default blowfish or other weak cipher algorithm is used.  See the SWEET32 information page [1] for more information.

If a user wants to disable --reneg-sec, the user should set this value to 0 her/himself.

On a related note, as of OpenVPN v2.3.13 --reneg-bytes will default to 64MB if weak ciphers are used.  It would probably be beneficial to also expose this setting via the Advanced settings.  For earlier OpenVPN versions before v2.3.13, the default is to have --reneg-bytes disabled for any cipher.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.0.8-1.el7.x86_64


[1] http://community.openvpn.net/openvpn/wiki/SWEET32
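The following is an added example (not code from NetworkManager-openvpn or OpenVPN) that audits an OpenVPN invocation for the problem described above: it reads either a generated command line or an .ovpn config, works out the effective --reneg-sec / --reneg-bytes values for a given OpenVPN version, and flags a tunnel that runs a 64-bit block cipher with renegotiation switched off. The sample command lines are constructed to mimic what NetworkManager-openvpn 1.0.8 and 1.2.6 would start; the BF-CBC default, the 3600 s --reneg-sec default and the 64MB --reneg-bytes default from v2.3.13 are taken from the report, while the DES/CAST5/RC2 entries in the weak-cipher list are an assumption based on their 64-bit block size.

```python
"""Audit an OpenVPN command line or config for renegotiation settings (added example)."""
import re
import shlex

# 64-bit block ciphers affected by SWEET32. BF-CBC is OpenVPN's historical default;
# the DES/CAST5/RC2 prefixes are an assumption based on block size, not from the report.
WEAK_CIPHER_PREFIXES = ("BF-", "DES-", "CAST5-", "RC2-")
DEFAULT_CIPHER = "BF-CBC"            # OpenVPN 2.3/2.4 default when --cipher is absent
DEFAULT_RENEG_SEC = 3600             # OpenVPN default: renegotiate keys every hour
WEAK_CIPHER_RENEG_BYTES = 64 * 1024 * 1024  # v2.3.13+ default when a weak cipher is in use
RENEG_BYTES_VERSION = (2, 3, 13)

# Constructed samples: what NetworkManager-openvpn 1.0.8 (buggy) and 1.2.6 (fixed) might run
# when "Use custom renegotiation interval" is disabled in the Advanced settings.
NM_108_CMDLINE = (
    "/usr/sbin/openvpn --remote vpn.example.com 1194 udp --nobind --dev tun "
    "--reneg-sec 0 --auth-nocache --persist-key --persist-tun"
)
NM_126_CMDLINE = (
    "/usr/sbin/openvpn --remote vpn.example.com 1194 udp --nobind --dev tun "
    "--auth-nocache --persist-key --persist-tun"
)


def version_tuple(version):
    """'2.3.13' -> (2, 3, 13); tolerates suffixes such as '2.4.0_rc2'."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def parse_options(text):
    """Return {option: [args]} from a command line ('--opt a b') or config-file lines ('opt a b')."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line)
        if any(tok.startswith("--") for tok in tokens):
            current = None
            for tok in tokens:               # '--opt' starts a new option; the rest are its args
                if tok.startswith("--"):
                    current = tok[2:]
                    opts[current] = []
                elif current is not None:
                    opts[current].append(tok)
        else:
            opts[tokens[0]] = tokens[1:]     # config-file syntax: option first, args follow
    return opts


def audit(text, openvpn_version):
    """Compute effective renegotiation settings and list security findings."""
    opts = parse_options(text)
    cipher = opts.get("cipher", [DEFAULT_CIPHER])[0]
    weak = cipher.upper().startswith(WEAK_CIPHER_PREFIXES)

    reneg_sec = int(opts["reneg-sec"][0]) if opts.get("reneg-sec") else DEFAULT_RENEG_SEC
    if opts.get("reneg-bytes"):
        reneg_bytes = int(opts["reneg-bytes"][0])
    elif weak and version_tuple(openvpn_version) >= RENEG_BYTES_VERSION:
        reneg_bytes = WEAK_CIPHER_RENEG_BYTES  # implicit default for weak ciphers
    else:
        reneg_bytes = 0                        # disabled for every cipher before 2.3.13

    findings = []
    if weak:
        findings.append("%s is a 64-bit block cipher (SWEET32); prefer AES-GCM/AES-CBC" % cipher)
    if reneg_sec == 0:
        findings.append("--reneg-sec 0: time-based key renegotiation disabled "
                        "(OpenVPN default is %d s)" % DEFAULT_RENEG_SEC)
    if weak and reneg_sec == 0 and reneg_bytes == 0:
        findings.append("weak cipher with neither time- nor byte-based renegotiation: "
                        "one key for the whole session")
    return {"cipher": cipher, "weak_cipher": weak, "reneg_sec": reneg_sec,
            "reneg_bytes": reneg_bytes, "findings": findings}


if __name__ == "__main__":
    for label, cmd in (("NM 1.0.8", NM_108_CMDLINE), ("NM 1.2.6", NM_126_CMDLINE)):
        for ver in ("2.3.12", "2.3.13"):
            result = audit(cmd, ver)
            print(label, "on OpenVPN", ver, "->", result)
```

On a live system the input to `audit()` would be the running daemon's argv (for example `ps -o args= -C openvpn`) or the .ovpn file, plus the output of `openvpn --version`; the function does not need the daemon to be running.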

Comment 1 Fedora Update System 2016-12-14 18:33:30 UTC
NetworkManager-openvpn-1.2.6-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1427c2b2fc

Comment 2 Fedora Update System 2016-12-16 04:20:09 UTC
NetworkManager-openvpn-1.2.6-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1427c2b2fc

Comment 3 Fedora Update System 2016-12-31 10:48:06 UTC
NetworkManager-openvpn-1.2.6-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.