Bug 1479270
Summary: New default cipher in OpenVPN

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Jan Kurik <jkurik> |
| Component | Changes Tracking | Assignee | David Sommerseth <dazo> |
| Status | CLOSED CURRENTRELEASE | QA Contact | |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 27 | CC | dazo |
| Target Milestone | --- | Flags | dazo: fedora_requires_release_note+ |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | ChangeAcceptedF27, SelfContainedChange | | |
| Fixed In Version | | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2017-11-14 08:58:41 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

Feature: Change of default cipher algorithm

Reason: The current default cipher in OpenVPN is BF-CBC (Blowfish), which is considered a very weak cipher these days, especially after the SWEET32 issue (https://sweet32.info/), which was publicised in 2016.

Result: OpenVPN v2.4 supports a fairly simple negotiation of crypto parameters. This allows an OpenVPN server to let clients connect using independent cipher settings.

This change will *only* affect OpenVPN servers using the openvpn-server@.service unit file.

This change moves the default cipher to AES-256-GCM while keeping backwards compatibility with older clients that do not support GCM: they can connect using either BF-CBC, AES-128-CBC or AES-256-CBC. If --cipher is not provided in the client OpenVPN configuration file, BF-CBC will be used as the default. Those client configurations can be updated one by one to use at least --cipher AES-128-CBC or --cipher AES-256-CBC. Clients running OpenVPN v2.4 or newer will by default switch to AES-256-GCM automatically, regardless of the --cipher value.

This behaviour can be overridden on the server side by changing/adding --cipher in the configuration file. The list of allowed ciphers can be modified by changing/adding --ncp-ciphers.
Description

Jan Kurik 2017-08-08 08:42:10 UTC

This change is applied to openvpn-2.4.3-4.fc27 (master branch): https://koji.fedoraproject.org/koji/buildinfo?buildID=951059

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.

Thanks,
Jan

    commit b931012953451b2614b5fdfa5afe3c1d47c42fe8
    Author: David Sommerseth <dazo>
    Date:   Tue Jul 4 16:17:37 2017 +0200

        Change default cipher for server configurations to AES-GCM

        At the same time, utilize the Negotiable Crypto Parameters (NCP)
        feature in OpenVPN v2.4, which allows clients using the old BF-CBC
        default cipher to connect without any issues.

        F-27 Change request:
        https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN

        This change was approved in the FESCO meeting 2017-08-04.

        Also fix a truncated changelog entry for openvpn-2.4.3-1

    $ git branch --contains b931012953451b2614b5fdfa5afe3c1d47c42fe8
    * f27
      master
    $
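As an added illustration of the server-side settings the Doc Text describes (example configuration written for this page, not the file shipped by the Fedora openvpn package), showing the weak implicit default beside the new cipher and NCP list, plus the one-line fix for a pre-2.4 client. Only --cipher and --ncp-ciphers come from the bug; the remaining directives are ordinary OpenVPN options chosen for the example, and all file paths are placeholders.

```conf
# ---- Server: /etc/openvpn/server/example.conf (placeholder name) ----

# Before the change the Fedora server config carried no "cipher" line at
# all, which is the same as the weak built-in default (SWEET32-affected):
#
#   cipher BF-CBC

# After the change: standard server settings, then the new cipher policy.
port 1194
proto udp
dev tun
ca   /etc/openvpn/server/ca.crt        # placeholder paths
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0

# New default data-channel cipher. OpenVPN 2.4+ clients negotiate to it
# automatically via NCP, whatever --cipher their own config contains.
cipher AES-256-GCM

# Ciphers accepted during negotiation (colon separated). Keeping the CBC
# modes here is what lets pre-2.4 (non-NCP) clients still connect: one
# with no --cipher arrives as BF-CBC, one with --cipher AES-256-CBC as
# AES-256-CBC. Remove BF-CBC from this list once no such clients remain.
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-CBC:BF-CBC

# ---- Client (OpenVPN 2.3 or older): client.ovpn (placeholder name) ----
#
# A 2.3 client cannot negotiate, so without this line it silently uses
# BF-CBC. Adding it is the per-client step the Doc Text recommends;
# AES-256-CBC must be present in the server's ncp-ciphers list above.
#
#   cipher AES-256-CBC
```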