Red Hat Bugzilla – Bug 1479270
New default cipher in OpenVPN
Last modified: 2017-09-06 11:02:21 EDT
This is a tracking bug for Change: New default cipher in OpenVPN
For more details, see: https://fedoraproject.org//wiki/Changes/New_default_cipher_in_OpenVPN
Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (BF-128-CBC) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to AES-256-GCM while in parallel allowing clients to connect using AES-256-CBC, AES-128-CBC or the deprecated BF-CBC,
This change is applied to openvpn-2.4.3-4.fc27 (master branch)
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.
Author: David Sommerseth <firstname.lastname@example.org>
Date: Tue Jul 4 16:17:37 2017 +0200
Change default cipher for server configurations to AES-GCM
At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
to connect without any issues.
F-27 Change request: https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN
This change was approved in the FESCO meeting 2017-08-04.
Also fix a truncated changelog entry for openvpn-2.4.3-1
$ git branch --contains b931012953451b2614b5fdfa5afe3c1d47c42fe8