Changes/New default cipher in OpenVPN

Summary

Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (BF-128-CBC) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to AES-256-GCM while in parallel allowing clients to connect using AES-256-CBC, AES-128-CBC or the deprecated BF-CBC,

This proposal will make use of that possibility by modifying the openvpn-server@.service unit file slightly.

Owner

• Name: User:dsommers David Sommerseth
• Email: davids@openvpn.net
• Release notes owner:

Current status

• Targeted release: Fedora 27
• Last updated: 2017-07-03
• Tracker bug: <will be assigned by the Wrangler>

Detailed Description

There have been two independent security audits of OpenVPN recently, performed by QuarksLab SAS and Cryptography Engineering. Both recommeds moving away from the default Blowfish cipher (BF/BF-CBC) to a stronger cipher.

The concept is fairly simple. In today's openvpn-server@.service systemd unit file the following command line is used to start OpenVPN:

   ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

By adding --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC before the --config option, the default cipher will be modified. The --ncp-ciphers list allows clients to use any of the listed ciphers as well. The new line will look like this:

   ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers  AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf

This will result in the following:

• OpenVPN 2.4 based clientswill automatically upgrade to AES-256-GCM, regardless if they have --cipher in their configuration file or not. For OpenVPN v2.4 configurations not wanting this cipher upgrade, the client configuration needs to deploy --ncp-disable.
• OpenVPN 2.3 based clients and older (and v2.4 clients using --ncp-disable in the client configuration) can connect to the server using any of the --ncp-ciphers list; this is what is called "poor man's cipher negotiation" by the upstream OpenVPN developers.
• Any client not providing --cipher defaults to BF-CBC. These clients should still be able to connect to the server as the server allows BF-CBC through --ncp-ciphers.

If an already configured OpenVPN v2.4 based server configuration deploys --cipher and/or --ncp-ciphers, the options in the configuration file will override command line options set before --config. This should not break any existing configuration.

The log files will still complain about the use of BF-CBC if a client uses that. But the advantage is that OpenVPN v2.3 and older clients can be updated one-by-one, by adding the recommended --cipher AES-256-CBC option in the client configurations in their own pace, independent of the server - or upgrade to OpenVPN v2.4 or newer.

Benefit to Fedora

This enhances the default OpenVPN configurations by allowing users to seamlessly upgrade to a stronger cipher in a controlled way without breaking existing client connections.

Scope

• Proposal owners: Patch the openvpn-server@.service unit file which adds the --cipher and --ncp-ciphers options.

• Other developers: N/A (not a System Wide Change)

• Release engineering: N/A (a check of an impact with Release Engineering is needed)
  • List of deliverables: N/A (not a System Wide Change)

• Policies and guidelines: N/A (not a System Wide Change)

• Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

This change should not require any initial configuration changes for users or server admins. After this change, clients using OpenVPN v2.3 or older should consider to add --cipher AES-256-CBC to their client configuration files to enable a stronger and safer cipher. But this is not required and old existing client configuration files should continue to work.

N/A (not a System Wide Change)

How To Test

Generic test script:

1. Create a simple CA (using easy-rsa, XCA, TinyCA, etc) and issue a server certificate and at least one client certificate
2. Prepare a simple server and client configuration file, utilizing --ca, --cert, --key. Also use a --verb level between 2 and 4 to get enough details about the established connections.
3. Put the server configuration into /etc/oepnvpn/server and the client configuration on a different host into /etc/openvpn/client/ (unless the client us a non-systemd based client, eg Windows client)
4. Start the server by running systemctl start openvpn-server@$CONFIG_NAME
5. Start the client

Depending on the version of OpenVPN clients, the result should be that a tunnel is successfully established. But the cipher being used may be different. This can be observed in the log files.

   [root@host ~]# journalctl -u openvpn-server@vpn0 --since today | grep -E "Data Channel (En|De)crypt: "
   Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
   Jun 28 12:15:42 host.example.org openvpn[1234]: client.example.org/10.99.88.1:48593 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

• A 2.4 client should by default end up using AES-256-GCM, regardless of what the --cipher option is set to.
• A 2.4 client using --ncp-disable should end up with BF-CBC (with 128 bit key size)
• Any 2.3 client or older should end up with BF-CBC (with 128 bit key size)
• Any 2.3 client or older (or v2.4 with --ncp-disable) using --cipher AES-256-CBC (or AES-128-CBC or BF-CBC) should be able to connect.
• Any 2.3 client or older (or v2.4 with --ncp-disable) which is configured to use BF-CBC (either not listing --cipher at all, or explicitly setting it to BF-CBC) and uses --keysize 256 should be able to connect to the server as long as the server configuration also uses --keysize 256.

All other scenarios is expected to fail, and those scenarios should fail even without this change. To test other ciphers, look at the output of openvpn --show-ciphers.

User Experience

End users should not notice any thing, but if they run OpenVPN clients older than v2.4 (also non-Fedora packaged versions) they can independently change --cipher to AES-256-CBC or AES-128-CBC without breaking their tunnel.

Dependencies

There are no changes of dependencies.

Contingency Plan

• Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
• Contingency deadline: N/A (not a System Wide Change)
• Blocks release? N/A (not a System Wide Change), No
• Blocks product? N/A

Documentation

This builds upon the Negotiable Crypto Parameters (NCP) features found in OpenVPN v2.4. For more information, look at the --ncp-ciphers and --ncp-disable options in the man page.

Release Notes

OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure backwards compatibility, this new default also enables clients still using the not recommended Blowfish algorithm to connect by utilizing the --ncp-ciphers feature being available in OpenVPN v2.4. To facilitate an easy migration path away from Blowfish to clients not supporting AES-GCM, these clients can now add or change the --cipher option in the client configuration to either AES-256-CBC or AES-128-CBC without needing to do any other server changes.