New default cipher in OpenVPN
Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128-bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (
BF-128-CBC) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to
AES-256-GCM while in parallel allowing clients to connect using
AES-128-CBC or the deprecated
This proposal will make use of that possibility by modifying the openvpn-server@.service unit file slightly.
- Name: David Sommerseth
- Email: email@example.com
- Release notes owner:
There have been two independent security audits of OpenVPN recently, performed by QuarksLab SAS and Cryptography Engineering. Both recommeds moving away from the default Blowfish cipher (BF/BF-CBC) to a stronger cipher.
The concept is fairly simple. In today's openvpn-server@.service systemd unit file the following command line is used to start OpenVPN:
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC before the
--config option, the default cipher will be modified. The
--ncp-ciphers list allows clients to use any of the listed ciphers as well. The new line will look like this:
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC --config %i.conf
This will result in the following:
- OpenVPN 2.4 based clientswill automatically upgrade to AES-256-GCM, regardless if they have
--cipherin their configuration file or not. For OpenVPN v2.4 configurations not wanting this cipher upgrade, the client configuration needs to deploy
- OpenVPN 2.3 based clients and older (and v2.4 clients using
--ncp-disablein the client configuration) can connect to the server using any of the
--ncp-cipherslist; this is what is called "poor man's cipher negotiation" by the upstream OpenVPN developers.
- Any client not providing
--cipherdefaults to BF-CBC. These clients should still be able to connect to the server as the server allows BF-CBC through
If an already configured OpenVPN v2.4 based server configuration deploys
--ncp-ciphers, the options in the configuration file will override command line options set before
--config. This should not break any existing configuration.
The log files will still complain about the use of BF-CBC if a client uses that. But the advantage is that OpenVPN v2.3 and older clients can be updated one-by-one, by adding the recommended
--cipher AES-256-CBC option in the client configurations in their own pace, independent of the server - or upgrade to OpenVPN v2.4 or newer.
Benefit to Fedora
This enhances the default OpenVPN configurations by allowing users to seamlessly upgrade to a stronger cipher in a controlled way without breaking existing client connections.
- Proposal owners: Patch the openvpn-server@.service unit file which adds the
- Other developers: N/A (not a System Wide Change)
- Release engineering: #6908 (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
This change should not require any initial configuration changes for users or server admins. After this change, clients using OpenVPN v2.3 or older should consider to add
--cipher AES-256-CBC to their client configuration files to enable a stronger and safer cipher. But this is not required and old existing client configuration files should continue to work.
N/A (not a System Wide Change)
How To Test
Generic test script:
- Create a simple CA (using easy-rsa, XCA, TinyCA, etc) and issue a server certificate and at least one client certificate
- Prepare a simple server and client configuration file, utilizing
--key. Also use a
--verblevel between 2 and 4 to get enough details about the established connections.
- Put the server configuration into
/etc/oepnvpn/serverand the client configuration on a different host into
/etc/openvpn/client/(unless the client us a non-systemd based client, eg Windows client)
- Start the server by running
systemctl start openvpn-server@$CONFIG_NAME
- Start the client
Depending on the version of OpenVPN clients, the result should be that a tunnel is successfully established. But the cipher being used may be different. This can be observed in the log files.
[root@host ~]# journalctl -u openvpn-server@vpn0 --since today | grep -E "Data Channel (En|De)crypt: " Jun 28 12:15:42 host.example.org openvpn: client.example.org/10.99.88.1:48593 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key Jun 28 12:15:42 host.example.org openvpn: client.example.org/10.99.88.1:48593 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
- A 2.4 client should by default end up using AES-256-GCM, regardless of what the
--cipheroption is set to.
- A 2.4 client using
--ncp-disableshould end up with BF-CBC (with 128 bit key size)
- Any 2.3 client or older should end up with BF-CBC (with 128 bit key size)
- Any 2.3 client or older (or v2.4 with
--cipher AES-256-CBC(or AES-128-CBC or BF-CBC) should be able to connect.
- Any 2.3 client or older (or v2.4 with
--ncp-disable) which is configured to use BF-CBC (either not listing
--cipherat all, or explicitly setting it to BF-CBC) and uses
--keysize 256should be able to connect to the server as long as the server configuration also uses
All other scenarios is expected to fail, and those scenarios should fail even without this change. To test other ciphers, look at the output of
End users should not notice any thing, but if they run OpenVPN clients older than v2.4 (also non-Fedora packaged versions) they can independently change
AES-128-CBC without breaking their tunnel.
There are no changes of dependencies.
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), No
- Blocks product? N/A
This builds upon the Negotiable Crypto Parameters (NCP) features found in OpenVPN v2.4. For more information, look at the
--ncp-disable options in the man page.
OpenVPN configurations utilizing the newer openvpn-server@.service unit file will use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm (BF-CBC) using 128 bit keys to the newer AES-GCM algorithm with 256 bit keys. To ensure existing client configurations will not break, the new
--ncp-ciphers have been set to allow clients to use AES-GCM, AES-CBC and BF-CBC ciphers by default. Both 128 and 256 bits key lengths are accepted for AES-GCM and AES-CBC. This allows existing clients to both connect and gradually be migrated one-by-one over time by only updating the
--cipher option in the client configuration to one of the ciphers enlisted in
--ncp-ciphers. At the same time, all OpenVPN 2.4 clients will automatically upgrade to AES-256-GCM by default without changing any configuration. Until clients have migrated to AES-256-GCM there might be some warnings in the log files about different cipher and key length between server and client; these can in most cases be ignored - but serves as a reference point to clients needing to be migrated.