
Remove support for Blowfish and DES from OpenVPN
Closed, Resolved (Public)

Description

Blowfish is vulnerable to Sweet32 attacks and should not be used for any new deployments, regardless of key length (it's the block size that makes it vulnerable). And DES, well, there's nothing to say — DES has been insecure for ages by now. We still support it in 1.3 but we have to revert its removal from OpenVPN to do that, and it will likely become impractical as OpenVPN keeps moving forward.

We should remove support for those insecure ciphers from 1.4/Sagitta. The good thing is that the default — no encryption option specified — allows clients to use any cipher supported by OpenVPN. Thus for setups that have no encryption option, nothing will change, except very old clients will be unable to connect — but people need to update those very old clients anyway. For systems where encryption is explicitly set to des, bf128 or bf256, removing that option from their config will be a security upgrade since it will allow clients to negotiate a more secure cipher.

Since there is a possibility that someone uses old clients with cipher set to Blowfish or DES, this is a breaking, not really migratable change, and it should be properly communicated as such.
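Since the change is non-migratable, operators on 1.3 need to find interfaces pinned to des, bf128 or bf256 before upgrading and drop the pin themselves. The script below is an added example written for this page, not VyOS project code: it parses the output of `show configuration commands` (the quoting of values as `'bf128'` and the constructed sample config are assumptions), flags every `encryption cipher` pin whose block size is 64 bits, and emits the matching `delete` command. The table of VyOS cipher names extends the task text with 3des and the AES names, which are assumed to match the 1.3 CLI; `sweet32_collision_bytes` shows why key length does not matter, as the birthday bound depends only on the block size.

```python
"""Pre-upgrade audit for VyOS OpenVPN cipher pins vulnerable to Sweet32.

Added example, not part of VyOS. Reads `show configuration commands` output,
reports interfaces pinned to a 64-bit-block cipher, and prints the
`delete` command that lets clients negotiate a modern cipher instead.
"""
import re

# Block size (bits) of the values accepted by
# `set interfaces openvpn <if> encryption cipher`.
# des/bf128/bf256 come from the task text; 3des and the AES names are
# assumed to match the VyOS 1.3 CLI.
BLOCK_SIZE_BITS = {
    "des": 64,
    "3des": 64,
    "bf128": 64,
    "bf256": 64,
    "aes128": 128, "aes128gcm": 128,
    "aes192": 128, "aes192gcm": 128,
    "aes256": 128, "aes256gcm": 128,
}


def is_sweet32_vulnerable(cipher: str) -> bool:
    """True for any cipher with a 64-bit block, regardless of key length."""
    bits = BLOCK_SIZE_BITS.get(cipher)
    if bits is None:
        raise KeyError(f"unknown VyOS cipher name: {cipher}")
    return bits <= 64


def sweet32_collision_bytes(block_bits: int) -> int:
    """Bytes under one key after which a repeated ciphertext block (and hence
    a plaintext XOR leak in CBC mode) becomes likely: ~2^(n/2) blocks of n bits.
    64-bit block -> 32 GiB; 128-bit block -> 2^68 bytes, i.e. never in practice.
    """
    return (1 << (block_bits // 2)) * (block_bits // 8)


# `show configuration commands` quotes values: ... encryption cipher 'bf128'
# (assumed format; the optional quotes are tolerated either way).
CIPHER_RE = re.compile(
    r"^set interfaces openvpn (?P<iface>\S+) encryption cipher '?(?P<cipher>[^'\s]+)'?$"
)


def audit(config_lines):
    """Return (weak, unknown): weak is a list of (iface, cipher, delete_cmd),
    unknown lists pins whose cipher name is not in BLOCK_SIZE_BITS."""
    weak, unknown = [], []
    for line in config_lines:
        m = CIPHER_RE.match(line.strip())
        if not m:
            continue  # unrelated config line, or no explicit cipher pin
        iface, cipher = m["iface"], m["cipher"]
        if cipher not in BLOCK_SIZE_BITS:
            unknown.append((iface, cipher))
        elif is_sweet32_vulnerable(cipher):
            weak.append((iface, cipher,
                         f"delete interfaces openvpn {iface} encryption cipher"))
    return weak, unknown


# Constructed sample: vtun3 has no pin, so the default negotiation applies
# and nothing needs to change there.
SAMPLE_CONFIG = """\
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 encryption cipher 'bf128'
set interfaces openvpn vtun0 server subnet '10.10.0.0/24'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 encryption cipher 'des'
set interfaces openvpn vtun2 mode 'client'
set interfaces openvpn vtun2 encryption cipher 'aes256gcm'
set interfaces openvpn vtun3 mode 'client'
"""

if __name__ == "__main__":
    weak, unknown = audit(SAMPLE_CONFIG.splitlines())
    for iface, cipher, cmd in weak:
        print(f"{iface}: {cipher} has a 64-bit block "
              f"(Sweet32 after ~{sweet32_collision_bytes(64) // 2**30} GiB); run: {cmd}")
    for iface, cipher in unknown:
        print(f"{iface}: unrecognised cipher {cipher!r}, check manually")
```

Run it against `show configuration commands | match openvpn` saved to a file, or paste the lines into SAMPLE_CONFIG; the emitted `delete` commands are exactly the change the task describes as a security upgrade, since with no pin the server and clients negotiate a stronger cipher.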

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (non-migratable)
Issue type
Feature/functionality removal

Event Timeline

dmbaturin renamed this task from Remove support for Blowfish from OpenVPN to Remove support for Blowfish and DES from OpenVPN. Oct 9 2023, 3:45 PM
dmbaturin updated the task description. (Show Details)

OpenVPN cannot pass the smoketest

DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 525, in test_openvpn_options
DEBUG -     self.assertNotEqual(cur_pid, new_pid)
DEBUG - AssertionError: None == None
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 601, in test_openvpn_site2site_interfaces_tun
DEBUG -     self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true

cf. T5027: the commit for this task necessarily removed the fix there, leading to failure of the same two tests. A fix is to specify an explicit encryption cipher within test_openvpn_options and test_openvpn_site2site_interfaces_tun to avoid openvpn defaulting to bf.

Still fails:

DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py
DEBUG - test_openvpn_client_interfaces (__main__.TestInterfacesOpenVPN.test_openvpn_client_interfaces) ... ok
DEBUG - test_openvpn_client_verify (__main__.TestInterfacesOpenVPN.test_openvpn_client_verify) ... ok
DEBUG - test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options) ... FAIL
DEBUG - test_openvpn_server_subnet_topology (__main__.TestInterfacesOpenVPN.test_openvpn_server_subnet_topology) ... ok
DEBUG - test_openvpn_server_verify (__main__.TestInterfacesOpenVPN.test_openvpn_server_verify) ... ok
DEBUG - test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun) ... FAIL
DEBUG - test_openvpn_site2site_verify (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_verify) ... ok
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 525, in test_openvpn_options
DEBUG -     self.assertNotEqual(cur_pid, new_pid)
DEBUG - AssertionError: None == None
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 601, in test_openvpn_site2site_interfaces_tun
DEBUG -     self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true
DEBUG - 
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 7 tests in 54.828s
DEBUG - 
DEBUG - FAILED (failures=2)