Opened 7 years ago

Closed 5 years ago

#290 closed Bug / Defect (fixed)

OpenVPN connect on iOS Keysize issue, with DD-WRT

Reported by: shadoweyez Owned by: jamesyonan
Priority: major Milestone:
Component: OpenVPN Connect Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: iOS
Cc: james@…

Description

Hi all, first bug report here;

On iPad2 w/openvpn connect 1.0, attempting to connect w/DD-WRT w/openvpn 2.3.0, configs listed at the end.
When attempting to connect using 4096-bit keys, connection times out.
When attempting to connect using 1024-bit keys, connection works.

Other combinations with these server/client configs work, including a linux laptop with openvpn to the DD-WRT server, a windows box to the DD-WRT server, and openvpn on the iPad to a linux openvpn server with 4096-bit keys.

Then, without changing the config * OTHER THAN USING 1024-bit key sizes * on both the iPad and DD-WRT router, everything connects and works.
I'm using easy-rsa on linux to generate keys, though I believe other key generation methods would not really change the results.

The only thing changing here is the key sizes, and it only occurs with openVPN connect.

(I consider this a bug, as from a security standpoint, 1024-bit asymmetric/RSA is weak)

=========================
DD-WRT v24-sp2 (03/17/13) mega, SVN revision 20979, on Asus RT-N66U
$ uname -a
Linux DD-WRT 2.6.24.111 #68 Sun Mar 17 19:00:02 PDT 2013 mips GNU/Linux
$ openvpn --help
OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 17 2013

iPad2 config:
remote vpn.site 443
client
remote-cert-tls server
comp-lzo
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
cipher AES-256-CBC
auth SHA512
<ca>
4096-bit ca-key
</ca>
<cert>
4096-bit cert
</cert>
<key>
4096-bit key
</key>

DD-WRT server config:
push "dhcp-option DNS 208.67.222.222"
server 192.168.3.0 255.255.255.0
duplicate-cn
tls-server
push "redirect-gateway"
script-security 2
verb 5
dev tun0
proto udp
keepalive 60 180
port 443
comp-lzo

cipher AES-256-CBC
auth SHA512

#4096-bit keys
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

management localhost 5001
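
As an added check (example code, not part of this ticket, OpenVPN or DD-WRT), a small Python script that reads the inline <ca>/<cert>/<key> blocks of a client config laid out like the one above and reports each RSA modulus size, flagging anything below 2048 bits. It parses the PEM/DER itself, and the config it runs on is a constructed sample with synthetic key material, not real keys.

```python
# Added example (not from the ticket, OpenVPN or DD-WRT): RSA key sizes of inline config blocks.
import base64
import re
PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)
INLINE_RE = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)

def der_items(data):
    """Yield (tag, content) per DER TLV; descend into constructed types and wrapped SEQUENCEs."""
    i = 0
    while i + 1 < len(data):                                # a header needs tag + length byte
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        content, i = data[i:i + length], i + length
        yield tag, content
        inner = content[1:] if tag == 0x03 else content     # BIT STRING: drop unused-bits byte
        if tag & 0x20 or (tag in (0x03, 0x04) and inner[:1] == b"\x30"):  # SPKI / PKCS#8 wrappers
            yield from der_items(inner)

def rsa_bits(pem_text):
    """Modulus size in bits: the modulus is the largest INTEGER in an RSA cert or key."""
    b64 = re.sub(r"\s+", "", PEM_RE.search(pem_text).group(1))
    ints = [int.from_bytes(c, "big") for t, c in der_items(base64.b64decode(b64)) if t == 0x02]
    return max(ints).bit_length()

def audit_inline_keys(config_text, minimum_bits=2048):
    """Map each inline block name to (bits, meets_minimum); 1024-bit RSA is flagged by default."""
    sizes = {name: rsa_bits(body) for name, body in INLINE_RE.findall(config_text)}
    return {name: (bits, bits >= minimum_bits) for name, bits in sizes.items()}

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_rsa_key(bits):
    """PKCS#1-shaped RSAPrivateKey with a synthetic modulus (constructed; not a usable key)."""
    half = (1 << (bits // 2 - 1)) | 1
    ints = [0, (1 << (bits - 1)) | 1, 65537, half, half | 2]  # version, n, e, p, q (all fake)
    body = b"".join(der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints)
    pem = base64.encodebytes(der(0x30, body)).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n" + pem + "-----END RSA PRIVATE KEY-----\n"

SAMPLE_CONFIG = ("client\nremote vpn.site 443\nproto udp\n<cert>\n" + sample_rsa_key(4096)  # constructed
                 + "</cert>\n<key>\n" + sample_rsa_key(1024) + "</key>\n")                  # config sample
```

Running `audit_inline_keys(SAMPLE_CONFIG)` reports the 4096-bit cert as acceptable and the 1024-bit key as below the minimum; point it at a real config to confirm both sides actually carry the key size you think they do.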

Change History (5)

comment:1 Changed 7 years ago by JoshC

Component: Crypto → OpenVPN Connect

comment:2 Changed 7 years ago by Samuli Seppänen

Cc: james@… added
Keywords: key size removed
Owner: set to jamesyonan
Status: new → assigned

James is the guy that can fix this. Adding him to CC.

comment:3 Changed 7 years ago by Gert Döring

It might actually be fixed by the crypto/ssl updates in Connect for iOS 1.0.3 - shadoweyez, can you re-test, please?

comment:4 Changed 5 years ago by Samuli Seppänen

No activity in 16 months - closing this as fixed. If the problem persists please reopen this ticket or file a new one.

comment:5 Changed 5 years ago by Samuli Seppänen

Resolution: fixed
Status: assigned → closed