Opened 10 years ago
Closed 8 years ago
#290 closed Bug / Defect (fixed)
OpenVPN connect on iOS Keysize issue, with DD-WRT
Reported by: | shadoweyez | Owned by: | jamesyonan |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | OpenVPN Connect | Version: | |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | iOS |
Cc: | james@… |
Description
Hi all, first bug report here;
On iPad2 w/openvpn connect 1.0, attempting to connect w/DD-WRT w/openvpn 2.3.0, configs listed at the end.
When attempting to connect using 4096-bit keys, connection times out.
When attempting to connect using 1024-bit keys, connection works.
Other combinations with these server/client configs work, including a Linux laptop with OpenVPN to the DD-WRT server, a Windows box to the DD-WRT server, and OpenVPN on the iPad to a Linux OpenVPN server with 4096-bit keys.
Then, without changing the config * OTHER THAN USING 1024-bit key sizes * on both the iPad and DD-WRT router, everything connects and works.
I'm using easy-rsa on Linux to generate keys, though I believe other key generation methods would not really change the results.
The only thing changing here is the key sizes, and it only occurs with OpenVPN Connect.
(I consider this a bug, as from a security standpoint, 1024-bit asymmetric/RSA is weak)
=========================
DD-WRT v24-sp2 (03/17/13) mega, SVN revision 20979, on Asus RT-N66U
$ uname -a
Linux DD-WRT 2.6.24.111 #68 Sun Mar 17 19:00:02 PDT 2013 mips GNU/Linux
$ openvpn --help
OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 17 2013
iPad2 config:
remote vpn.site 443
client
remote-cert-tls server
comp-lzo
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
cipher AES-256-CBC
auth SHA512
<ca>
4096-bit ca-key
</ca>
<cert>
4096-bit cert
</cert>
<key>
4096-bit key
</key>
DD-WRT server config:
push "dhcp-option DNS 208.67.222.222"
server 192.168.3.0 255.255.255.0
duplicate-cn
tls-server
push "redirect-gateway"
script-security 2
verb 5
dev tun0
proto udp
keepalive 60 180
port 443
comp-lzo
cipher AES-256-CBC
auth SHA512
#4096-bit keys
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
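
Added example, not part of the ticket or of OpenVPN's code: since the only variable in this report is the RSA key size, this stdlib-only Python check reads the inline `<key>` block of a client profile like the iPad2 config above and reports the modulus size, handling both PKCS#1 and PKCS#8 PEM. All function names are hypothetical, the sample profile is constructed (valid DER framing, not a real key), and the 2048-bit threshold is an assumption.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of an unencrypted RSA private key in PKCS#1 or PKCS#8 DER."""
    outer, pos, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(der, pos)            # skip the version INTEGER
    tag, start, end = read_tlv(der, pos)
    if (outer, tag) == (0x30, 0x30):          # PKCS#8: AlgorithmIdentifier comes next
        _, start, end = read_tlv(der, end)    # OCTET STRING wrapping the PKCS#1 key
        return rsa_modulus_bits(der[start:end])
    if (outer, tag) != (0x30, 0x02):          # PKCS#1: the modulus INTEGER comes next
        raise ValueError("not an unencrypted RSA private key")
    return int.from_bytes(der[start:end], "big").bit_length()

def inline_key_bits(ovpn_text):
    """RSA modulus size of the inline <key> block of an OpenVPN profile."""
    block = re.search(r"<key>(.*?)</key>", ovpn_text, re.S)
    pem = block and PEM_RE.search(block.group(1))
    if not pem or "ENCRYPTED" in block.group(1):
        raise ValueError("no unencrypted inline PEM key found")
    return rsa_modulus_bits(base64.b64decode(pem.group(2)))

def der_element(tag, body):
    """Encode one DER element; used only to build the constructed sample below."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_profile(bits):
    """Constructed profile: the <key> body has valid DER framing but is not a real key."""
    integer = lambda v: der_element(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    der = der_element(0x30, integer(0) + integer((1 << (bits - 1)) | 1) + integer(65537))
    pem = "-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n"
    return "client\nproto udp\n<key>\n" + pem % base64.encodebytes(der).decode() + "</key>\n"

if __name__ == "__main__":
    for bits in map(inline_key_bits, map(sample_profile, (1024, 4096))):
        print(f"{bits}-bit RSA key:", "WEAK" if bits < 2048 else "ok")  # 2048: assumed threshold
```
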
Change History (5)
comment:1 Changed 10 years ago by
Component: | Crypto → OpenVPN Connect |
---|
comment:2 Changed 10 years ago by
Cc: | james@… added |
---|---|
Keywords: | key size removed |
Owner: | set to jamesyonan |
Status: | new → assigned |
comment:3 Changed 10 years ago by
It might actually be fixed by the crypto/ssl updates in Connect for IOS 1.0.3 - shadoweyez, can you re-test, please?
comment:4 Changed 8 years ago by
No activity in 16 months - closing this as fixed. If the problem persists please reopen this ticket or file a new one.
comment:5 Changed 8 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
James is the guy that can fix this. Adding him to CC.