Opened 9 years ago

Closed 6 years ago

#519 closed Bug / Defect (wontfix)

keysize config variable of 448 for BF algorithm not respected and utilized on either Android nor iOS

Reported by: 5F7TujB4sEccR23Q Owned by: Antonio Quartulli
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: keysize key size blowfish bf config
Cc: plaisthos


What steps will reproduce the problem?

  1. Configure a server and client to utilize Blowfish (BF) algorithm with keysize of 448 bits (the max supported)
  2. Install, run, and import a VPN config file on Android with BF keysize of 448.
  3. In the OpenVPN server logs, notice that the Android client attempts to connect to the server using 128 bit key size rather than 448.

What is the expected output? What do you see instead?

Error will be failure to connect and numerous general errors depending on whether you choose TCP or UDP endpoint (doesn't matter to this issue).

What mobile phone are you using?

LG Nexus 4

Which Android Version and stock ROM or aftermarket like cyanogenmod?

Affects both:

Android Lollipop v5.0.2 (stock)
CyanogenMod? 12 (aftermarket)

Please provide any additional information below.

Let me know what additional information you require. Seems pretty straightforward...

Change History (9)

comment:1 Changed 9 years ago by plaisthos

Which Android software did you use? OpenVPN for Android or OpenVPN Connect?

comment:2 in reply to:  1 Changed 9 years ago by 5F7TujB4sEccR23Q

Replying to plaisthos:

Which Android software did you use? OpenVPN for Android or OpenVPN Connect?

I am using the official OpenVPN client for Android, OpenVPN Connect (eg. net.openvpn.openvpn in Google Play Store). URL is It appears to me that OpenVPN for Android is an unofficial client and I wouldn't attempt to use that unless the code is open source, security audited, and recommended by OpenVPN dev team. What say you?

comment:3 Changed 9 years ago by plaisthos

Component: Generic / unclassifiedOpenVPN Connect
Owner: set to James Smith
Status: newassigned

See for the differences between the Android clients. The UI code has not been security audited. The OpenVPN source code is (almost) identical to the community edition..

comment:4 Changed 9 years ago by plaisthos

Owner: changed from James Smith to jamesyonan

comment:5 Changed 9 years ago by 5F7TujB4sEccR23Q

You don't currently map the keysize to a UI element. I didn't actually try to connect, since I saw the error when I imported the config on your semi-official app. To fix this, you can map the keysize option to your UI so that it can be edited inside the app easily (still not currently supported in your app). But you are surely right, the the bug only really affects OpenVPN Connect and works fine in your app despite the UI warning. Thanks and let me know if you plan to map the UI option :) Let me know where I can make a donation too...

comment:6 Changed 9 years ago by plaisthos

Yes. I currently does not map to specific UI element. Instead the keysize (and other unknown) options are added as custom options and passed to OpenVPN. Parsing oepnvpn --ciphers and providing cipher/keysize combination is on my long todo list.

comment:7 Changed 6 years ago by Antonio Quartulli

Owner: changed from jamesyonan to Antonio Quartulli

comment:8 Changed 6 years ago by Antonio Quartulli

Cc: plaisthos added

@plaisthos is this something interesting for your client, or can we close the ticket?

comment:9 Changed 6 years ago by plaisthos

Resolution: wontfix
Status: assignedclosed

well custom config option for keysize is supported with OpenVPN 2.x and blowfish is deprecated anyway. I don't plan to add ui support for it now.

Note: See TracTickets for help on using tickets.