#673 closed Bug / Defect (fixed)

weak cipher suites

Reported by: sarnold Owned by: syzzer
Priority: major Milestone: release 2.3.11
Component: Crypto Version: OpenVPN 2.3.10 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

Ubuntu's Xenial packaged 2.3.10-1ubuntu2 reports the following ciphersuites:

$ openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DH-RSA-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DH-RSA-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DH-RSA-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DH-RSA-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DH-RSA-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DH-RSA-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DH-RSA-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DH-RSA-WITH-SEED-CBC-SHA
TLS-DH-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DH-RSA-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
DH-DSS-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA

I suspect everything after the first mention of RC4 should be removed (inclusive of rc4, of course).

It's also getting close to time to plan on removing SHA-1 support, too. Google and Mozilla are already taking steps to remove SHA-1 support from their TLS-based products.

Thanks

Change History (5)

comment:1 Changed 21 months ago by cron2

  • Owner set to syzzer
  • Status changed from new to assigned

@syzzer: you might want to comment on this?

comment:2 Changed 21 months ago by ValdikSS

AFAIK that's a list of available ciphers, not usable or default.
For example, there's even SRP ciphers which can't be used in OpenVPN.

comment:3 Changed 20 months ago by sarnold

Ah, thanks. With this, Christian Ehrhardt did some further research https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1567717/comments/2 .

It appears that the ciphers available for the control channel are:

EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-SEED-SHA
DES-CBC3-SHA
AES128-SHA
AES128-SHA256
AES128-GCM-SHA256
AES256-SHA
AES256-SHA256
AES256-GCM-SHA384
CAMELLIA128-SHA
CAMELLIA256-SHA
RC4-MD5
RC4-SHA
SEED-SHA

And the ciphers available for the data channel are:
AES-128-CBC
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-OFB
AES-192-CBC
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-OFB
AES-256-CBC
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-OFB
BF-CBC
BF-CFB
BF-OFB
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-OFB
CAST5-CBC
CAST5-CFB
CAST5-OFB
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-EDE-CBC
DES-EDE-CFB
DES-EDE-OFB
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
DES-EDE3-OFB
DES-OFB
DESX-CBC
RC2-40-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-OFB
SEED-CBC
SEED-CFB
SEED-OFB

Maybe some of these can only be chosen by mutual agreement by both parties, but supporting ancient algorithms for negotiated cipher selection has proven in other protocols to be a source of trouble. Ancient deployments may need to be upgraded to continue working with newer deployments -- it's an unfortunate truth with cryptographic tools that occasionally the right answer is to prevent interoperation.

Thanks

comment:4 Changed 20 months ago by syzzer

I sent patches to the list to restrict the default --tls-cipher list. That should remove the DES, SEED and RC4 ciphers from the TLS list.
http://article.gmane.org/gmane.network.openvpn.devel/11455

For the master branch (what will become 2.4.x), I also suggested to remove support for DSA certificates and non-ephemeral ciphers from the default list:
http://article.gmane.org/gmane.network.openvpn.devel/11457

The --cipher and --auth options are not negotiable, so I see less risk there. We might decide to drop support from some later on, but that will require extra logic in the code (we now just list whatever the crypto library reports as available to us).

comment:5 Changed 20 months ago by syzzer

  • Milestone set to release 2.3.11
  • Resolution set to fixed
  • Status changed from assigned to closed

Both patches have been applied. Changes will be first visible in 2.3.11, and more once 2.4.x is released.

Note: See TracTickets for help on using tickets.