#845 closed Feature Wish (fixed)
set cipher for client in ccd
| Reported by: | slesru | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.4.0 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
Hello!
This was discussed in user's mail list, and there was info that such fetaure was already planned , but we really need it, so I decided to create feature wish.
In 2.4 it is possible for server to get cipher info from pre-2.4 client , but some clients (let's say in home routers) can't send info about cipher to server, because they are compiled without support for this feature,
so server will always use default cipher.
This makes migration from one default cipher to another , at least, very hard task, because we need to change default cipher on all such clients and on server at the same time.
This is major issue for us, because we are using OpenVPN for long time and aour default cipher is blowfish :-(
I'd like to have an ability to set default cipher on per-client basis in ccd.
Thank you!
Attachments (1)
Change History (18)
comment:1 Changed 7 years ago by
| Owner: | set to Steffan Karger |
|---|---|
| Status: | new → accepted |
Changed 7 years ago by
| Attachment: | 0001-Allow-changing-cipher-from-a-ccd-file.patch added |
|---|
comment:2 Changed 7 years ago by
Hello!
Sorry for extremely late reply, I somehow missed this patch.
Just applied this on 2.4.1.
And trying to connect using 2.3.11, unfortunately, this is full version, i.e. it can tell to server which cipher it wants.
I have in server config:
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
And client has default BF-CBC.
I wrote in ccd:
cipher BF-CBC
But I see during connect:
Thu Mar 23 10:58:07 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
I.e. looks like server doesn't use cipher BF-CBC for me :-(
Although server does not complain about cipher directive in ccd, looks like server does not use
cipher from ccd.
Thank you!
Or, may be, I'm wrong and it works only if client can inform server about cipher?
comment:3 Changed 7 years ago by
Sorry for previous message, it was too early - looks like disabling ncp helps to test and looks like it works, I need to test it on real hardware router.
Thank you!
comment:4 Changed 7 years ago by
We just tested patched 2.4.1 with openvpn in soho router, we use, and
it works just fine with cipher from ccd, i.e. not default per server.
Great!
btw, looks like building 2.4.1 with --enable-small doesn't turn off occ and/or ncp - this is why I wrote firts comment here without any useful info.
So I built 2.3 for tests on my desktop...
Thank you very much! Going to patch my production servers in next several days.
Hope to have this in 2.4.2.. :-)
comment:5 Changed 7 years ago by
Hello!
We are in production now, tested on two soho routers, everything looks just fine.
Thank you!
comment:6 Changed 7 years ago by
Thanks for reporting back! The patch is awaiting review on the development mailing list:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14066.html
comment:8 Changed 7 years ago by
Hello!
Very pity it is not included in release 2.4.2.
Patch can be applied to 2.4.2 without problems, though:
+ echo 'Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):'
Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):
+ /usr/bin/patch -p1 --fuzz=0
+ /bin/cat /root/rpmbuild/SOURCES/0001-Allow-changing-cipher-from-a-ccd-file.patch
patching file src/openvpn/multi.c
patching file src/openvpn/options.c
Hunk #1 succeeded at 7495 (offset -41 lines).
patching file src/openvpn/options.h
Hunk #1 succeeded at 629 (offset 1 line).
patching file src/openvpn/ssl.c
Hunk #1 succeeded at 2396 (offset -5 lines).
Thank you!
comment:10 Changed 7 years ago by
and in 2.4.4 :-(
Could you, please, tell me will it be included in main tree?
I'm tired from patching ;)
Thank you!
comment:11 Changed 4 years ago by
Hello!
2.4.9 breaks patch compatibilty, because tls_session_update_crypto_params now has additional parameter:
multi.c: In function ‘multi_connection_established’:
multi.c:2091:17: error: too few arguments to function ‘tls_session_update_crypto_params’
&& !tls_session_update_crypto_params(session, &mi->context.options,
from original multi.c:
if (!tls_session_update_crypto_params(session, &c->options,
&c->c2.frame, frame_fragment))
I have no enough knowledge to fix this.
Could you, please, update patch?
comment:12 Changed 4 years ago by
Hi,
I tried to quick-fix parameter part in patch but got other errors. For that specific problem you could try something like:
struct context *c = &mi->context;
struct frame *frame_fragment = NULL;
#ifdef ENABLE_FRAGMENT
if (c->options.ce.fragment)
{
frame_fragment = &c->c2.frame_fragment;
}
#endif
struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
if (!tls_session_update_crypto_params(session, &c->options,
&c->c2.frame, frame_fragment))
comment:13 Changed 4 years ago by
Hello!
Yes, I understand, this is how code in another place looks now, but problem can't be solved by just copying it, I already tried..
Thank you!
comment:14 Changed 4 years ago by
I am trying to get rid of --cipher eventually and rely on ncp-ciphers/NCP in the future. Adding this would be against this effort. For the people that are interested in this patch, what reasons do you have to use it?
comment:15 Changed 4 years ago by
Reason is still the same:
There are openvpn 2.3 clients in 3g routers which are built without ability to inform server about cipher, so server uses default cipher for them,
in case you need to change default cipher on server you can't do this , because clients will not work, it is also impossible to change default cipher on all clients at once,
so this is where ability to set default cipher on ccd helps. All these are explained in ticket.
Thanks to patch author we were able to change default cipher without downtime.
btw, we still run such routers but can't do the same procedure because patch is not compatible with 2.4.9 if for some reason current cipher will became nonsecure as blowfish.
comment:16 Changed 4 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
closed in master by commit 6168f53d
comment:17 Changed 4 years ago by
Unfortunately, current git master dies when 2.3.18 client compiled with enable-small connects to it:
Jul 13 09:33:22 ovpn1 systemd[1]: openvpn@…: Main process exited, code=killed, status=11/SEGV
Thank you!
Thanks for creating the trac ticket, that helps keeping track of the issue.
I've created a patch that should allow you to set 'cipher' directives in ccd files, and attached it to this ticket. It would be great if you could test the patch to verify whether this works for you.