| | 1 | Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish ^![0]^. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ ^![0]^ for a much better and more elaborate explanation. |
| | 2 | |
| | 3 | = Am I affected? |
| | 4 | |
| | 5 | This depends on the cipher you've chosen (OpenVPN's --cipher option). |
| | 6 | OpenVPN's default cipher, BF-CBC, is affected by this attack. |
| | 7 | |
| | 8 | Whether you're affected can be checked by installing OpenVPN 2.3.12 ^![1]^ or newer, and running "openvpn --show-ciphers". This will show you which ciphers should no longer be used. For convenience, we provide a summary for commonly used cipher here: |
| | 9 | |
| | 10 | The following ciphers are affected, and should no longer be used: |
| | 11 | * BF-* |
| | 12 | * DES* (including 3DES variants) |
| | 13 | * RC2-* |
| | 14 | |
| | 15 | The following ciphers are *not* affected: |
| | 16 | * AES-* |
| | 17 | * CAMELLIA-* |
| | 18 | * SEED-* |
| | 19 | |
| | 20 | = Mitigation |
| | 21 | |
| | 22 | == 1. Change to a larger block cipher |
| | 23 | |
| | 24 | The best mitigation is to transition away from small-block ciphers. This |
| | 25 | requires editting the cipher setting in all server and client configs (or |
| | 26 | upgrading to our experimental branch, see below). |
| | 27 | |
| | 28 | Of the currently supported ciphers, OpenVPN currently recommends using |
| | 29 | AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For |
| | 30 | 2.4+, we recommend using AES-256-GCM or AES-128-GCM. |
| | 31 | |
| | 32 | == 2. Renegotiate more often |
| | 33 | |
| | 34 | If changing the cipher is not possible, for example because you don't control |
| | 35 | the server, or can not update all client configs on a short notice, you can |
| | 36 | renegotiate new keys more often. For example, add --reneg-bytes 64000 to your |
| | 37 | config to renegatiate after every 64 megabytes. |
| | 38 | |
| | 39 | Note that if you're using two-factor authentication, or username-password |
| | 40 | authentication, this might require used to re-enter their 2FA token or |
| | 41 | usernamne and password. To avoid this, do not use --auth-nocache, and enable |
| | 42 | <insert-correct-name> on the server side to ask for 2FA once per session only. |
| | 43 | |
| | 44 | <some text on the single-2FA-per-session option> |
| | 45 | |
| | 46 | == 3. Enable cipher negotiation (experimental!) |
| | 47 | |
| | 48 | OpenVPN 2.4 and newer will support cipher negotiation. If both peers (client |
| | 49 | and server) support cipher negotiation, OpenVPN will default to using AES-GCM. |
| | 50 | The bad news is that OpenVPN 2.4 is not available yet, we're still fixing bugs |
| | 51 | and working our way to the first alpha release. Nevertheless, the code is |
| | 52 | pretty stable. Most bugs are hiding in seldomly-used corner cases. If you're |
| | 53 | brave enough, check out the master branch of our git repo ^![2]^, and build your own |
| | 54 | OpenVPN-with-cipher-negotiation support. |
| | 55 | |
| | 56 | = References |
| | 57 | |
| | 58 | ![0] https://sweet32.info/ |
| | 59 | |
| | 60 | ![1] https://openvpn.net/index.php/open-source/downloads.html |
| | 61 | |
| | 62 | ![2] https://github.com/OpenVPN/openvpn.git |
