| 1 | Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish ^![0]^. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ ^![0]^ for a much better and more elaborate explanation. |
| 2 | |
| 3 | = Am I affected? |
| 4 | |
| 5 | This depends on the cipher you've chosen (OpenVPN's --cipher option). |
| 6 | OpenVPN's default cipher, BF-CBC, is affected by this attack. |
| 7 | |
| 8 | Whether you're affected can be checked by installing OpenVPN 2.3.12 ^![1]^ or newer, and running "openvpn --show-ciphers". This will show you which ciphers should no longer be used. For convenience, we provide a summary for commonly used ciphers here: |
| 9 | |
| 10 | The following ciphers are affected, and should no longer be used: |
| 11 | * BF-* |
| 12 | * DES* (including 3DES variants) |
| 13 | * RC2-* |
| 14 | |
| 15 | The following ciphers are *not* affected: |
| 16 | * AES-* |
| 17 | * CAMELLIA-* |
| 18 | * SEED-* |
| 19 | |
| 20 | = Mitigation |
| 21 | |
| 22 | == 1. Change to a larger block cipher |
| 23 | |
| 24 | The best mitigation is to transition away from small-block ciphers. This |
| 25 | requires editing the cipher setting in all server and client configs (or |
| 26 | upgrading to our experimental branch, see below). |
| 27 | |
| 28 | Of the supported ciphers, OpenVPN currently recommends using |
| 29 | AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For |
| 30 | 2.4+, we recommend using AES-256-GCM or AES-128-GCM. |
| 31 | |
| 32 | == 2. Renegotiate more often |
| 33 | |
| 34 | If changing the cipher is not possible, for example because you don't control |
| 35 | the server, or cannot update all client configs on short notice, you can |
| 36 | renegotiate new keys more often. For example, add --reneg-bytes 64000 to your |
| 37 | config to renegotiate after every 64 megabytes. |
| 38 | |
| 39 | Note that if you're using two-factor authentication, or username-password |
| 40 | authentication, this might require users to re-enter their 2FA token or |
| 41 | username and password. To avoid this, do not use --auth-nocache, and enable |
| 42 | <insert-correct-name> on the server side to ask for 2FA once per session only. |
| 43 | |
| 44 | <some text on the single-2FA-per-session option> |
| 45 | |
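
An added example (not OpenVPN project code) that applies the cipher lists under "Am I affected?" and the --reneg-bytes mitigation to config text: it reports the effective cipher, falling back to the BF-CBC default when no cipher directive is present, and whether reneg-bytes is set. The sample configs, the function names and the last-directive-wins handling are assumptions made for the example.

```python
import fnmatch

# Cipher name patterns taken from the lists on this page.
AFFECTED = ("BF-*", "DES*", "RC2-*")
NOT_AFFECTED = ("AES-*", "CAMELLIA-*", "SEED-*")
DEFAULT_CIPHER = "BF-CBC"  # used when the config has no cipher directive


def parse_directives(text):
    """Return {directive: [args]}; a repeated directive keeps its last value (assumption)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split()
        found[parts[0].lstrip("-")] = parts[1:]  # tolerate a leading "--"
    return found


def audit(text):
    """Classify the effective cipher and report whether reneg-bytes is set."""
    opts = parse_directives(text)
    args = opts.get("cipher") or [DEFAULT_CIPHER]
    cipher = args[0].upper()
    if any(fnmatch.fnmatchcase(cipher, p) for p in AFFECTED):
        status = "affected"
    elif any(fnmatch.fnmatchcase(cipher, p) for p in NOT_AFFECTED):
        status = "not affected"
    else:
        status = "unknown"  # in neither list; check "openvpn --show-ciphers"
    reneg = opts.get("reneg-bytes")
    return {"cipher": cipher, "explicit": "cipher" in opts, "status": status,
            "reneg_bytes": int(reneg[0]) if reneg else None}


# Constructed sample configs (not from the page).
SAMPLES = {
    "legacy.conf": "remote vpn.example.net 1194\n# cipher left at the default\n",
    "stopgap.conf": "cipher DES-EDE3-CBC\nreneg-bytes 64000\n",
    "fixed.conf": "; migrated\ncipher AES-256-CBC\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

A config that reports "affected" with no reneg-bytes value has neither mitigation 1 nor mitigation 2 applied.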
| 46 | == 3. Enable cipher negotiation (experimental!) |
| 47 | |
| 48 | OpenVPN 2.4 and newer will support cipher negotiation. If both peers (client |
| 49 | and server) support cipher negotiation, OpenVPN will default to using AES-GCM. |
| 50 | The bad news is that OpenVPN 2.4 is not available yet; we're still fixing bugs |
| 51 | and working our way to the first alpha release. Nevertheless, the code is |
| 52 | pretty stable. Most bugs are hiding in seldom-used corner cases. If you're |
| 53 | brave enough, check out the master branch of our git repo ^![2]^, and build your own |
| 54 | OpenVPN-with-cipher-negotiation support. |
| 55 | |
| 56 | = References |
| 57 | |
| 58 | ![0] https://sweet32.info/ |
| 59 | |
| 60 | ![1] https://openvpn.net/index.php/open-source/downloads.html |
| 61 | |
| 62 | ![2] https://github.com/OpenVPN/openvpn.git |