On 07/12/2022 16:02, Alexander Ploumistos wrote:
Hello David, Thanks for the heads up. Is there a tool that can test server and client configurations for compatibility before upgrading? If not, how can one verify that certificates, TLS version etc. comply with the minimum requirements?
There exist no tools to check compatibility. I would recommend you to just try your configuration files on a VM with the distribution version of your choice. Just run the openvpn binary manually with the --config argument on the command line. It should complain about issues reasonably quickly. Otherwise, as long as OpenSSL permits it, OpenVPN tries to be considerate to older clients.

In general, it is the cryptographic and MTU related options which can cause the biggest issues. If your clients are at least v2.4 or newer, then the cryptographic settings should usually work well, as long as the certificates and private keys are accepted by recent OpenSSL versions.

The DCO support is opportunistic. If the configuration contains settings which make it unsuitable for DCO, it will warn about that and continue with the classic tun setup. Otherwise, it is the OpenSSL library setting the limitations of what is supported in regards to TLS protocols and algorithms in use. The same goes for certificates and private keys.

Since Fedora 27 and EPEL-7, the openvpn-server@.service unit file has added a few changes which should mostly upgrade the default ciphers to AES-GCM, while keeping the older clients supported via the NCP (Negotiable Crypto Parameters) feature in OpenVPN. I suggest reading the "DATA CHANNEL CIPHER NEGOTIATION" section in the man page.

Also notice that OpenVPN clients older than v2.4 are no longer supported upstream [1]. And from March 2023, OpenVPN 2.4 will also become unsupported. So I would strongly recommend starting to migrate clients and configurations to be more up to recent standards. Default ciphers should be an AEAD based cipher (AES-GCM, ChaCha20-Poly1305). And certificates should be at least RSA-2048 with SHA256, preferably ECC based certificates. You should also ensure you use --tls-crypt or --tls-crypt-v2. TLSv1.3 is preferred, but TLSv1.2 will be accepted if the OpenSSL library accepts it.

The --auth option is of less relevance unless you require AES-CBC, other non-AEAD ciphers or --tls-auth. In these cases SHA1 (default) and SHA256 are more than reasonable enough; it is only used in HMAC contexts. If you use an AEAD, --auth should only be used with --tls-auth.

You can run the openvpn command with --show-ciphers and --show-tls to see available ciphers and which algorithms are deprecated.

[1] <https://community.openvpn.net/openvpn/wiki/SupportedVersions>

-- 
kind regards,
David Sommerseth
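The reply above lists the configuration-level points to check before upgrading (AEAD data ciphers negotiated via NCP, tls-crypt or tls-crypt-v2 on the control channel, a TLS floor of 1.2, and --auth only mattering with non-AEAD ciphers or tls-auth). The following is an added example, not code from the thread or from the OpenVPN project: a small linter that parses an OpenVPN server config and reports which of those recommendations it misses. The two embedded configs are constructed samples, the option names are the real OpenVPN directives named in the reply, and the severities ("warn"/"info") are this example's own convention. Certificate key size and signature algorithm are not checked here; inspect those with openssl x509 as usual.

```python
"""Lint an OpenVPN config against the crypto recommendations in the reply above."""

# Constructed sample: a config written for old 2.3-era clients.
LEGACY_CONFIG = """
server 10.8.0.0 255.255.255.0
dev tun
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
auth SHA1
tls-auth ta.key 0
tls-version-min 1.0
"""

# Constructed sample: the same server brought up to current recommendations.
MODERN_CONFIG = """
server 10.8.0.0 255.255.255.0
dev tun
proto udp
ca ca.crt
cert server.crt
key server.key
dh none
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
tls-crypt-v2 server-tls-crypt-v2.key
tls-version-min 1.2
"""

# AEAD ciphers OpenVPN can negotiate on the data channel.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_config(text):
    """Map each directive to a list of argument lists (directives may repeat)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first_arg(opts, name):
    """Return the first argument of the last occurrence of a directive, or None."""
    args = opts[name][-1]
    return args[0] if args else None


def lint(text):
    """Return a list of (severity, message) findings for one config text."""
    opts = parse_config(text)
    findings = []
    using_aead = False

    # Data channel: prefer an all-AEAD list negotiated through NCP (data-ciphers).
    if "data-ciphers" in opts:
        value = _first_arg(opts, "data-ciphers") or ""
        non_aead = [c for c in value.upper().split(":") if c and c not in AEAD_CIPHERS]
        if non_aead:
            findings.append(("warn", "data-ciphers lists non-AEAD cipher(s): " + ", ".join(non_aead)))
        using_aead = not non_aead
    elif "cipher" in opts:
        cipher = (_first_arg(opts, "cipher") or "").upper()
        using_aead = cipher in AEAD_CIPHERS
        if not using_aead:
            findings.append(("warn", f"legacy 'cipher {cipher}' without data-ciphers; move to an AEAD data-ciphers list"))
    if "ncp-disable" in opts:
        findings.append(("warn", "ncp-disable turns off cipher negotiation (NCP) with newer clients"))

    # Control channel: tls-crypt / tls-crypt-v2 preferred over tls-auth.
    has_tls_crypt = "tls-crypt" in opts or "tls-crypt-v2" in opts
    has_tls_auth = "tls-auth" in opts
    if not has_tls_crypt:
        if has_tls_auth:
            findings.append(("info", "tls-auth in use; prefer tls-crypt or tls-crypt-v2"))
        else:
            findings.append(("warn", "no control channel protection (tls-auth, tls-crypt or tls-crypt-v2)"))

    # TLS floor: 1.2 at minimum, 1.3 preferred.
    if "tls-version-min" in opts:
        ver = _first_arg(opts, "tls-version-min") or "1.0"
        if tuple(int(x) for x in ver.split(".")) < (1, 2):
            findings.append(("warn", f"tls-version-min {ver} is below 1.2"))

    # --auth only affects non-AEAD data ciphers and tls-auth HMACs.
    if "auth" in opts and using_aead and not has_tls_auth:
        findings.append(("info", "auth has no effect on an AEAD data channel without tls-auth"))
    return findings


def is_compliant(text):
    """True when the config produces no 'warn' findings."""
    return not any(sev == "warn" for sev, _ in lint(text))


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("modern", MODERN_CONFIG)):
        print(f"{name}: compliant={is_compliant(cfg)}")
        for sev, msg in lint(cfg):
            print(f"  [{sev}] {msg}")
```

Run it on a real server config by reading the file into `lint()`; the findings map one-to-one onto the points in the reply, so an empty result means only the certificate and key checks remain before trying the config on a VM as suggested.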