Re: OpenVPN 2.6 Beta released

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/12/2022 16:02, Alexander Ploumistos wrote:
Hello David,

Thanks for the heads up.
Is there a tool that can test server and client configurations for
compatibility before upgrading? If not, how can one verify that
certificates, TLS version etc. comply with the minimum requirements?
There exists no tools to check compatibility.  I would recommend you to
just try your configuration files on a VM with the distribution version
of your choice.  Just run the openvpn binary manually with the --config
argument on the command line.  It should complain about issues
reasonably quickly.

Otherwise, as long as OpenSSL permits it, OpenVPN tries to be
considerate to older clients.  In general, it the cryptographic and MTU
related options which can cause the biggest issues.  If your clients are
at least v2.4 or newer, then the cryptographic settings should usually
work well, as long as the certificates and private keys are accepted by
recent OpenSSL versions
.

The DCO support is opportunistic.  If the configuration contains
settings which makes it unsuitable for DCO, it will warn about that and
continue with the classic tun setup.  Otherwise, it is the OpenSSL
library setting the limitations of what is supported in regards to TLS
protocols and algorithms in use.  The same goes for certificates and
private keys.


Since Fedora 27 and EPEL-7, the openvpn-server@.service unit file has
added a few changes which should mostly upgrade the default ciphers to
AES-GCM, while keeping the older clients supported via the NCP
(Negotiable Crypto Parameters) feature in OpenVPN.  I suggest reading
the "DATA CHANNEL CIPHER NEGOTIATION" section in the man page.


Also notice that OpenVPN clients older than v2.4 are no longer supported
upstream [1].  And from March 2023, OpenVPN 2.4 will also become
unsupported.  So I would strongly recommend starting to migrate clients
and configurations to be more up to recent standards.


Default ciphers should be an AEAD based cipher (AES-GCM,
ChaCha20-Poly1305).  And certificates should be at least RSA-2048 with
SHA256, preferably ECC based certificates.  You should also ensure you
use --tls-crypt or --tls-crypt-v2.  TLSv1.3 is preferred, but TLSv1.2
will be accepted if the OpenSSL library accepts it.

The --auth option is of less relevance unless you require AES-CBC, other
non AEAD ciphers or --tls-auth.  In these case SHA1 (default) and SHA256
is more than reasonable enough; it is only used in HMAC contexts.  If
you use an AEAD, --auth should only be used with --tls-auth.

You can run the openvpn command with --show-ciphers and --show-tls to
see available ciphers and which algorithms are deprecated.


[1] <https://community.openvpn.net/openvpn/wiki/SupportedVersions>

--
kind regards,

David Sommerseth

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux