NCP support in 2.4.3?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
kia0
OpenVpn Newbie
Posts: 6
Joined: Thu Sep 23, 2010 3:20 am

NCP support in 2.4.3?

Post by kia0 » Fri Jun 30, 2017 7:08 am

Hello

I recently upgraded my OpenVPN server under Linux (RHEL 5) from 2.3 to 2.4.3 and am trying to get NCP working. In the server config I specify:

cipher BF-CBC # Blowfish
ncp-ciphers AES-256-CBC:AES-128-CBC

I try to connect from Linux client 2.4.3 to the server and I don't see 'peer info: IV_NCP=2' lines in the server log. If I specify 'cipher BF-CBC' in the client config, the connection is up with BF-CBC, resulting in the usual 'INSECURE cipher with block size less than 128 bit' warning. If I specify AES-256-CBC in the client configuration I get mismatched ciphers: 'Authenticate/Decrypt packet error: cipher final failed'

I see 'IV_NCP=2' messages only for some Android and iOS clients, but they negotiate only BF-CBC too.

What is wrong? How can I utilize NCP and negotiate a more secure cipher, at least with modern Linux clients? Do I need to change some compile-time options? Or is my RHEL 5 environment missing something?

Ivan

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: NCP support in 2.4.3?

Post by TinCanTech » Fri Jun 30, 2017 12:21 pm

kia0 wrote: I try to connect from Linux client 2.4.3 to the server and I don't see 'peer info: IV_NCP=2' lines in the server log
This suggests your client does not support cipher negotiation ..

kia0
OpenVpn Newbie
Posts: 6
Joined: Thu Sep 23, 2010 3:20 am

Re: NCP support in 2.4.3?

Post by kia0 » Fri Jun 30, 2017 12:52 pm

"The client" and "the server" have identical binaries, as they both were set up from one OpenVPN 2.3.4 package...

Maybe I need to set some compile-time options to support NCP? But 'configure --help' does not show any.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: NCP support in 2.4.3?

Post by dazo » Fri Jun 30, 2017 1:13 pm

I recently upgrade my OpenVPN server under Linux (RHEL 5) for 2.3 to 2.4.3 and try to get NCP working
For NCP to work, the OpenSSL library must support AES-GCM. I don't recall if the OpenSSL build in RHEL5 supports that.

And to have it said, we do not support OpenVPN 2.4 on anything older than the RHEL6 "era", which implies no OpenSSL builds older than openssl-1.0.1. The stock OpenSSL build on RHEL5 is openssl-0.9.8.

Btw, RHEL5 went officially EOL March 2017. So even your RHEL5 install should be upgraded ASAP. It is no longer safe to use, especially not if being accessible over the Internet. For more details, see here: https://access.redhat.com/support/polic ... ycle_Dates

kia0
OpenVpn Newbie
Posts: 6
Joined: Thu Sep 23, 2010 3:20 am

Re: NCP support in 2.4.3?

Post by kia0 » Fri Jun 30, 2017 1:46 pm

Dazo, thank you for the information. AES-GCM is not supported in RHEL5's OpenSSL 0.9.8e

Our OpenVPN server is currently being upgraded to Oracle Linux 6. But I can't upgrade all the clients' setups, as I don't control them. We even need to support very old RHEL4 installations...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: NCP support in 2.4.3?

Post by TinCanTech » Fri Jun 30, 2017 2:11 pm

@ kia0 - Be sure you know which version of openvpn you are using
because it looks like you are confusing version 2.4.3 with 2.3.4

kia0
OpenVpn Newbie
Posts: 6
Joined: Thu Sep 23, 2010 3:20 am

Re: NCP support in 2.4.3?

Post by kia0 » Fri Jun 30, 2017 2:48 pm

Fri Jun 30 10:14:50 2017 OpenVPN 2.4.3 i686-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] built on Jun 29 2017
Fri Jun 30 10:14:50 2017 library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, LZO 2.02

[root@vpn ~]# openssl ciphers -v | grep AES
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

AES-GCM crypto is not supported :(

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: NCP support in 2.4.3?

Post by dazo » Fri Jun 30, 2017 5:37 pm

What you can do is to have the server use --ncp-ciphers AES-256-CBC:AES-128-CBC and --cipher AES-256-GCM. If you rely on clients using other ciphers, like BF-CBC, change --ncp-ciphers to AES-256-CBC:AES-128-CBC:BF-CBC.

Now you can take those old clients one-by-one and change --cipher to AES-256-CBC in the client configs. That's a migration method which can work. But you can't get NCP on such old SSL libraries without AES-GCM.

Once all clients are migrated away from BF-CBC, remove that from the --ncp-ciphers list.
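The diagnosis in the opening post (looking for 'peer info: IV_NCP=2' lines and the 'INSECURE cipher with block size less than 128 bit' warning in the server log) and the migration described in the reply above (removing BF-CBC from --ncp-ciphers once no client needs it) both come down to knowing what each client actually advertised and negotiated. The Python script below is an added example, not part of this thread and not OpenVPN project code. It inventories constructed server-log lines; the 'cn/ip:port' line prefix and the "Outgoing Data Channel: Cipher '...' initialized" message shape are assumed from OpenVPN 2.4 server logs, while the 'peer info: IV_NCP=2' and 'INSECURE cipher' phrases are the ones quoted in the thread. It reports, per client, whether NCP was advertised and which data-channel cipher was set up, and answers whether a given cipher can be dropped from --ncp-ciphers without cutting off a client seen in the log.

```python
"""
Inventory an OpenVPN 2.4 server log: which clients advertise NCP (IV_NCP=2),
which data-channel cipher each one ended up with, and whether a cipher can
be removed from --ncp-ciphers without breaking a known client.

Added example, not from the forum thread or the OpenVPN project.
The sample log below is constructed; the line layout
"<weekday> <mon> <day> <hh:mm:ss> <yyyy> <cn>/<ip>:<port> <message>"
and the "Outgoing Data Channel: Cipher '...' initialized" message are
assumed from OpenVPN 2.4 server logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ciphers with a block size below 128 bits; OpenVPN 2.4 logs the
# 'INSECURE cipher with block size less than 128 bit' warning for these.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed sample: three clients, one of them still on Blowfish.
SAMPLE_LOG = """\
Fri Jun 30 10:15:01 2017 laptop-a/203.0.113.10:51000 peer info: IV_VER=2.4.3
Fri Jun 30 10:15:01 2017 laptop-a/203.0.113.10:51000 peer info: IV_NCP=2
Fri Jun 30 10:15:01 2017 laptop-a/203.0.113.10:51000 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jun 30 10:16:12 2017 old-box/198.51.100.7:40022 peer info: IV_VER=2.3.4
Fri Jun 30 10:16:12 2017 old-box/198.51.100.7:40022 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Jun 30 10:16:12 2017 old-box/198.51.100.7:40022 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 30 10:17:30 2017 phone-b/192.0.2.44:60011 peer info: IV_VER=2.4.2
Fri Jun 30 10:17:30 2017 phone-b/192.0.2.44:60011 peer info: IV_NCP=2
Fri Jun 30 10:17:30 2017 phone-b/192.0.2.44:60011 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"(?P<cn>[^/\s]+)/(?P<addr>\S+) (?P<msg>.*)$"
)
CIPHER_RE = re.compile(r"Data Channel: Cipher '(?P<cipher>[^']+)' initialized")


@dataclass
class ClientStatus:
    cn: str
    version: Optional[str] = None      # from peer info: IV_VER=...
    ncp: bool = False                  # True once 'peer info: IV_NCP=2' is seen
    cipher: Optional[str] = None       # data-channel cipher initialised for this client
    insecure_warning: bool = False     # small-block-cipher warning was logged


def parse_log(text: str) -> Dict[str, ClientStatus]:
    """Build one ClientStatus per common name from server log lines."""
    clients: Dict[str, ClientStatus] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a client prefix (daemon start-up etc.)
        cn, msg = m.group("cn"), m.group("msg")
        st = clients.setdefault(cn, ClientStatus(cn))
        if msg.startswith("peer info: IV_VER="):
            st.version = msg.split("=", 1)[1]
        elif msg == "peer info: IV_NCP=2":
            st.ncp = True
        elif "INSECURE cipher with block size less than 128 bit" in msg:
            st.insecure_warning = True
        else:
            cm = CIPHER_RE.search(msg)
            if cm:
                st.cipher = cm.group("cipher")
    return clients


def clients_using(clients: Dict[str, ClientStatus], cipher: str) -> List[str]:
    """Common names whose data channel was set up with `cipher`."""
    return sorted(cn for cn, st in clients.items() if st.cipher == cipher)


def can_drop_cipher(clients: Dict[str, ClientStatus], cipher: str) -> bool:
    """True when no client in the log negotiated `cipher`, so removing it
    from --ncp-ciphers would not lock out a client we have seen."""
    return not clients_using(clients, cipher)


def report(clients: Dict[str, ClientStatus]) -> List[str]:
    """One line per client with the migration-relevant flags."""
    lines = []
    for cn in sorted(clients):
        st = clients[cn]
        flags = []
        if not st.ncp:
            flags.append("no NCP (IV_NCP=2 not advertised)")
        if st.cipher in SMALL_BLOCK_CIPHERS or st.insecure_warning:
            flags.append("64-bit block cipher, move --cipher to AES-256-CBC")
        version = st.version or "?"
        cipher = st.cipher or "?"
        note = "; ".join(flags) or "ok"
        lines.append(f"{cn:10} ver={version:6} cipher={cipher:12} {note}")
    return lines


if __name__ == "__main__":
    inventory = parse_log(SAMPLE_LOG)
    print("\n".join(report(inventory)))
    for c in ("BF-CBC", "AES-128-CBC"):
        print(f"safe to remove {c} from --ncp-ciphers: {can_drop_cipher(inventory, c)}")
```

Run it against a real server log by replacing SAMPLE_LOG with the file contents; the peer-info lines only appear when the server logs verbosely enough to show them, which is the case in the opening post. A client listed with "no NCP" and BF-CBC is one whose config still needs --cipher AES-256-CBC before BF-CBC can leave the server's --ncp-ciphers list.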
