NCP support in 2.4.3?
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- kia0
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Sep 23, 2010 3:20 am
NCP support in 2.4.3?
Hello
I recently upgraded my OpenVPN server under Linux (RHEL 5) from 2.3 to 2.4.3 and tried to get NCP working. In the server config I specify:
cipher BF-CBC # Blowfish
ncp-ciphers AES-256-CBC:AES-128-CBC
I try to connect from a Linux client 2.4.3 to the server and I don't see 'peer info: IV_NCP=2' lines in the server log. If I specify 'cipher BF-CBC' in the client config, the connection comes up with BF-CBC, resulting in the usual 'INSECURE cipher with block size less than 128 bit' warning. If I specify AES-256-CBC in the client configuration I have mismatched ciphers: 'Authenticate/Decrypt packet error: cipher final failed'
I see 'IV_NCP=2' messages only for some Android and iOS clients, but they negotiate only BF-CBC too.
What is wrong? How can I utilize NCP and negotiate a more secure cipher at least with modern Linux clients? Do I need to change some compile-time options? Or does my RHEL 5 environment miss something?
Ivan
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: NCP support in 2.4.3?
kia0 wrote:
> I try to connect from Linux client 2.4.3 to the server and I don't see 'peer info: IV_NCP=2' lines in the server log
This suggests your client does not support cipher negotiation ..
- kia0
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Sep 23, 2010 3:20 am
Re: NCP support in 2.4.3?
"The client" and "the server" have identical binaries, as they were both set up from one OpenVPN 2.3.4 package...
Maybe I need to set some compile-time options to support NCP? But 'configure --help' does not show any.
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: NCP support in 2.4.3?
kia0 wrote:
> I recently upgraded my OpenVPN server under Linux (RHEL 5) from 2.3 to 2.4.3 and tried to get NCP working
For NCP to work, the OpenSSL library must support AES-GCM. I don't recall if the OpenSSL build in RHEL5 supports that.
And to have it said, we do not support OpenVPN 2.4 on anything older than the RHEL6 "era", which implies no OpenSSL builds older than openssl-1.0.1. The stock OpenSSL build on RHEL5 is openssl-0.9.8.
Btw, RHEL5 went officially EOL March 2017. So even your RHEL5 install should be upgraded ASAP. It is no longer safe to use, especially not if being accessible over the Internet. For more details, see here: https://access.redhat.com/support/polic ... ycle_Dates
- kia0
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Sep 23, 2010 3:20 am
Re: NCP support in 2.4.3?
Dazo, thank you for the information. AES-GCM is not supported in RHEL5's OpenSSL 0.9.8e.
Our OpenVPN server is currently being upgraded to Oracle Linux 6. But I can't upgrade all the clients' setups as I don't control them. We should even support very old RHEL4 installations...
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: NCP support in 2.4.3?
@ kia0 - Be sure you know which version of openvpn you are using,
because it looks like you are confusing version 2.4.3 with 2.3.4
- kia0
- OpenVpn Newbie
- Posts: 6
- Joined: Thu Sep 23, 2010 3:20 am
Re: NCP support in 2.4.3?
Fri Jun 30 10:14:50 2017 OpenVPN 2.4.3 i686-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] built on Jun 29 2017
Fri Jun 30 10:14:50 2017 library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, LZO 2.02
[root@vpn ~]# openssl ciphers -v | grep AES
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES-GCM crypto is not supported
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: NCP support in 2.4.3?
What you can do is to have the server use --ncp-ciphers AES-256-CBC:AES-128-CBC and --cipher AES-256-GCM. If you rely on clients using other ciphers, like BF-CBC, change --ncp-ciphers to AES-256-CBC:AES-128-CBC:BF-CBC.
Now you can take those old clients one-by-one and change --cipher to AES-256-CBC in the client configs. That's a migration method which can work. But you can't get NCP on such old SSL libraries without AES-GCM.
Once all clients are migrated away from BF-CBC, remove that from the --ncp-ciphers list.
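As an added example (not from this thread or the OpenVPN project), a small Python script that audits a 2.4 server log for the migration dazo describes: it records per client whether it advertised 'IV_NCP=2', which data-channel cipher it actually got, and whether the INSECURE small-block-size warning fired, then reports which clients still ride on BF-CBC and whether BF-CBC can already be dropped from --ncp-ciphers. The log lines are constructed; the client names and addresses are made up, the message texts follow what 2.4 prints at verb 4.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the shape of an OpenVPN 2.4
# server log at --verb 4: "<name>/<addr:port>" prefix, then the message.
SAMPLE_LOG = """\
Fri Jun 30 10:20:01 2017 lin-client/10.0.0.5:41002 peer info: IV_NCP=2
Fri Jun 30 10:20:01 2017 lin-client/10.0.0.5:41002 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jun 30 10:21:15 2017 rhel4-box/10.0.0.9:55301 peer info: IV_VER=2.3.4
Fri Jun 30 10:21:15 2017 rhel4-box/10.0.0.9:55301 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).
Fri Jun 30 10:21:15 2017 rhel4-box/10.0.0.9:55301 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 30 10:22:40 2017 android-1/10.0.0.12:60010 peer info: IV_NCP=2
Fri Jun 30 10:22:40 2017 android-1/10.0.0.12:60010 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
"""

LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<client>[^/ ]+)/\S+ (?P<msg>.*)$")
CIPHER_RE = re.compile(r"Data Channel: Cipher '(?P<cipher>[^']+)'")

def parse_log(text):
    """Per-client view: did it advertise NCP, which data-channel cipher was
    negotiated, and did the server emit the small-block-size (SWEET32) warning?"""
    clients = defaultdict(lambda: {"ncp": False, "cipher": None, "insecure": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup banner, library versions etc. carry no client prefix
        state, msg = clients[m.group("client")], m.group("msg")
        if "peer info: IV_NCP=2" in msg:
            state["ncp"] = True
        if "INSECURE cipher with block size less than 128 bit" in msg:
            state["insecure"] = True
        c = CIPHER_RE.search(msg)
        if c:
            state["cipher"] = c.group("cipher")
    return dict(clients)

def migration_report(clients):
    """Clients still on BF-CBC need --cipher AES-256-CBC in their config; BF-CBC can
    leave the server's --ncp-ciphers list only once that set is empty."""
    on_bf = sorted(n for n, s in clients.items() if s["cipher"] == "BF-CBC")
    return {
        "still_on_bf_cbc": on_bf,
        "ncp_capable": sorted(n for n, s in clients.items() if s["ncp"]),
        "can_drop_bf_cbc": not on_bf,
    }

if __name__ == "__main__":
    for key, value in migration_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Note that android-1 advertises IV_NCP=2 yet still ends up on BF-CBC, which is exactly the symptom kia0 saw on a server whose OpenSSL lacks AES-GCM.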