Missing ciphers: How to add a new one?

Scripts to manage certificates or generate config files

Moderators: TinCanTech

Anton
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 06, 2013 5:29 am

Missing ciphers: How to add a new one?

Post by Anton » Wed Mar 06, 2013 4:55 pm

Hi,
I'm newbie with openvpn.

I miss some ciphers inside openvpn despite openssl showing them. Why doesn't openvpn recognize the rest of the ciphers?

How can I add Camellia to openvpn? Is there some tutorial or help?


This is what OpenSSL v0.9.8e and OpenVPN v2.0 show me:

Code:

#openssl -h    
openssl:Error: 'c-h' is an invalid command.
...
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            

Code:

 #openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended.

DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
Any help would be appreciated.

Thanks so much,
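An added diagnostic, not from the thread, that parses the two listings quoted above and reports which CBC ciphers the OpenSSL CLI offers that OpenVPN's --show-ciphers does not; the embedded listings are constructed excerpts of the post's output, and the header-line formats are assumed to match what the post shows.

```python
import re

# Constructed excerpts of the two listings quoted in the post above.
OPENSSL_HELP = """\
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       base64            bf
bf-cbc            bf-cfb            bf-ecb            bf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  des               des-cbc
"""

OPENVPN_SHOW_CIPHERS = """\
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.

DES-CBC 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
"""

# One OpenVPN line: NAME <bits> bit default key (fixed|variable)
LINE_RE = re.compile(r"^([A-Z0-9-]+) (\d+) bit default key \((fixed|variable)\)$")


def parse_openssl_cipher_commands(text):
    """Cipher command names after the 'Cipher commands' header of 'openssl -h';
    bare aliases without a mode suffix ('bf', 'des', 'base64') are dropped."""
    names, in_section = set(), False
    for line in text.splitlines():
        if line.startswith("Cipher commands"):
            in_section = True
        elif in_section:
            names.update(n for n in line.split() if "-" in n)
    return names


def parse_openvpn_show_ciphers(text):
    """Map NAME -> (key_bits, key_is_variable) from 'openvpn --show-ciphers' output."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group(1)] = (int(m.group(2)), m.group(3) == "variable")
    return out


def missing_cbc_ciphers(openssl_text, openvpn_text):
    """CBC ciphers the OpenSSL CLI knows but OpenVPN does not offer for --cipher."""
    ssl_cbc = {n.upper() for n in parse_openssl_cipher_commands(openssl_text) if n.endswith("-cbc")}
    return sorted(ssl_cbc - set(parse_openvpn_show_ciphers(openvpn_text)))
```

Run `missing_cbc_ciphers(OPENSSL_HELP, OPENVPN_SHOW_CIPHERS)` on the real output of both tools to see exactly which OpenSSL ciphers a given OpenVPN build leaves out; on the excerpt it reports the three Camellia CBC variants.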

IncreasedSecurity
OpenVpn Newbie
Posts: 10
Joined: Mon Feb 25, 2013 1:04 am

Re: Missing ciphers: How to add a new one?

Post by IncreasedSecurity » Thu Mar 07, 2013 4:20 am

I'd suggest upgrading to a newer version of OpenVPN - 2.0.0 is very old. We've got various 2.1.x's, 2.2.x's, and 2.3.0 all available now. Even Debian 6 (Squeeze) stable is on OpenVPN 2.2.1!

On Windows, at least, Openvpn installs its own local OpenSSL copy, which is often a different version than the one in the system path - I'm not sure how it works on Linux.

If you get any of the GCM ciphers working, please let us know!

Anton
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 06, 2013 5:29 am

Re: Missing ciphers: How to add a new one?

Post by Anton » Fri Mar 08, 2013 4:19 am

I think there is no special version of openssl in the tar.gz. When openvpn starts to compile there is an include of the system file /usr/include/openssl/evp.h. Here are the constants of the ciphers of my system. I have Camellia, so I don't understand why this is not included in the compilation.

Is there another issue affecting this inclusion? What can it be?

Is there an openvpn able to include all ciphers of openssl?

Code:

/* excerpt from /usr/include/openssl/evp.h */
/* ... */
#ifndef OPENSSL_NO_CAMELLIA
const EVP_CIPHER *EVP_camellia_128_ecb(void);
const EVP_CIPHER *EVP_camellia_128_cbc(void);
const EVP_CIPHER *EVP_camellia_128_cfb1(void);
const EVP_CIPHER *EVP_camellia_128_cfb8(void);
const EVP_CIPHER *EVP_camellia_128_cfb128(void);
# define EVP_camellia_128_cfb EVP_camellia_128_cfb128
const EVP_CIPHER *EVP_camellia_128_ofb(void);
const EVP_CIPHER *EVP_camellia_192_ecb(void);
const EVP_CIPHER *EVP_camellia_192_cbc(void);
const EVP_CIPHER *EVP_camellia_192_cfb1(void);
const EVP_CIPHER *EVP_camellia_192_cfb8(void);
const EVP_CIPHER *EVP_camellia_192_cfb128(void);
# define EVP_camellia_192_cfb EVP_camellia_192_cfb128
const EVP_CIPHER *EVP_camellia_192_ofb(void);
const EVP_CIPHER *EVP_camellia_256_ecb(void);
const EVP_CIPHER *EVP_camellia_256_cbc(void);
const EVP_CIPHER *EVP_camellia_256_cfb1(void);
const EVP_CIPHER *EVP_camellia_256_cfb8(void);
const EVP_CIPHER *EVP_camellia_256_cfb128(void);
# define EVP_camellia_256_cfb EVP_camellia_256_cfb128
const EVP_CIPHER *EVP_camellia_256_ofb(void);
#endif /* OPENSSL_NO_CAMELLIA */

Thanks!

IncreasedSecurity
OpenVpn Newbie
Posts: 10
Joined: Mon Feb 25, 2013 1:04 am

Re: Missing ciphers: How to add a new one?

Post by IncreasedSecurity » Fri Mar 08, 2013 5:45 am

Hmm... I just checked some machines, all of which have openssl and openvpn installed from the package managers (Synaptic/apt) from normal Debian repositories.

OpenVPN 2.2.1 on Debian 6 (Squeeze), with OpenSSL 0.9.8o, only shows the older ciphers - no Camellia, GCM, or EC.

OpenVPN 2.2.1 on Debian 7 (Wheezy) with OpenSSL 1.0.1e does show Camellia, GCM mode AES, and EC ciphers.

Anton
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 06, 2013 5:29 am

Re: Missing ciphers: How to add a new one?

Post by Anton » Fri Mar 08, 2013 5:59 am

Many thanks for your comments.
I have updated Openvpn from the CentOS RPMforge repositories, and there is the same issue :(

Is this normal?

Code:

OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr  5 2012

/usr/sbin/openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended.

DES-CFB 64 bit default key (fixed)
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable)
RC2-OFB 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed)
DES-EDE-CFB 128 bit default key (fixed)
DES-EDE3-CFB 192 bit default key (fixed)
DES-EDE-OFB 128 bit default key (fixed)
DES-EDE3-OFB 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
BF-OFB 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable)
CAST5-OFB 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed)
AES-128-CFB 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed)
AES-192-CFB 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed)
AES-256-CFB 256 bit default key (fixed)
AES-128-CFB1 128 bit default key (fixed)
AES-192-CFB1 192 bit default key (fixed)
AES-256-CFB1 256 bit default key (fixed)
AES-128-CFB8 128 bit default key (fixed)
AES-192-CFB8 192 bit default key (fixed)
AES-256-CFB8 256 bit default key (fixed)
DES-CFB1 64 bit default key (fixed)
DES-CFB8 64 bit default key (fixed)

Anton
OpenVpn Newbie
Posts: 4
Joined: Wed Mar 06, 2013 5:29 am

Re: Missing ciphers: How to add a new one?

Post by Anton » Sat Mar 09, 2013 6:49 am

Well, I'm not sure what happens... I have reviewed all my libraries, updated Crypto++, and tested the new 2.3 version. No results.
I'm not a C programmer and I wonder whether there is some relation with Kerberos.

I have read that Kerberos v5 doesn't have support for Camellia despite it appearing in the RFC. I have found some complaints about this.
Not sure if this is the reason, but updating Kerberos is not easy for me. Perhaps it would be solved by upgrading my CentOS 5.x or changing the distro. I don't really know.

Maybe Kerberos is not the cause. Anyway, I'm bored of searching for a solution to this issue. There is no support although it is a bug noticed 2 years ago:
https://community.openvpn.net/openvpn/ticket/89
topic8007.html?hilit=camellia

Still not solved.


Thanks anyway for those useful comments on Debian; it is an alternative from a virtual machine.


IncreasedSecurity
OpenVpn Newbie
Posts: 10
Joined: Mon Feb 25, 2013 1:04 am

Re: Missing ciphers: How to add a new one?

Post by IncreasedSecurity » Sat Mar 09, 2013 9:58 pm

I'm afraid that I am unable to help on a CentOS project.

Debian 6 and 7 do have working OpenVPN installations, and you could also run a pfSense VM (FreeBSD based) and use that for OpenVPN and perhaps other features.

Good luck - if you ever get it fixed, drop a post!

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Missing ciphers: How to add a new one?

Post by Douglas » Mon Mar 11, 2013 4:13 am

I know it's bad to say because it makes me look bad, but I use pfSense often for quick-n-dirty VPNs and it works great.
