Help resolving OpenVPN Access Server Sweet32 Vulnerability
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Dec 20, 2017 1:33 pm
Help resolving OpenVPN Access Server Sweet32 Vulnerability
I'm trying to resolve a vulnerability on our OpenVPN Access Server for Sweet32, but have been unable to get it to resolve. I updated both the client and server configs to contain "cipher AES-256-CBC" and the web server is using a SHA256 cert. Any ideas on what else I need to change to resolve it? Also, this is running on Ubuntu Server 14.04. Also, under TLS settings it's set to use OpenSSL. Minimum TLS version by server is 1.2 and minimum TLS for web server is TLS 1.2.
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Help resolving OpenVPN Access Server Sweet32 Vulnerability
We see this a lot these days, so to put it as succinctly as possible:
1: In the openvpn logs you may see a warning about sweet32. If so, you probably use BF-CBC now. AES-256-CBC would be much better and will be the default in the future. OpenVPN Connect Client and the Access Server mitigate the problems with this by forcing the TLS key used for encryption to refresh every 60 megabytes or so, making the vulnerability impossible to exploit. To switch to AES-256-CBC now beware; if you have a lot of clients installed you may need to reinstall/reconfigure them. But putting cipher AES-256-CBC in both the server config directives and client config directives fields and then reinstalling/reconfiguring the client should fix that.
2: If you use a vulnerability scanner program or some online vulnerability scanner, you may see a warning about sweet32 too. Since such a scanner is very unlikely to even bother with scanning the OpenVPN daemons, what they'll most likely be picking up on is the web services. And that has a default cipher suite string that contains ciphers based on 3DES that are there for compatibility with older software. If you don't care about that, then you should harden your web server cipher suite string per the recommendations here:
https://docs.openvpn.net/getting-starte ... ite_string
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
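The second point above is the one scanners usually trip on: the Access Server web service keeps 3DES suites in its default cipher suite string, and Sweet32 (CVE-2016-2183) is about 64-bit block ciphers such as 3DES and Blowfish. The script below is an added example, not code from the thread or from OpenVPN Inc.: it expands an OpenSSL-style cipher suite string with Python's standard `ssl` module, flags any suite whose name denotes a 64-bit block cipher, and shows the hardened string you would put in the web server configuration instead. The cipher strings used as input are constructed for the example, and `harden_cipher_string` is a helper invented here; what it appends (`!3DES:!IDEA`) uses standard OpenSSL cipher-string keywords.

```python
import re
import ssl

# Sweet32 (CVE-2016-2183) affects ciphers with a 64-bit block size. In the
# suite names OpenSSL prints, those are 3DES ("DES-CBC3") and IDEA ("IDEA-CBC").
# "BF-CBC" is the OpenVPN data-channel name for Blowfish that the thread
# mentions; it is not a TLS suite but is matched so the same check can be run
# over an OpenVPN "cipher" directive value.
WEAK_64BIT_BLOCK = re.compile(r"(DES-CBC3|3DES|IDEA-CBC|\bBF-CBC\b)")


def is_64bit_block_cipher(name: str) -> bool:
    """True if a cipher/suite name denotes a 64-bit block cipher (Sweet32 exposure)."""
    return bool(WEAK_64BIT_BLOCK.search(name))


def expand_cipher_string(cipher_string: str) -> list[str]:
    """Return the suite names the local OpenSSL enables for a cipher suite string.

    Mirrors what the web server would actually offer with that string configured.
    Raises ssl.SSLError if no suite matches at all (e.g. a bogus string).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def sweet32_exposed(cipher_string: str) -> list[str]:
    """Suites a scanner would flag for Sweet32 if this cipher string were deployed."""
    return [n for n in expand_cipher_string(cipher_string) if is_64bit_block_cipher(n)]


def harden_cipher_string(cipher_string: str) -> str:
    """Append exclusions for the 64-bit block cipher families (idempotent).

    Hypothetical helper: "!3DES" and "!IDEA" are standard OpenSSL cipher-string
    keywords, so the result is valid input for any OpenSSL-backed web server.
    """
    parts = [p for p in cipher_string.split(":") if p]
    for excl in ("!3DES", "!IDEA"):
        if excl not in parts:
            parts.append(excl)
    return ":".join(parts)


if __name__ == "__main__":
    # Constructed example: a permissive, "compatibility" style string that keeps
    # legacy suites, versus the same string with the 64-bit block ciphers removed.
    permissive = "DEFAULT:!aNULL:!eNULL"
    hardened = harden_cipher_string(permissive)

    print("permissive string offers:", sweet32_exposed(permissive) or "no 64-bit block suites on this OpenSSL build")
    print("hardened string :", hardened)
    print("hardened offers :", sweet32_exposed(hardened) or "nothing Sweet32-relevant")
```

Whether the permissive string actually exposes a 3DES suite depends on the OpenSSL build and its security level (newer builds drop 3DES from `DEFAULT` on their own), which is exactly why checking the expanded list rather than reading the string is the useful test. Once the hardened string is deployed, rerun the scanner that reported the finding; the check here only tells you what the server would offer, not what it currently negotiates.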
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Dec 20, 2017 1:33 pm
Re: Help resolving OpenVPN Access Server Sweet32 Vulnerability
Thanks @novaflash, number 2 fit what I was trying to do and appears to have cleared up the vulnerabilities.