Client won't comply to server settings?

This forum is for admins who are looking to build or expand their OpenVPN setup.


horizn
OpenVpn Newbie
Posts: 9
Joined: Tue Jun 07, 2016 2:50 pm

Client won't comply to server settings?

Post by horizn » Tue Oct 17, 2017 2:57 pm

Hi,
I have a strange situation with OpenVPN on the client side, no matter which platform it is on (Linux, Windows or Android). The problem occurs when there is no (at least):
cipher AES-256-CBC
option defined in the client config file, but it is configured in the server config (then the client won't connect):


Tue Oct 17 14:46:43 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1559'
Tue Oct 17 14:46:43 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Tue Oct 17 14:46:43 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'

...

Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 17 14:46:59 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue Oct 17 14:46:59 2017 Preserving previous TUN/TAP instance: Ethernet 3
Tue Oct 17 14:46:59 2017 Initialization Sequence Completed
Tue Oct 17 14:46:59 2017 MANAGEMENT: >STATE:1508248019,CONNECTED,SUCCESS,10.190.5.6,1.2.3.44430,192.168.52.144,57804
Tue Oct 17 14:47:00 2017 Connection reset, restarting [0]
Tue Oct 17 14:47:00 2017 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 17 14:47:00 2017 MANAGEMENT: >STATE:1508248020,RECONNECTING,connection-reset,,,,,
Tue Oct 17 14:47:00 2017 Restart pause, 5 second(s)
It is of course fine if I add "cipher AES-256-CBC" to the client config, but unfortunately it is not possible to replace hundreds of config files at the moment. Is there any option to force clients to import settings from the server?

Why is it not trying to negotiate better ciphers if the first one won't comply?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client won't comply to server settings?

Post by TinCanTech » Tue Oct 17, 2017 4:08 pm

OpenVPN 2.4 supports negotiate-cipher-parameters, which will always select the best cipher between OpenVPN peers which support it.

OpenVPN 2.3 does not support this and you have to set up compatible ciphers between peers manually.

Please see:
HOWTO: Request Help !

horizn
OpenVpn Newbie
Posts: 9
Joined: Tue Jun 07, 2016 2:50 pm

Re: Client won't comply to server settings?

Post by horizn » Tue Oct 24, 2017 10:19 am

Thank you. Unfortunately, OpenVPN in the Ubuntu 16.04 repo is 2.3.x, but I found that I can switch to the OpenVPN repo and have the 2.4.x version installed:
https://community.openvpn.net/openvpn/w ... twareRepos
However, do you know what will happen if I set up a server on 2.4.4 and leave cipher not configured? Will clients based on the 2.3 branch (Windows/Linux) negotiate AES-256-CBC?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client won't comply to server settings?

Post by TinCanTech » Tue Oct 24, 2017 11:39 am

horizn wrote:
Tue Oct 24, 2017 10:19 am
do you know what will happen if I set up a server on 2.4.4 and leave cipher not configured? Will clients based on the 2.3 branch (Windows/Linux) negotiate AES-256-CBC?
No.
TinCanTech wrote:
Tue Oct 17, 2017 4:08 pm
OpenVPN 2.3 does not support this and you have to set up compatible ciphers between peers manually
In other words: you have to use --cipher AES-256-CBC in the config file.

Note:
If you have not configured --cipher AES-256-CBC in the 2.3 client config file then --cipher BF-CBC (Blowfish) is the default. Blowfish is susceptible to SWEET32 (the client log file has more details).
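As an added illustration (not code from this thread or from the OpenVPN project), the following Python script does two things that follow from TinCanTech's answers above: it parses client log lines for the `'cipher' is used inconsistently` warning and the 64-bit block-cipher warning quoted in the first post, and it audits a client config file for a missing `cipher` line, applying the point that a 2.3 client with no such line falls back to BF-CBC. The sample log lines and sample client config are constructed for the example; the regexes are based on the log format shown in the thread, and the set of ciphers treated as small-block is an assumption.

```python
import re

# Constructed sample input, modelled on the client log quoted in the thread
SAMPLE_LOG = """\
Tue Oct 17 14:46:43 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1559'
Tue Oct 17 14:46:43 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Tue Oct 17 14:46:43 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:47:00 2017 Connection reset, restarting [0]
"""

# Constructed sample client config with no 'cipher' directive (the situation in the thread)
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# cipher intentionally not set
auth SHA1
"""

# Log line shapes taken from the thread's own output
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)', remote='(?P=opt) (?P<remote>[^']*)'"
)
DATA_CHANNEL_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<cipher>[^']+)'")

# 64-bit block ciphers (assumption: the set a defender would treat as SWEET32-prone)
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def analyse_log(text):
    """Summarise cipher-related warnings in an OpenVPN *client* log.

    In a client log, local= is the client's own setting and remote= is what
    the server announced, so a 'cipher' mismatch here means the client config
    lacks (or mis-states) the cipher the server is configured with.
    """
    mismatches = {}        # option -> (local value, remote value)
    data_ciphers = set()   # ciphers actually initialised for the data channel
    sweet32_warning = False
    connection_reset = False
    for line in text.splitlines():
        m = INCONSISTENT_RE.search(line)
        if m:
            mismatches[m["opt"]] = (m["local"], m["remote"])
            continue
        m = DATA_CHANNEL_RE.search(line)
        if m:
            data_ciphers.add(m["cipher"])
        if "INSECURE cipher" in line and "SWEET32" in line:
            sweet32_warning = True
        if "Connection reset" in line:
            connection_reset = True

    findings = []
    if "cipher" in mismatches:
        local, remote = mismatches["cipher"]
        findings.append(f"cipher mismatch: client local={local}, server remote={remote}")
    weak = sorted(data_ciphers & SMALL_BLOCK_CIPHERS)
    if weak or sweet32_warning:
        findings.append("data channel on 64-bit block cipher: " + (", ".join(weak) or "see log"))
    if connection_reset and "cipher" in mismatches:
        findings.append("connection reset following a cipher mismatch; pin the server's cipher in the client config")
    return {"mismatches": mismatches, "data_ciphers": sorted(data_ciphers), "findings": findings}


def audit_client_config(config_text, required_cipher="AES-256-CBC"):
    """Check whether a client config pins the cipher the server is configured with.

    Assumption taken from the thread: an OpenVPN 2.3 client with no 'cipher'
    line uses BF-CBC, so a missing directive is reported as effective BF-CBC.
    """
    effective, explicit = "BF-CBC", False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # both OpenVPN config comment styles
            continue
        parts = line.split()
        if parts[0] == "cipher" and len(parts) >= 2:
            effective, explicit = parts[1], True
    ok = effective == required_cipher
    return {
        "effective_cipher": effective,
        "explicit": explicit,
        "ok": ok,
        "fix": None if ok else f"cipher {required_cipher}",
    }


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG)["findings"]:
        print("LOG:", finding)
    report = audit_client_config(SAMPLE_CLIENT_CONFIG)
    print("CONFIG:", "ok" if report["ok"] else f"add line -> {report['fix']}")
```

Run over a directory of client .ovpn files, `audit_client_config` gives a quick inventory of which of the "hundreds of config files" still lack the `cipher` line, which is the manual fix the thread arrives at for 2.3 clients; `analyse_log` is the same check applied after the fact to a client log, so a reset that follows a cipher mismatch is not mistaken for a network problem.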
