We have a large deployment all currently at 2.3.18. It consists of 4 servers (Linux) and greater than 2000 clients (Windows 10/7/XP -- I know, I know, please bear with me). All auth is by certificates and CCDs. This system has worked quite well for more than a decade. But it is time to upgrade.
Now I am faced with a quandary. I can easily upgrade all 4 servers at once. But upgrading the 2000+ clients (and any changes to their .ovpn files) will take a little time -- spread out at approx 100 per day. So in order not to lose connectivity, I have to make sure the new 2.6+ server will still connect to all older clients (we're talking BF-CBC) and then also connect to clients as they are upgraded to 2.6+. Or else, start by upgrading the clients to 2.6+ first and adjust them so they'll connect to the old 2.3.18 servers. Then have everything still work when I upgrade the servers later.
Reading through the docs, and playing with our dev environment, I was able to make a new client connect to the old server with --cipher AES-256-CBC on both. And vice versa. But if I did that, then pre-upgraded clients (BF-CBC) would lose connection. If I tried to add BF-CBC to a list of ciphers on 2.6+, it would fail with "not supported".
Can anyone recommend any settings or a step-by-step workflow that would work with this scenario with minimal downtime?
On Upgrading 2.3.18 to 2.6+
Re: On Upgrading 2.3.18 to 2.6+
This is actually in the FAQ section of the release notes for 2.6.0:
https://github.com/OpenVPN/openvpn/blob ... hanges.rst
Use of a legacy or deprecated cipher (e.g. 64bit block ciphers)
OpenSSL 3.0 no longer supports a number of insecure and outdated ciphers in its default configuration. Some of these ciphers are known to be vulnerable (SWEET32 attack).
This will typically manifest itself in messages like:
OpenSSL: error:0308010C:digital envelope routines::unsupported
Cipher algorithm 'BF-CBC' not found
Unsupported cipher in --data-ciphers: BF-CBC
If your OpenSSL distribution comes with the legacy provider (see also man OSSL_PROVIDER-legacy), you can load it with --providers legacy default. This will re-enable the old algorithms.
Re: On Upgrading 2.3.18 to 2.6+
--SOLVED--
What finally solved this was adding these lines to the server-side ovpn (running 2.6.4):
providers legacy default
data-ciphers-fallback BF-CBC
compat-mode 2.3.18
Now the 2.6.4 server will connect with either 2.6+ or 2.3.18 clients. Once all clients are upgraded to 2.6+, I will remove those lines.
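The server-side fallback above only needs to stay as long as some client can offer nothing but BF-CBC. As an added example (not the poster's code or anything shipped with OpenVPN), the script below audits a batch of client .ovpn files and counts how many still depend on the legacy cipher, so the "providers legacy default" / "data-ciphers-fallback BF-CBC" lines can be removed once that count hits zero. It assumes the 2.3 behaviour that a client with no "cipher" line uses the default BF-CBC, and that the server already lists AES-256-CBC in its data-ciphers; the sample configs are constructed.

```python
"""Audit client .ovpn files: who still depends on the BF-CBC fallback?"""
import re

# OpenVPN 2.3 clients with no "cipher" line use the built-in default, BF-CBC.
LEGACY_DEFAULT = "BF-CBC"


def client_cipher_profile(ovpn_text):
    """Return (ciphers, upgraded) for one client config.

    ciphers  - set of data-channel ciphers the client can offer
    upgraded - True if the file already uses 2.5+/2.6 "data-ciphers" syntax
    """
    ciphers, upgraded = set(), False
    for line in ovpn_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        m = re.match(r"^(?:--)?data-ciphers\s+(\S+)", line)
        if m:
            upgraded = True
            ciphers.update(c.upper() for c in m.group(1).split(":"))
            continue
        m = re.match(r"^(?:--)?cipher\s+(\S+)", line)
        if m:
            ciphers.add(m.group(1).upper())
    if not ciphers:                          # no cipher at all -> 2.3 default
        ciphers.add(LEGACY_DEFAULT)
    return ciphers, upgraded


def needs_fallback(ovpn_text):
    """True when this client can only talk BF-CBC (SWEET32-affected)."""
    ciphers, _ = client_cipher_profile(ovpn_text)
    return ciphers == {LEGACY_DEFAULT}


def rollout_report(configs):
    """Bucket clients; the server's fallback lines can go when legacy == 0."""
    report = {"legacy": 0, "aes_capable": 0, "upgraded": 0}
    for text in configs.values():
        ciphers, upgraded = client_cipher_profile(text)
        if upgraded:
            report["upgraded"] += 1
        elif needs_fallback(text):
            report["legacy"] += 1
        else:
            report["aes_capable"] += 1
    return report


# Constructed sample client configs (hypothetical file names, not real ones).
SAMPLE_CLIENTS = {
    "pc-0001.ovpn": "client\nremote vpn.example.com 1194\n# no cipher line\n",
    "pc-0002.ovpn": "client\ncipher BF-CBC\n",
    "pc-0003.ovpn": "client\ncipher AES-256-CBC\n",
    "pc-0004.ovpn": "client\ndata-ciphers AES-256-GCM:AES-256-CBC\n",
}
```

Run it over the real client directory by loading each file's text into the dict; rollout_report(SAMPLE_CLIENTS) gives {'legacy': 2, 'aes_capable': 1, 'upgraded': 1} for the samples.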