Page 1 of 1
Missing ciphers: How to add a new one?
Posted: Wed Mar 06, 2013 4:55 pm
by Anton
Hi,
I'm newbie with openvpn.
I miss some ciphers inside openvpn despite openssl shows them. Why openvpn don't recognize the rest of ciphers?
How can I add Camellia to openvpn?. Is there some tutorial or help?.
this is what OpenSSL v0.9.8e and OpenVPN v2.0 show me:
Code: Select all
#openssl -h
openssl:Error: 'c-h' is an invalid command.
...
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40
Code: Select all
#openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended.
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
any help would be appreciated.
thanks so much,
Re: Missing ciphers: How to add a new one?
Posted: Thu Mar 07, 2013 4:20 am
by IncreasedSecurity
I'd suggest upgrading to a newer version of OpenVPN - 2.0.0 is very old. We've got various 2.1.x's, 2.2.x's, and 2.3.0 all available now. Even Debian 6 (Squeeze) stable is on OpenVPN 2.2.1!
On Windows, at least, Openvpn installs its own local OpenSSL copy, which is often a different version than the one in the system path - I'm now sure how it works on Linux.
If you get any of the GCN ciphers working, please let us know!
Re: Missing ciphers: How to add a new one?
Posted: Fri Mar 08, 2013 4:19 am
by Anton
I think there is not special version of openssl in the tar.gz. When openvpn starts to compile there is an include of system file /usr/include/openssl/evp.h. Here there are the constants of the cyphers of my system. I have Camellia, so I don't understand why this is not included in the compilation.
Is there another issue affecting this inclusion? What it can be?
Is there an openvpn able to include all cyphers of openssl?
Code: Select all
#/usr/include/openssl/evp.h,
#...
#ifndef OPENSSL_NO_CAMELLIA
const EVP_CIPHER *EVP_camellia_128_ecb(void);
const EVP_CIPHER *EVP_camellia_128_cbc(void);
const EVP_CIPHER *EVP_camellia_128_cfb1(void);
const EVP_CIPHER *EVP_camellia_128_cfb8(void);
const EVP_CIPHER *EVP_camellia_128_cfb128(void);
# define EVP_camellia_128_cfb EVP_camellia_128_cfb128
const EVP_CIPHER *EVP_camellia_128_ofb(void);
const EVP_CIPHER *EVP_camellia_192_ecb(void);
const EVP_CIPHER *EVP_camellia_192_cbc(void);
const EVP_CIPHER *EVP_camellia_192_cfb1(void);
const EVP_CIPHER *EVP_camellia_192_cfb8(void);
const EVP_CIPHER *EVP_camellia_192_cfb128(void);
# define EVP_camellia_192_cfb EVP_camellia_192_cfb128
const EVP_CIPHER *EVP_camellia_192_ofb(void);
const EVP_CIPHER *EVP_camellia_256_ecb(void);
const EVP_CIPHER *EVP_camellia_256_cbc(void);
const EVP_CIPHER *EVP_camellia_256_cfb1(void);
const EVP_CIPHER *EVP_camellia_256_cfb8(void);
const EVP_CIPHER *EVP_camellia_256_cfb128(void);
# define EVP_camellia_256_cfb EVP_camellia_256_cfb128
const EVP_CIPHER *EVP_camellia_256_ofb(void);
#endif
thanks!
Re: Missing ciphers: How to add a new one?
Posted: Fri Mar 08, 2013 5:45 am
by IncreasedSecurity
Hmm... I just checked some machines, all of which have openssl and openvpn installed from the package managers (Synaptic/apt) from normal Debian repositories.
OpenVPN 2.2.1 on Debian 6 (Squeeze), with OpenSSL 0.9.8o, only shows the older ciphers - no Camellia, GCM, or EC.
OpenVPN 2.2.1 on Debian 7 (Wheezy) with OpenSSL 1.0.1e does show Camellia, GCM mode AES, and EC ciphers.
Re: Missing ciphers: How to add a new one?
Posted: Fri Mar 08, 2013 5:59 am
by Anton
Many thanks for your comments.
I have updated Openvpn from CentOS RPMforge repositories, and there is the same issue:
Is this normal?
Code: Select all
OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012
/usr/sbin/openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended.
DES-CFB 64 bit default key (fixed)
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable)
RC2-OFB 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed)
DES-EDE-CFB 128 bit default key (fixed)
DES-EDE3-CFB 192 bit default key (fixed)
DES-EDE-OFB 128 bit default key (fixed)
DES-EDE3-OFB 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
BF-OFB 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable)
CAST5-OFB 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed)
AES-128-CFB 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed)
AES-192-CFB 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed)
AES-256-CFB 256 bit default key (fixed)
AES-128-CFB1 128 bit default key (fixed)
AES-192-CFB1 192 bit default key (fixed)
AES-256-CFB1 256 bit default key (fixed)
AES-128-CFB8 128 bit default key (fixed)
AES-192-CFB8 192 bit default key (fixed)
AES-256-CFB8 256 bit default key (fixed)
DES-CFB1 64 bit default key (fixed)
DES-CFB8 64 bit default key (fixed)
Re: Missing ciphers: How to add a new one?
Posted: Sat Mar 09, 2013 6:49 am
by Anton
well, I'm not sure of what happens... I have reviewed all my libraries and updating Crypto++, and testing the new 2.3 version. No results.
I'm not a C programmer and I have the doubt if
there is some relation with Kerberos.
I have read
Kerberos v5 doesn't have support for Camellia despite it appears
in the RFC. I have found
some complaints about this.
Not sure if this is the reason but updating kerberos is not easy to me. Perhaps it would be solved upgrading my CentOS 5x or changing the distro. I don't know really.
Maybe kerberos is not the cause. Anyway, I'm bored of searching a solution for this issue. There is not support although it is a bug noticed 2 years ago:
https://community.openvpn.net/openvpn/ticket/89
topic8007.html?hilit=camellia
still not solved.
thanks anyway for those useful comments on Debian, it is an alternative from a Virtual Machine.
.
Re: Missing ciphers: How to add a new one?
Posted: Sat Mar 09, 2013 9:58 pm
by IncreasedSecurity
I'm afraid that I am unable to help on a CentOS project.
Debian 6 and 7 do have working OpenVPN installations, and you could also run a pfSense VM (FreeBSD based) and use that for OpenVPN and perhaps other features.
Good luck - if you ever get it fixed, drop a post!
Re: Missing ciphers: How to add a new one?
Posted: Mon Mar 11, 2013 4:13 am
by Douglas
I know its bad to say because it makes me look bad but i use pfsense often for quick-n-dirty VPN's and it works great.