Some ciphers not working with OpenVPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
marssi
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 26, 2011 8:43 am

Some ciphers not working with OpenVPN

Post by marssi » Tue Apr 26, 2011 9:32 am

Hi,

I have a problem with some of the ciphers with OpenVPN. When trying to run command

Code: Select all

openvpn --secret ta.key --cipher ${a} --test-crypto
where a is some of the ciphers it fails. If it fails the message seems to be the same.

Code: Select all

OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Apr 12 2011
OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Apr 12 2011
Entering OpenVPN crypto self-test mode.
TESTING ENCRYPT/DECRYPT of packet length=1
Assertion failed at crypto.c:162
Exiting
My command for testing all the ciphers was

Code: Select all

for a in $(openvpn --show-ciphers|sed '1,7d;$d;s/\(\([^ ]*\) \)\{1\}.*/\2/;'|tr '\n' ' '); do openvpn --secret ta.key --cipher ${a} --test-crypto &>/dev/null ||echo ${a}; done
There probably would be some simpler method if anyone would want to share.

The list of failing ciphers is the following, they mostly seem to be using CFB or OFB mode. They all work for me with openssl, which I tested with the command

Code: Select all

for a in $(openvpn --show-ciphers|sed '1,7d;$d;s/\(\([^ ]*\) \)\{1\}.*/\2/;'|tr '\n' ' '); do openssl speed -evp $a &> /dev/null || echo $a; done
  • DES-CFB
    RC2-CFB
    RC2-OFB
    DES-OFB
    DES-EDE-CFB
    DES-EDE3-CFB
    DES-EDE-OFB
    DES-EDE3-OFB
    BF-CFB
    BF-OFB
    CAST5-CFB
    CAST5-OFB
    AES-128-OFB
    AES-128-CFB
    AES-192-OFB
    AES-192-CFB
    AES-256-OFB
    AES-256-CFB
    AES-128-CFB1
    AES-192-CFB1
    AES-256-CFB1
    AES-128-CFB8
    AES-192-CFB8
    AES-256-CFB8
    DES-CFB1
    DES-CFB8
    DES-EDE3-CFB1
    DES-EDE3-CFB8
    CAMELLIA-128-CFB
    CAMELLIA-192-CFB
    CAMELLIA-256-CFB
    CAMELLIA-128-CFB1
    CAMELLIA-192-CFB1
    CAMELLIA-256-CFB1
    CAMELLIA-128-CFB8
    CAMELLIA-192-CFB8
    CAMELLIA-256-CFB8
    CAMELLIA-128-OFB
    CAMELLIA-192-OFB
    CAMELLIA-256-OFB
    SEED-OFB
    SEED-CFB
The following ciphers work, they all seem to using the CBC mode.
  • AES-128-CBC
    AES-192-CBC
    AES-256-CBC
    BF-CBC
    CAMELLIA-128-CBC
    CAMELLIA-192-CBC
    CAMELLIA-256-CBC
    CAST5-CBC
    DES-CBC
    DES-EDE-CBC
    DES-EDE3-CBC
    DESX-CBC
    RC2-40-CBC
    RC2-64-CBC
    RC2-CBC
    SEED-CBC
Some of the used software is.
  • Kernel 2.6.38
    OpenSSL 1.0.0d
    OpenVPN 2.1.3
Does any one have an idea why some ciphers are failing and how to get them to work with OpenVPN?
Top
User avatar
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:
Contact janjust

Re: Some ciphers not working with OpenVPN

Post by janjust » Tue Apr 26, 2011 10:13 am

Hi,

thanks for your report; this was already reported as a bug:
https://community.openvpn.net/openvpn/ticket/89
I've added your info to the ticket. We'll have to wait for the developers to see what the right solution is; I tried fiddling with the cipher code myself but could never get it to work. Getting past the 'assert failed' error was easy, but a full-blown --test-crypto test was harder to do.
Top
marssi
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 26, 2011 8:43 am

Re: Some ciphers not working with OpenVPN

Post by marssi » Tue Apr 26, 2011 10:51 am

Hi Jan,

Thanks for the fast reply. I looked at the report and added some information to the bug report. I tested the ciphers with the 2.2 series and with my testing the CFB and OFB modes failed. I also tested the 1.6 version but it didn't have OFB nor CFB modes available for me.
Top
Post Reply

Return to “Server Administration”