Project

General

Profile

Actions

Todo #13255

closed

Set PKCS#12 algorithm when exporting OpenVPN ZIP or Windows bundles

Added by Jim Pingle over 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
OpenVPN Client Export
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:

Description

Currently when crafting a PKCS#12 archive the OpenVPN Client Export package does not set a specific encryption algorithm, so it ends up using the current default in OpenSSL 1.1.1 which is RC2. OpenSSL 3.0 is dropping support for RC2, and given its weakness we should be exporting using something stronger anyhow.

The package should set AES-256 by passing -certpbe AES-256-CBC -keypbe AES-256-CBC when creating the PKCS#12 file, perhaps with an option to omit them so it uses the old algorithms for legacy clients.


Related issues

Related to Todo #13917: OpenVPN Client Export: Integrate OpenVPN 2.6.0ResolvedJim Pingle

Actions
Actions #1

Updated by Jim Pingle over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Thomas Ward almost 2 years ago

Jim Pingle wrote:

Currently when crafting a PKCS#12 archive the OpenVPN Client Export package does not set a specific encryption algorithm, so it ends up using the current default in OpenSSL 1.1.1 which is RC2. OpenSSL 3.0 is dropping support for RC2, and given its weakness we should be exporting using something stronger anyhow.

The package should set AES-256 by passing -certpbe AES-256-CBC -keypbe AES-256-CBC when creating the PKCS#12 file, perhaps with an option to omit them so it uses the old algorithms for legacy clients.

Borrowing from comments/logs in #13257 but, could we do something similar here to what was done for general PKCS#12 exports?

Added an option to change the encryption level to high (AES-256+SHA256), low (3DES+SHA1), and legacy (RC2-40 + SHA1). Most things non-macOS are good with "high", and macOS is happy with "low". Anything even older can use "legacy".

This way, we can still use the "lower" security that is required/present for "older" things (a-la Macs) and default to "high" unless selected by admin/exporter in the UI.

Actions #4

Updated by Jim Pingle almost 2 years ago

That is part of the plan, see #13917

Actions #5

Updated by Jim Pingle almost 2 years ago

  • Related to Todo #13917: OpenVPN Client Export: Integrate OpenVPN 2.6.0 added
Actions #6

Updated by Jim Pingle over 1 year ago

  • Status changed from New to In Progress
Actions #7

Updated by Jim Pingle over 1 year ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Included in OpenVPN client export package 1.9. Will be in snapshots for testing, then release branches if it tests OK.

Actions #8

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

This has been available for Plus 23.05.1 and CE 2.7.0 for several days with no reports of trouble.

We can open new issues as needed should problems arise.

Actions

Also available in: Atom PDF