Todo #14686

closed

Check for deprecated OpenVPN encryption and digest options on upgrade

Added by Jim Pingle 11 months ago. Updated 8 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Default

Description

OpenSSL 3.x deprecated several algorithms for encryption and digest.

Encryption algorithms removed from OpenVPN:

  • ARIA
  • Blowfish (e.g. BF-CBC), which was formerly an OpenVPN default
  • CAST5
  • DES
  • DESX
  • IDEA
  • RC2
  • RC5
  • SEED
  • SM4

Hash algorithms removed from OpenVPN:

  • MD4
  • MDC2
  • SM3
  • Whirlpool

On upgrade these should be removed and replaced with a stronger default.

Deprecated encryption options should be removed and replaced with valid options. In the interest of compatibility, we can replace these with the current recommended defaults, rather than disabling the tunnel and forcing the user to correct the options manually.

If there are no valid ciphers remaining in the data_ciphers list, replace it with AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305.

If data_ciphers_fallback is using a deprecated value, replace it with AES-256-CBC.

If digest is using an invalid value, replace it with SHA256.

Notify the user if any changes are made, similar to what was done for IPsec in the past (see upgrade_227_to_228()).

We also need to check if the certificate is using a weak digest, but that's in issue #14677, though it may be lumped into the same upgrade code function.

N.B. Though in theory using the legacy provider may allow these weak algorithms to function, it's past time to retire them, and if someone wants to dig into doing that in custom options, that's left as an exercise for the reader. We shouldn't add support for that into the GUI or backend.
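The replacement rules described above, sketched as an added Python example for auditing settings before an upgrade; it is not the project's upgrade code. The function names, the dictionary layout, the sample values, matching a cipher by its first name token, and reading "invalid" digest as the removed hashes listed above are all assumptions of this example.

```python
# Added example: algorithm families and replacement defaults as listed in the issue.
DEPRECATED_CIPHER_FAMILIES = {"ARIA", "BF", "CAST5", "DES", "DESX",
                              "IDEA", "RC2", "RC5", "SEED", "SM4"}
DEPRECATED_DIGESTS = {"MD4", "MDC2", "SM3", "WHIRLPOOL"}
DEFAULT_DATA_CIPHERS = "AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305"
DEFAULT_FALLBACK = "AES-256-CBC"
DEFAULT_DIGEST = "SHA256"


def cipher_is_deprecated(name):
    # Assumption: the family is the first '-'-separated token (BF-CBC -> BF).
    # Triple-DES names (DES-EDE3-*) would also match DES; the issue does not address them.
    return name.strip().upper().split("-")[0] in DEPRECATED_CIPHER_FAMILIES


def migrate_openvpn_settings(settings):
    """Return (new_settings, notices) for one OpenVPN instance; input is not modified."""
    new, notices = dict(settings), []

    ciphers = [c.strip() for c in settings.get("data_ciphers", "").split(",") if c.strip()]
    kept = [c for c in ciphers if not cipher_is_deprecated(c)]
    if kept != ciphers:
        removed = [c for c in ciphers if cipher_is_deprecated(c)]
        # Nothing valid left after filtering -> use the recommended list instead.
        new["data_ciphers"] = ",".join(kept) if kept else DEFAULT_DATA_CIPHERS
        notices.append("data_ciphers: removed %s, now %s"
                       % (",".join(removed), new["data_ciphers"]))

    fallback = settings.get("data_ciphers_fallback", "")
    if fallback and cipher_is_deprecated(fallback):
        new["data_ciphers_fallback"] = DEFAULT_FALLBACK
        notices.append("data_ciphers_fallback: %s replaced with %s"
                       % (fallback, DEFAULT_FALLBACK))

    digest = settings.get("digest", "")
    if digest.strip().upper() in DEPRECATED_DIGESTS:
        new["digest"] = DEFAULT_DIGEST
        notices.append("digest: %s replaced with %s" % (digest, DEFAULT_DIGEST))
    return new, notices


if __name__ == "__main__":
    # Constructed sample, not taken from a real configuration.
    legacy = {"data_ciphers": "BF-CBC,AES-256-GCM",
              "data_ciphers_fallback": "BF-CBC", "digest": "MD4"}
    migrated, notes = migrate_openvpn_settings(legacy)
    print(migrated)
    for note in notes:
        print("NOTICE:", note)
```

The returned notices list is what would feed the user notification the issue asks for; an empty list means the instance needed no changes.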

