Off topic: OpenVPN

Jan Dušátko jan at dusatko.org
Sat Oct 25 01:33:18 CEST 2014


-SSLv2:-SSLv3:+TLSv1:+TLSv11:+TLSv12:+TLSv13:-aNULL:-eNULL:-MD5:-RC2:-RC4:-EXPORT40:-EXP

/usr/local/bin/openssl ciphers -v -tls1 "!aNULL:!eNULL:!MD5:!RC2:!RC4:!EXPORT40:!EXP"

drupal6-cck-6.x.2.8_1 conflicts with drupal6-token-6.x.1.12_1 (installs
files into the same place).  Problematic file:
/usr/local/www/drupal6/sites/all/modules/translations/es.po



portmaster -df www/drupal6-cck www/drupal6-ckeditor
www/drupal6-content_access www/drupal6-chaos www/drupal6-geshifilter
www/drupal6-google_analytics www/drupal6-image www/drupal6-imce
www/drupal6-menu_block www/drupal6-mimedetect www/drupal6-nice_menus
www/drupal6-nodewords www/drupal6-page_title www/drupal6-panels
www/drupal6-path_redirect www/drupal6-pathauto www/drupal6-print
www/drupal6-seo_checklist www/drupal6-services www/drupal6-tagadelic
www/drupal6-views www/drupal6-webform www/drupal6-wysiwyg
www/drupal6-zeropoint 




Hi,
I apologize, because what I describe here is only marginally related to
FreeBSD and mainly concerns OpenVPN vs. OpenSSL.
1) While modifying the system I ran into a problem where, after recompiling,
it still returned the wrong set from OpenSSL. The cause was simple. The
system has OpenSSL 0.9.8 integrated, while ports has 1.0.1 ... I should have
read UPDATES. It was necessary to set the variable WITH_OPENSSL_PORT=YES in
/etc/make.conf, and the first part resolved "itself" after recompiling.
2) The main reason for the activity described above was configuring OpenVPN.
In the past I used AES-256-CBC+SHA1, together with a certificate from a CA.
Given the recent fuss around OpenSSL I was going over older things; besides
disabling compression (to which it seems a modification of the CRIME attack
can be applied), I also wanted to avoid CBC mode (here I am not sure whether
it is really vulnerable to the BEAST attack, but by all accounts it is,
with difficulty, but still). In addition, SHA1 is already somewhat behind.
As for key size, with AES-256 it is a quarter slower than AES-128 on a 1 KB
block.
After recompiling I tried the settings
   openvpn --show-tls
   openvpn --show-ciphers 
   openvpn --show-digests 
and found a suitable group of algorithms
   TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
   TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
   TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
   TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
   TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
   TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
   TLS-RSA-WITH-AES-256-GCM-SHA384
   TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
   TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
   TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
   TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
   TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
   TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
   TLS-RSA-WITH-AES-128-GCM-SHA256

Intended configuration:
   daemon
   ping-timer-rem
   persist-tun
   persist-key
   local                   server
   port                    1194
   dev                     tun
   proto                   tcp-server
   server                  192.168.0.0 255.255.255.0
   ifconfig-pool-persist   ipp.txt
   push                    "dhcp-option DNS 10.0.0.1"
   push                    "dhcp-option WINS 10.0.0.1"
   push                    "dhcp-option DOMAIN vpn.domena"
   push                    "dhcp-option NBDD 10.0.0.1"
   push                    "dhcp-option NTP 10.0.0.1"
   push                    "dhcp-option NBS 8"
   client-config-dir       ccd
   client-to-client
   max-clients             16
   ca                      /etc/ssl/certs/CA/cacert.crt
   cert                    /etc/ssl/certs/server/openvpn.crt
   key                     /etc/ssl/certs/server/openvpn.key
   dh                      /etc/ssl/certs/dh4096.pem
   tls-auth                static.key
   comp-lzo                no
   keepalive               10 300
   #cipher                  AES-128-GCM
   auth                    SHA256
   tls-cipher              TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
   verb                    2
   status                  /var/log/openvpn/status.log
   log                     /var/log/openvpn/openvpn.log
   log-append              /var/log/openvpn/openvpn.log
   mute                    64

Questions:
1) Why does openvpn report the following to me, even though the above is
available in OpenSSL 1.0.1? It seems that cipher does not support Galois
mode, but tls-cipher does.
library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Cipher algorithm 'AES-128-GCM' not found (OpenSSL)

2) I am trying to make sense of this, so I would like to ask someone. Does
OpenVPN do double encryption?
- one layer via the cipher directive
- transport via tls-cipher

3) A related question: has anyone tried implementing the above and has an
overview of client support? Where it is possible to install an OpenSSL
client it should not be a problem ... hopefully. But Android reportedly has
a problem with Camellia etc.

Thanks

Honza
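
An added example, not part of the original post and not OpenVPN's own code: a small Python check that parses a config like the one above and reports the points the post is concerned with (compression, a CBC or unset `cipher`, SHA1 as `auth`, non-GCM `tls-cipher` suites). The finding names, the sample strings and the extra forward-secrecy check on `tls-cipher` are assumptions added here; `cipher` and `auth` configure the data channel, `tls-cipher` the TLS control channel.

```python
import shlex

# Constructed sample: the security-relevant directives from the posted config.
SAMPLE = "comp-lzo\t   no\n#cipher   AES-128-GCM\nauth   SHA256\n" \
         "tls-cipher\t\t TLS-DHE-RSA-WITH-AES-128-GCM-SHA256\n"
# Constructed sample: the older setup the post mentions (AES-256-CBC + SHA1).
LEGACY = "comp-lzo\ncipher AES-256-CBC\nauth SHA1\n" \
         "tls-cipher TLS-RSA-WITH-AES-256-CBC-SHA\n"


def parse_directives(text):
    """Map directive -> argument list; '#' and ';' comment lines are skipped.
    A repeated directive (e.g. push) keeps only its last occurrence."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def first_arg(directives, name, default=None):
    """First argument of a directive, or default if absent or bare."""
    args = directives.get(name)
    return args[0] if args else default


def audit(text):
    """Return finding codes (hypothetical names) in the order checked."""
    d = parse_directives(text)
    findings = []
    # comp-lzo without an argument, or with anything but "no", compresses.
    if "comp-lzo" in d and first_arg(d, "comp-lzo") != "no":
        findings.append("compression-enabled")
    cipher = first_arg(d, "cipher")
    if cipher is None:
        findings.append("cipher-not-set")  # the build's default cipher applies
    elif cipher.upper().endswith("-CBC"):
        findings.append("cipher-cbc")
    # OpenVPN's default HMAC digest is SHA1 when "auth" is absent.
    if first_arg(d, "auth", "SHA1").upper() in ("SHA1", "MD5"):
        findings.append("auth-weak-digest")
    for suite in filter(None, first_arg(d, "tls-cipher", "").split(":")):
        if "-GCM-" not in suite:
            findings.append("tls-not-gcm:" + suite)
        if not suite.startswith(("TLS-DHE-", "TLS-ECDHE-")):
            findings.append("tls-no-forward-secrecy:" + suite)
    return findings
```

Run against the posted directives it reports only `cipher-not-set`, because the `cipher` line is commented out and the data channel then uses whatever default the installed OpenVPN build has.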





