Hi,

On Fri, Nov 04, 2016 at 02:03:02PM +1300, Jason Haar wrote:
> Am I correct that to move off Blowfish cipher, we'll have to reconfigure
> the openvpn servers and clients simultaneously? The server and clients
> don't currently have "cipher" defined, but the newer clients are generating
> those "cipher" warnings.
> 
> Also, am I correct that "cipher" cannot be used within a "<connection>"
> block? ie there's no way to migrate - it has to be a "hard" outage.
> 
> I'm just wondering how other people do it. I can't see any way out of this
> other than bringing up entirely independent server infrastructure, so that
> the new clients can use the new servers while the old clients migrate.

This would be one approach.  

The other would be to live with the warning message until you can roll 
out 2.4, which will be able to handle per-client ciphers, AND will 
auto-upgrade 2.4 clients to AES-256-GCM.  I've done this on one of our
servers yesterday (2.4_alpha2 on the server), and all the iOS and Android
clients already are on AES now...


As long as you are not using 2-factor authentication (or --auth-nocache
in the client configs), the changes in 2.3.13 should not cause any serious
annoyance - it will renegotiate keys every 64MB of transferred data,
which will happen without "service interruption".  The only issue is
if you use 2FA (or other credentials which can only be used once), because
then your clients will have to re-enter their username+password every
64MB, which is seriously annoying.  In that case, it's a bit complicated
- either you accept the risk of SWEET32 and configure 
"--reneg-bytes 1000000000" ("some big number"), on client and server
(because this cannot be pushed), or have to move to a new server with
a different "--cipher" in the config.

Apologies for the inconvenience...  this is why we have cipher negotiation
and AEAD in 2.4...

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
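As an added illustration of the situation described in this thread (example code written for this page, not part of Gert's reply or of the OpenVPN project), the script below audits OpenVPN config files for the conditions discussed: a missing "cipher" line (so the 2.3 default BF-CBC applies), a 64-bit-block cipher that triggers the 2.3.13 forced renegotiation every 64MB, "auth-nocache" which turns each renegotiation into a credential prompt, and a "reneg-bytes" value raised above 64MB, which accepts the SWEET32 risk. The block-size table and the three sample configs are constructed for the example; 2FA cannot be inferred from a config file, so only "auth-nocache" is checked.

```python
"""Audit OpenVPN configs for the BF-CBC / SWEET32 conditions discussed above.

Added example, not OpenVPN project code. Assumptions: the cipher-family table
below and the sample configs at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional

# Block size in bits by cipher family (the part of the name before the first '-').
# 64-bit block ciphers are the ones affected by SWEET32.
BLOCK_BITS = {
    "BF": 64, "DES": 64, "CAST5": 64, "IDEA": 64, "RC2": 64,
    "AES": 128, "CAMELLIA": 128, "SEED": 128,
}
DEFAULT_CIPHER = "BF-CBC"               # OpenVPN 2.3 default when "cipher" is absent
SWEET32_RENEG_BYTES = 64 * 1024 * 1024  # 2.3.13 forces a renegotiation at this volume


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Collect top-level directives as {name: [args, ...]}.

    Lines inside <connection>...</connection> (or any other inline block) are
    skipped; "cipher" and "reneg-bytes" are top-level directives anyway.
    Lines starting with '#' or ';' are comments.
    """
    directives: Dict[str, List[List[str]]] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def effective_cipher(directives: Dict[str, List[List[str]]]) -> str:
    """Last 'cipher' directive wins; with none present the 2.3 default applies."""
    entries = directives.get("cipher")
    if entries and entries[-1]:
        return entries[-1][0]
    return DEFAULT_CIPHER


def block_bits(cipher: str) -> Optional[int]:
    """Block size for a cipher name such as 'BF-CBC' or 'AES-256-GCM' (None if unknown)."""
    return BLOCK_BITS.get(cipher.split("-")[0].upper())


def audit(text: str) -> dict:
    """Return the effective cipher, its block size, reneg-bytes, and a list of findings."""
    d = parse_directives(text)
    cipher = effective_cipher(d)
    bits = block_bits(cipher)
    reneg = int(d["reneg-bytes"][-1][0]) if d.get("reneg-bytes") else None
    findings: List[str] = []
    if "cipher" not in d:
        findings.append(f"no 'cipher' directive: default {DEFAULT_CIPHER} applies")
    if bits == 64:
        findings.append(f"{cipher} has a 64-bit block (SWEET32); 2.3.13 renegotiates every 64MB")
        if "auth-nocache" in d:
            findings.append("auth-nocache set: every forced renegotiation re-prompts for credentials")
        if reneg is not None and reneg > SWEET32_RENEG_BYTES:
            findings.append(f"reneg-bytes {reneg} raised above 64MB: SWEET32 risk accepted")
    return {"cipher": cipher, "block_bits": bits, "reneg_bytes": reneg, "findings": findings}


# Constructed sample configs (not real deployments).
OLD_CLIENT = """# 2.3-era client: no cipher line, so BF-CBC is in effect
client
dev tun
<connection>
remote vpn.example.invalid 1194 udp
</connection>
auth-user-pass
auth-nocache
"""
PATCHED_CLIENT = OLD_CLIENT + "reneg-bytes 1000000000\n"   # the workaround from the thread
NEW_CLIENT = """# migrated client: explicit AEAD cipher, no nocache
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth-user-pass
"""

if __name__ == "__main__":
    for label, cfg in (("old", OLD_CLIENT), ("patched", PATCHED_CLIENT), ("new", NEW_CLIENT)):
        report = audit(cfg)
        print(f"[{label}] cipher={report['cipher']} block={report['block_bits']} bits")
        for finding in report["findings"]:
            print("   -", finding)
```

Running it over the three samples shows the old client with three findings, the "reneg-bytes 1000000000" variant with a fourth noting the accepted risk, and the migrated AES-256-GCM client with none; pointing the same function at real client and server configs gives a quick inventory of which hosts still need the coordinated change to a new cipher.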

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
