Hello,

I have a rather large installation with 2.4.9 clients connecting to 2.4.4 
servers. Servers and clients use the default cipher and ncp-cipher settings, 
which point to BF-CBC and AES-256-GCM:AES-128-GCM respectively, according to 
the documentation.
The cipher negotiation works in most cases by selecting AES-256-GCM. So far so 
good; however, in very rare cases the following warning appears:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This 
allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block 
size (e.g. AES-256-CBC).

Somehow BF-CBC seems to be used, even though NCP should select AES-256-GCM. 
Sadly, I cannot provide more insight, because as soon as I want to increase the 
verbosity and restart the affected client, the warning disappears and the 
client connects with AES-256-GCM. Enabling verb 4 on all clients as a 
precaution is not feasible. I am not yet able to reproduce the behavior in a 
lab setup.

What could cause a client (or server?) to suddenly fall back to BF-CBC even 
when NCP is enabled? The clients are MIPS and ARMv5 machines whereas the 
servers run ordinary x86_64. Updating to 2.5 is not an option right now.
I was wondering if there is some magic happening in edge cases during 
negotiation (e.g. losing a specific packet, firewall, proxy (I use TCP 
transport)). Does anybody have more insight into how the cipher negotiation works 
in detail?

Best regards,

Marc Lasch
