[Ach] OpenVPN and ACH

Reed Loden reed at reedloden.com
Thu Feb 19 20:47:58 CET 2015


> # Enable compression on the VPN link.
> # If you enable it here, you must also
> # enable it in the client config file.
> comp-lzo

Why are you enabling compression on an SSL link? That possibly makes you
vulnerable to things like CRIME.

Again, another reason why ACH needs a thoroughly-researched OpenVPN
hardening section rather than just ignoring it because it doesn't support AEAD.
People will do the wrong thing, so let's give them the best possible
options/config to use in OpenVPN's current state.

~reed

On Thu, Feb 19, 2015 at 7:56 AM, Aaron Zauner <azet at azet.org> wrote:

>
>
> Aaron Zauner wrote:
> > Hi,
> >
> > L. Aaron Kaplan wrote:
> >> No, I disagree. Not mentioning OpenVPN and the issues you are seeing
> >> makes the guide *weaker* than having it in there with *clear* warnings.
> >> Why? Because people will use OpenVPN *anyway*.
> >> No matter if you remove the OpenVPN section or not.
> >> Better to have a clear message on this.
> >>
> >
> > Ok. So how does our guide exactly help people that use OpenVPN anyway?
> > Nothing in this document improves the default security as shipped with
> > OpenVPN.
> >
>
> E.g. the server configuration file in our repo currently ships with:
>
> ```
> ...
>
> # Attention: it must fit in 256 bytes, so not the infamous CipherStringB!
> tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
> cipher AES-256-CBC
> auth SHA384
>
> # Enable compression on the VPN link.
> # If you enable it here, you must also
> # enable it in the client config file.
> comp-lzo
>
> ...
> ```
>
> Of course this cipherstring is bogus since it automatically falls back
> to AES256-SHA. Compression on the VPN link layer is also enabled while
> it is unclear how different compression algorithms interfere with TLS
> encrypted traffic.
>
> Upstream OpenVPN defaults and configurations shipped are identical.
>
> Aaron
>
>
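An added example (not code from this thread or from the ACH guide) that audits an OpenVPN server config for the two points raised above: a `tls-cipher` list that lets the handshake fall back to non-PFS suites such as AES256-SHA, and `comp-lzo` enabling compression on the TLS link. The "hardened" variant is this example's own assumption, not a value the guide ships.

```python
# Constructed sample: the server.conf fragment quoted in this thread,
# with the wrapped tls-cipher value restored to a single line.
QUOTED_CONF = """
# Attention: it must fit in 256 bytes, so not the infamous CipherStringB!
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
comp-lzo
"""

# Assumed hardened variant (this example's own choice, not the guide's):
# forward-secret suites only and no compression on the link.
HARDENED_CONF = """
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
cipher AES-256-CBC
auth SHA384
"""

TLS_CIPHER_MAX_BYTES = 256          # limit noted in the quoted comment
COMPRESSING = {"lzo", "lz4", "lz4-v2"}  # 'compress' arguments that compress


def parse_conf(text):
    """Yield (directive, argument) pairs; lines starting with '#' or ';' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit(text):
    """Return (code, detail) findings for the weaknesses discussed in the thread."""
    findings = []
    for directive, arg in parse_conf(text):
        if (directive == "comp-lzo" and arg != "no") or \
           (directive == "compress" and arg in COMPRESSING):
            findings.append(("compression", "compression enabled on the TLS link"))
        elif directive == "tls-cipher":
            size = len(arg.encode())
            if size > TLS_CIPHER_MAX_BYTES:
                findings.append(("too-long", f"tls-cipher is {size} bytes"))
            # Any suite without a (EC)DHE key exchange is a reachable fallback.
            weak = [s for s in arg.split(":") if not s.startswith(("DHE-", "ECDHE-"))]
            if weak:
                findings.append(("fallback", "non-PFS suites reachable: " + ":".join(weak)))
    return findings


if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "clean")
```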