Hi

Can somebody please explain this:

Adding !EXP to the server side tls-cipher is enough to mitigate attacks. The 
suggested tls-cipher string is DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA. This 
disallows export ciphers, weak ciphers (e.g. DES), and RSA key exchange 
(note: not RSA authentication), but allows any future, stronger cipher 
suites.
Clients who wish to rule out this attack on clients prior to 2.3.6-I002/I603 
can add !kRSA to their tls-cipher string

ref:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-FREAK



This is what I get following these instructions:

Server Config:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA

Server log:
Fri Mar  6 11:24:00 2015 us=862202 OpenVPN 2.3_git [git:master/669f898b8fcaf7a8+] i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar  3 2015
Fri Mar  6 11:24:01 2015 us=427277 No valid translation found for TLS cipher '!EXP'
Fri Mar  6 11:24:01 2015 us=427463 No valid translation found for TLS cipher '!LOW'
Fri Mar  6 11:24:01 2015 us=427544 No valid translation found for TLS cipher '!PSK'
Fri Mar  6 11:24:01 2015 us=427617 No valid translation found for TLS cipher '!SRP'
Fri Mar  6 11:24:01 2015 us=427688 No valid translation found for TLS cipher '!kRSA'


Client Config:
tls-cipher !kRSA

Client log:
Fri Mar 06 11:17:09 2015 us=390625 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 4 2015
Fri Mar 06 11:17:10 2015 us=265625 No valid translation found for TLS cipher '!kRSA'
Fri Mar 06 11:17:10 2015 us=281250 MANAGEMENT: Client disconnected
Fri Mar 06 11:17:10 2015 us=281250 Failed to set restricted TLS cipher list: !kRSA: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
Fri Mar 06 11:17:10 2015 us=281250 Exiting due to fatal error



Many Thanks.


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

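Added example, not part of the post above and not OpenVPN or OpenSSL code: it reproduces what the two logs show, using Python's ssl module (a thin wrapper over OpenSSL's SSL_CTX_set_cipher_list). The client log shows that a tls-cipher token OpenVPN cannot translate is passed through to OpenSSL unchanged ("Failed to set restricted TLS cipher list: !kRSA"), and that a list made only of exclusions selects nothing, which OpenSSL reports as "no cipher match". The one-entry IANA-to-OpenSSL name table, and the corrected client list "DEFAULT:!kRSA", are assumptions for the example (the post does not state them); the rest is plain OpenSSL cipher-list behaviour, and the Kx= check verifies that the resulting lists really contain no RSA-key-exchange suite.

```python
"""Resolve OpenVPN tls-cipher strings the way OpenSSL will see them and check
the result for RSA key exchange (Kx=RSA), the thing !kRSA is meant to remove.

Added example for the mailing-list post; not OpenVPN code. IANA_TO_OPENSSL is
an assumed one-entry subset of OpenVPN's suite-name table, present only to
show the translation step that precedes SSL_CTX_set_cipher_list().
"""
import ssl

# Assumption: one entry of the IANA -> OpenSSL suite-name mapping.
IANA_TO_OPENSSL = {
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA": "DHE-RSA-AES256-SHA",
}


def translate_tls_cipher(tls_cipher):
    """Translate each colon-separated token of a tls-cipher value.

    Tokens in the table become OpenSSL suite names; everything else (OpenSSL
    keywords such as DEFAULT or !kRSA, unknown names) is passed through
    unchanged, as the client log shows. Returns (openssl_list, passthrough)."""
    out, passthrough = [], []
    for token in tls_cipher.split(":"):
        if token in IANA_TO_OPENSSL:
            out.append(IANA_TO_OPENSSL[token])
        else:
            passthrough.append(token)
            out.append(token)
    return ":".join(out), passthrough


def resolve(openssl_list):
    """Suites OpenSSL selects for openssl_list, or None when the list matches
    nothing (the 'no cipher match' error SSL_CTX_set_cipher_list returns)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_list)
    except ssl.SSLError:
        return None
    return ctx.get_ciphers()


def key_exchange(suite):
    """Kx= field of the 'openssl ciphers -v' style description line."""
    for field in suite["description"].split():
        if field.startswith("Kx="):
            return field[len("Kx="):]
    return "?"


def rsa_key_exchange_suites(openssl_list):
    """Names of selected suites that use plain RSA key exchange (Kx=RSA).
    TLS 1.3 suites, if the build has them, report Kx=any and are not counted."""
    suites = resolve(openssl_list) or []
    return [s["name"] for s in suites if key_exchange(s) == "RSA"]


def audit(tls_cipher):
    """Translate, resolve and check one tls-cipher value; returns a dict."""
    openssl_list, passthrough = translate_tls_cipher(tls_cipher)
    suites = resolve(openssl_list)
    return {
        "openssl_list": openssl_list,
        "passthrough": passthrough,
        "selected": None if suites is None else [s["name"] for s in suites],
        "rsa_kx": rsa_key_exchange_suites(openssl_list) if suites else [],
    }


if __name__ == "__main__":
    # The two lists from the post plus an assumed corrected client list.
    for label, value in [
        ("server (post)", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA"),
        ("client (post)", "!kRSA"),
        ("client (assumed fix)", "DEFAULT:!kRSA"),
    ]:
        r = audit(value)
        print(f"{label}: {value}")
        print(f"  passed to OpenSSL as: {r['openssl_list']}")
        if r["selected"] is None:
            print("  no cipher match (only exclusions, nothing selected)")
        else:
            print(f"  {len(r['selected'])} suites selected; Kx=RSA among them: {r['rsa_kx']}")
```

Running it against a current OpenSSL will not reproduce the "No valid translation found" lines, which are OpenVPN's own warning, but it does reproduce the client's fatal error: "!kRSA" on its own selects no suite, while a list that starts with a positive selection (DEFAULT) and then excludes kRSA resolves to a non-empty set with no Kx=RSA entry.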