Hi,

On Fri, Mar 6, 2015 at 12:32 PM, <debbie...@gmail.com> wrote:
> Can somebody please explain this:
>
> Adding !EXP to the server side tls-cipher is enough to mitigate attacks. The
> suggested tls-cipher string is DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA. This
> disallows export ciphers, weak ciphers (e.g. DES), and RSA key exchange
> (note: not RSA authentication), but allows any future, stronger cipher
> suites.
> Clients who wish to rule out this attack on clients prior to 2.3.6-I002/I603
> can add !kRSA to their tls-cipher string
> ref:
> https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-FREAK
>
> This is what I get following these instructions:
>
> Server Config:
> tls-cipher
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA:DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA

Just use "tls-cipher DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA",
TLS-DHE-RSA-WITH-AES-256-CBC-SHA is already part of DEFAULT.

> Server log:
> Fri Mar 6 11:24:00 2015 us=862202 OpenVPN 2.3_git
> [git:master/669f898b8fcaf7a8+] i686-pc-linux-gnu [SSL (OpenSSL)]
> [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 3 2015
> Fri Mar 6 11:24:01 2015 us=427277 No valid translation found for TLS cipher
> '!EXP'
> Fri Mar 6 11:24:01 2015 us=427463 No valid translation found for TLS cipher
> '!LOW'
> Fri Mar 6 11:24:01 2015 us=427544 No valid translation found for TLS cipher
> '!PSK'
> Fri Mar 6 11:24:01 2015 us=427617 No valid translation found for TLS cipher
> '!SRP'
> Fri Mar 6 11:24:01 2015 us=427688 No valid translation found for TLS cipher
> '!kRSA'

These warnings are harmless (but annoying and confusing). I'll work up a
patch to get rid of these.

> Client Config:
> tls-cipher !kRSA
>
> Client log:
> Fri Mar 06 11:17:09 2015 us=390625 OpenVPN 2.3.6 i686-w64-mingw32 [SSL
> (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 4 2015
> Fri Mar 06 11:17:10 2015 us=265625 No valid translation found for TLS cipher
> '!kRSA'
> Fri Mar 06 11:17:10 2015 us=281250 MANAGEMENT: Client disconnected
> Fri Mar 06 11:17:10 2015 us=281250 Failed to set restricted TLS cipher list:
> !kRSA: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
> Fri Mar 06 11:17:10 2015 us=281250 Exiting due to fatal error

This results in an empty list, as this says "<empty>, but no RSA key
exchange". That is what OpenSSL is complaining about. Just use "tls-cipher
DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA".

As you've noticed, getting tls-cipher right can be tricky. Not specifically
to you, but in general: tls-cipher really is an advanced feature for people
who know what they're doing. If you don't understand *exactly* what you're
doing, you might very well be causing more harm than good. Please please
please do not use it unless you understand the consequences completely.
-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
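The point Steffan makes about "!kRSA" on its own (an OpenSSL cipher list starts empty, and a string made only of exclusions never adds anything, so SSL_CTX_set_cipher_list fails with "no cipher match") is easy to verify before touching a config. The script below is an added example written for this thread; it is not OpenVPN's code and not part of the original mail. It feeds a cipher string to the same OpenSSL call through Python's `ssl` module, then checks whether any selected suite still uses static RSA key exchange (Kx=RSA), which is what `!kRSA` is meant to remove. Assumptions: the interpreter is linked against OpenSSL (the expansion reflects that library's version and build options), and OpenVPN's own IANA-name translation step, the source of the harmless "No valid translation" warnings above, is not involved because the string is given in OpenSSL notation directly. The function and variable names (`expand_cipher_string`, `audit`, `SUGGESTED`, `CLIENT_ONLY`) are mine.

```python
"""Expand an OpenSSL cipher string the way OpenVPN's tls-cipher hands it to
SSL_CTX_set_cipher_list(), and check the result for RSA key exchange.

Added example for the thread above, not OpenVPN's own code. It relies on
Python's ssl module, so the result reflects whatever OpenSSL this interpreter
is linked against (assumption: OpenSSL, not another TLS library).
"""
import ssl

# The string recommended in the FREAK announcement quoted in the thread.
SUGGESTED = "DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA"
# The client-side string from the thread that OpenSSL rejected.
CLIENT_ONLY = "!kRSA"


def expand_cipher_string(spec):
    """Return (ok, descriptions, error) for a cipher string.

    ok is False when OpenSSL rejects the string. That happens whenever the
    rules leave nothing selected: the list starts empty, plain names add to
    it, and '!name' only ever removes, so a string consisting solely of
    exclusions is "<empty>, but without ..." and fails with "no cipher match".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return False, [], str(exc)
    # Each description has the 'openssl ciphers -v' shape:
    # NAME PROTO Kx=... Au=... Enc=... Mac=...
    return True, [c["description"] for c in ctx.get_ciphers()], None


def key_exchange(description):
    """Pull the Kx= field out of an 'openssl ciphers -v' style description."""
    for field in description.split():
        if field.startswith("Kx="):
            return field[len("Kx="):]
    return None


def rsa_key_exchange_suites(descriptions):
    """Names of suites that still negotiate static RSA key exchange.

    Kx=RSA is matched exactly, so RSAPSK suites are not counted here; the
    suggested string removes those through !PSK in any case.
    """
    return [d.split()[0] for d in descriptions if key_exchange(d) == "RSA"]


def audit(spec):
    """One-shot verdict for a tls-cipher string: does OpenSSL accept it, how
    many suites survive, and which of them still use RSA key exchange."""
    ok, descs, err = expand_cipher_string(spec)
    return {
        "spec": spec,
        "parses": ok,
        "error": err,
        "suite_count": len(descs),
        "rsa_kx_suites": rsa_key_exchange_suites(descs),
    }


if __name__ == "__main__":
    for spec in (CLIENT_ONLY, SUGGESTED, "DEFAULT"):
        r = audit(spec)
        print(f"{spec!r}: parses={r['parses']} suites={r['suite_count']} "
              f"rsa_kx={len(r['rsa_kx_suites'])} error={r['error']}")
```

Running it shows the two outcomes from the thread side by side: `!kRSA` alone is rejected by OpenSSL with an empty selection, while `DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA` parses to a non-empty list in which no suite reports Kx=RSA. The same check without Python is `openssl ciphers -v 'DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA'`; what matters is that it is run against the OpenSSL build the OpenVPN binary actually links, since alias contents such as DEFAULT differ between versions.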