OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Zapp on August 31, 2016, 10:14:13 pm

Title: [SOLVED] Empty Encryption algorithm selection in OpenVPN config?
Post by: Zapp on August 31, 2016, 10:14:13 pm
Trying to set up an OpenVPN server in 16.7.3 but my available Encryption algorithm selection is empty!?

What have I done wrong?

http://imgur.com/eKfopth

   /Jonas...
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: thomas_hh on August 31, 2016, 11:19:03 pm
That's the same for me.
16.7.1 and 16.7.2 are ok.

It's a bug??

greetings thomas
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: franco on August 31, 2016, 11:52:21 pm
Problem with OpenVPN 2.3.12 update... I will investigate tomorrow.

Workaround for amd64/OpenSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:amd64/MINT/16.7.2/OpenSSL/All/openvpn-2.3.11.txz

Workaround for amd64/LibreSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:amd64/MINT/16.7.2/LibreSSL/All/openvpn-2.3.11.txz

Workaround for i386/OpenSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:i386/MINT/16.7.2/OpenSSL/All/openvpn-2.3.11.txz

Workaround for i386/LibreSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:i386/MINT/16.7.2/LibreSSL/All/openvpn-2.3.11.txz
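The four workaround commands above differ only in architecture and SSL flavour. The script below is an added example, not part of the thread and not OPNsense project code: it picks the matching 2.3.11 package for the box, force-installs it, locks the package so the next firmware update does not pull 2.3.12 straight back in, and checks that the ciphers come back in the layout the 16.7.3 GUI expects. Detecting the flavour through `openssl version` and the post-install checks are my own assumptions; the mirror path and file name are the ones posted above.

```shell
#!/bin/sh
# Pin OpenVPN 2.3.11 on OPNsense 16.7.x until the fixed 2.3.12 package is published.
# Assumptions (not from the thread): SSL flavour is read from `openssl version`,
# the architecture from `uname -m`. Adjust if your box differs.
set -eu

MIRROR="https://pkg.opnsense.org/FreeBSD:10"
PKG_FILE="openvpn-2.3.11.txz"

# Build the package URL for an arch (amd64|i386) and flavour (OpenSSL|LibreSSL).
# Produces exactly the four URLs given in the thread.
openvpn_pkg_url() {
    arch="$1"; flavour="$2"
    case "$arch" in
        amd64|i386) ;;
        *) echo "unsupported arch: $arch" >&2; return 1 ;;
    esac
    case "$flavour" in
        OpenSSL|LibreSSL) ;;
        *) echo "unsupported flavour: $flavour" >&2; return 1 ;;
    esac
    printf '%s:%s/MINT/16.7.2/%s/All/%s\n' "$MIRROR" "$arch" "$flavour" "$PKG_FILE"
}

# Heuristic: on a LibreSSL image the system openssl binary reports "LibreSSL".
detect_flavour() {
    if openssl version 2>/dev/null | grep -qi libressl; then
        echo LibreSSL
    else
        echo OpenSSL
    fi
}

# Count cipher lines in the pre-2.3.12 layout ("<NAME> <N> bit default key ...").
# 0 means the 16.7.3 GUI parser will still show an empty drop-down.
count_legacy_cipher_lines() {
    openvpn --show-ciphers 2>/dev/null | grep -c ' bit default key ' || true
}

downgrade_openvpn() {
    url="$(openvpn_pkg_url "$(uname -m)" "$(detect_flavour)")"
    echo "Installing $url"
    # -f forces the install over the newer 2.3.12. A single-file `pkg add` is not
    # checked against the repository's signed catalogue, so you are trusting the
    # HTTPS mirror here; verify the version afterwards.
    pkg add -f "$url"
    # Keep `pkg upgrade` / the firmware updater from reinstalling 2.3.12.
    # Run `pkg unlock openvpn` once the fixed 2.3.12_1 (or later) is available.
    pkg lock -y openvpn
    openvpn --version | head -n 1
    echo "cipher lines in legacy layout: $(count_legacy_cipher_lines)"
}

# Invoke as `sh pin-openvpn.sh run` on the firewall; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    downgrade_openvpn
fi
```

The lock is the part people forget: without it the next "check for updates" in the GUI reinstalls the broken package and the drop-down goes empty again.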
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: franco on September 01, 2016, 12:05:24 am
Wow, nice, 2.3.12 decided to completely reengineer the --show-ciphers output:

Code:
% diff -u before after
--- before 2016-08-31 23:58:14.655800000 +0200
+++ after 2016-08-31 23:58:32.567938000 +0200
@@ -5,64 +5,68 @@
 changed with the --keysize directive.  Using a CBC mode
 is recommended. In static key mode only CBC mode is allowed.
 
-DES-CFB 64 bit default key (fixed) (TLS client/server mode)
-DES-CBC 64 bit default key (fixed)
-IDEA-CBC 128 bit default key (fixed)
-IDEA-CFB 128 bit default key (fixed) (TLS client/server mode)
-RC2-CBC 128 bit default key (variable)
-RC2-CFB 128 bit default key (variable) (TLS client/server mode)
-RC2-OFB 128 bit default key (variable) (TLS client/server mode)
-DES-EDE-CBC 128 bit default key (fixed)
-DES-EDE3-CBC 192 bit default key (fixed)
-DES-OFB 64 bit default key (fixed) (TLS client/server mode)
-IDEA-OFB 128 bit default key (fixed) (TLS client/server mode)
-DES-EDE-CFB 128 bit default key (fixed) (TLS client/server mode)
-DES-EDE3-CFB 192 bit default key (fixed) (TLS client/server mode)
-DES-EDE-OFB 128 bit default key (fixed) (TLS client/server mode)
-DES-EDE3-OFB 192 bit default key (fixed) (TLS client/server mode)
-DESX-CBC 192 bit default key (fixed)
-BF-CBC 128 bit default key (variable)
-BF-CFB 128 bit default key (variable) (TLS client/server mode)
-BF-OFB 128 bit default key (variable) (TLS client/server mode)
-RC2-40-CBC 40 bit default key (variable)
-CAST5-CBC 128 bit default key (variable)
-CAST5-CFB 128 bit default key (variable) (TLS client/server mode)
-CAST5-OFB 128 bit default key (variable) (TLS client/server mode)
-RC2-64-CBC 64 bit default key (variable)
-AES-128-CBC 128 bit default key (fixed)
-AES-128-OFB 128 bit default key (fixed) (TLS client/server mode)
-AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
-AES-192-CBC 192 bit default key (fixed)
-AES-192-OFB 192 bit default key (fixed) (TLS client/server mode)
-AES-192-CFB 192 bit default key (fixed) (TLS client/server mode)
-AES-256-CBC 256 bit default key (fixed)
-AES-256-OFB 256 bit default key (fixed) (TLS client/server mode)
-AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
-AES-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
-AES-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
-AES-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
-AES-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
-AES-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
-AES-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
-DES-CFB1 64 bit default key (fixed) (TLS client/server mode)
-DES-CFB8 64 bit default key (fixed) (TLS client/server mode)
-DES-EDE3-CFB1 192 bit default key (fixed) (TLS client/server mode)
-DES-EDE3-CFB8 192 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-128-CBC 128 bit default key (fixed)
-CAMELLIA-192-CBC 192 bit default key (fixed)
-CAMELLIA-256-CBC 256 bit default key (fixed)
-CAMELLIA-128-CFB 128 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-192-CFB 192 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-256-CFB 256 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-128-OFB 128 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-192-OFB 192 bit default key (fixed) (TLS client/server mode)
-CAMELLIA-256-OFB 256 bit default key (fixed) (TLS client/server mode)
-gost89 256 bit default key (fixed) (TLS client/server mode)
-gost89-cnt 256 bit default key (fixed) (TLS client/server mode)
+AES-128-CBC  (128 bit key, 128 bit block)
+AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
+AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
+AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
+AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
+AES-192-CBC  (192 bit key, 128 bit block)
+AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
+AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
+AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
+AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
+AES-256-CBC  (256 bit key, 128 bit block)
+AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
+AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
+AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
+AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-128-CBC  (128 bit key, 128 bit block)
+CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-192-CBC  (192 bit key, 128 bit block)
+CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-256-CBC  (256 bit key, 128 bit block)
+CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
+CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
+
+The following ciphers have a block size of less than 128 bits,
+and are therefore deprecated.  Do not use unless you have to.
+
+BF-CBC  (128 bit key by default, 64 bit block)
+BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+CAST5-CBC  (128 bit key by default, 64 bit block)
+CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+DES-CBC  (64 bit key, 64 bit block)
+DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
+DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
+DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE-CBC  (128 bit key, 64 bit block)
+DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE3-CBC  (192 bit key, 64 bit block)
+DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
+DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
+DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
+DESX-CBC  (192 bit key, 64 bit block)
+IDEA-CBC  (128 bit key, 64 bit block)
+IDEA-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
+IDEA-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
+RC2-40-CBC  (40 bit key by default, 64 bit block)
+RC2-64-CBC  (64 bit key by default, 64 bit block)
+RC2-CBC  (128 bit key by default, 64 bit block)
+RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
+gost89  (256 bit key, 8 bit block, TLS client/server mode only)
+gost89-cnt  (256 bit key, 8 bit block, TLS client/server mode only)

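Review bot: the `-` lines carry the key size inline as `<N> bit default key (fixed|variable)` with an optional trailing `(TLS client/server mode)`, while every `+` line moves it into a parenthesised `(<N> bit key[ by default], <B> bit block[, TLS client/server mode only])` tuple, so any consumer keyed on the string `bit default key` matches zero lines on 2.3.12, which is exactly the empty drop-down reported at the top of the thread; a consumer of this output should accept both layouts rather than one fixed regex. The `+` side also introduces a second section headed "The following ciphers have a block size of less than 128 bits, and are therefore deprecated" (BF-*, CAST5-*, DES-*, DESX-CBC, IDEA-*, RC2-*, gost89*), and that flag is worth carrying through to the GUI instead of listing those entries on equal footing with AES and Camellia.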
Anyone seeing this in the patch notes?

https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: franco on September 01, 2016, 12:15:18 am
https://github.com/openvpn/openvpn/commit/610fdbbd

"While touching this function, improve the output of --show-ciphers by
ordering the output alphabetically, and changing the output format
slightly."

I'm reverting this tomorrow on top of 2.3.12 and the firmware upgrades should pick up 2.3.12_1 by noon. Sorry folks.
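The diff and the commit quoted above are the whole root cause: the drop-down is fed from `openvpn --show-ciphers`, and 2.3.12 changed the per-cipher line layout, so the 16.7.3 parser matched nothing. The following is an added Python example, not OPNsense's own (PHP) code, showing a parser that accepts both layouts and carries the new "deprecated" grouping through to the list a UI would offer. The two sample outputs are constructed excerpts modelled on the diff above, the regular expressions and the `legacy_parse` stand-in for an old-layout-only parser are mine, and the block-size table is filled from the 2.3.12 listing so entries from the old layout (which never printed a block size) get the same classification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpts of `openvpn --show-ciphers` output (not captured from a real box).
# OLD_OUTPUT mirrors the layout up to 2.3.11, NEW_OUTPUT the 2.3.12 layout shown in the diff.
OLD_OUTPUT = """\
changed with the --keysize directive.  Using a CBC mode
is recommended. In static key mode only CBC mode is allowed.

DES-CBC 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
gost89 256 bit default key (fixed) (TLS client/server mode)
"""

NEW_OUTPUT = """\
changed with the --keysize directive.  Using a CBC mode
is recommended. In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
DES-CBC  (64 bit key, 64 bit block)
gost89  (256 bit key, 8 bit block, TLS client/server mode only)
"""

# Pre-2.3.12 line: "<NAME> <N> bit default key (fixed|variable) [(TLS client/server mode)]"
OLD_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+) (?P<key>\d+) bit default key "
    r"\((?:fixed|variable)\)(?P<tls> \(TLS client/server mode\))?$"
)
# 2.3.12 line: "<NAME>  (<N> bit key[ by default], <B> bit block[, TLS client/server mode only])"
NEW_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9-]+)\s+\((?P<key>\d+) bit key(?: by default)?, "
    r"(?P<block>\d+) bit block(?P<tls>, TLS client/server mode only)?\)$"
)

# Block size per cipher family, taken from the 2.3.12 listing in the thread. The old
# layout never printed a block size, so this is how its entries get classified.
BLOCK_BITS_BY_FAMILY = {
    "AES": 128, "CAMELLIA": 128,
    "BF": 64, "CAST5": 64, "DES": 64, "DESX": 64, "IDEA": 64, "RC2": 64,
    "GOST89": 8,
}


@dataclass(frozen=True)
class Cipher:
    name: str
    key_bits: int
    block_bits: Optional[int]
    tls_only: bool

    @property
    def deprecated(self) -> bool:
        # 2.3.12 deprecates every cipher whose block is shorter than 128 bits.
        return self.block_bits is not None and self.block_bits < 128


def _family_block_bits(name: str) -> Optional[int]:
    return BLOCK_BITS_BY_FAMILY.get(name.split("-")[0].upper())


def _from_old(m: "re.Match") -> Cipher:
    return Cipher(m["name"], int(m["key"]), _family_block_bits(m["name"]), m["tls"] is not None)


def legacy_parse(text: str) -> List[Cipher]:
    """Stand-in for a parser that only knows the 2.3.11 layout: it returns nothing
    for 2.3.12 output, which is the empty drop-down reported in this thread."""
    return [_from_old(m) for m in map(OLD_LINE.match, text.splitlines()) if m]


def parse_show_ciphers(text: str) -> List[Cipher]:
    """Accept both layouts; preamble and section headers simply do not match."""
    ciphers: List[Cipher] = []
    for line in text.splitlines():
        m = OLD_LINE.match(line)
        if m:
            ciphers.append(_from_old(m))
            continue
        m = NEW_LINE.match(line)
        if m:
            ciphers.append(Cipher(m["name"], int(m["key"]), int(m["block"]), m["tls"] is not None))
    return ciphers


def dropdown_choices(ciphers: List[Cipher], allow_deprecated: bool = False) -> List[str]:
    """Names a server-config UI should offer; 64-bit-block ciphers are hidden
    unless the operator explicitly opts in."""
    return sorted(c.name for c in ciphers if allow_deprecated or c.deprecated is False)


if __name__ == "__main__":
    print("legacy parser on 2.3.12 output:", legacy_parse(NEW_OUTPUT))
    for c in parse_show_ciphers(NEW_OUTPUT):
        print(f"{c.name:12} key={c.key_bits:3} block={c.block_bits:3} "
              f"tls_only={c.tls_only} deprecated={c.deprecated}")
    print("drop-down:", dropdown_choices(parse_show_ciphers(NEW_OUTPUT)))
```

Matching the line shape rather than the marker text is the point: the commit message only promises "changing the output format slightly", which is all the warning a screen-scraping parser ever gets, so the check that belongs next to such a parser is "at least one cipher parsed", failing loudly instead of rendering an empty select.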
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: Zapp on September 01, 2016, 08:24:53 am
Problem with OpenVPN 2.3.12 update... I will investigate tomorrow.

Workaround for amd64/OpenSSL:

# pkg add -f https://pkg.opnsense.org/FreeBSD:10:amd64/MINT/16.7.2/OpenSSL/All/openvpn-2.3.11.txz

...

Above tested and worked for me.

BIG thanks!

   /Jonas...
Title: Re: Empty Encryption algorithm selection in OpenVPN config?
Post by: franco on September 01, 2016, 08:41:03 am
OpenVPN package version 2.3.12_2 currently syncing to the package mirrors, you guys should be able to grab this directly from the firmware update page now. Thanks again for the quick heads-up. :)


Cheers,
Franco