Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 3:37 pm
by rseiler
Using the latest OpenVPN client (as opposed to some older ones, which didn't show this), I've noticed a warning coming up in the log displayed in the client:
"WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."
I then found this page, which explains it:
https://community.openvpn.net/openvpn/w ... -cert-type
I don't see where --ns-cert-type is being used, however. It's not obviously in server.conf, and it's not in my .ovpn. So I bring it up here in case it's something beyond our control that maybe should be updated in the ROM at some point, possibly along with some of the others on that page, if applicable.
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 3:41 pm
by ispyisail
I have also reported this
https://github.com/ericpaulbishop/gargoyle/issues/663
I'm not sure it's at the critical level?
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 4:16 pm
by rseiler
It doesn't seem critical, since worst case we could just stick with the current client, but eventually it might be a problem (it sounds like --ns-cert-type might still be OK with 2.5, depending on whether the remapping they mention works).
I should mention that I also get the password cache warning, but I assumed that was my doing, since I've implemented a workaround to eliminate the need for the user to enter a password. Apparently not though.
For whatever reason, I don't get the other three you mentioned (--keysize and the two about ciphers), so those would seem to relate to configuration choices. We could always compare notes on that.
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 4:48 pm
by ispyisail
so those would seem to relate to configuration choices.
I use the default settings, maybe the Gargoyle defaults should be increased?
Down side is CPU capacity?

Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 5:06 pm
by rseiler
Same here except for my use of "AES-CBC 128bit," which I'm using probably based on searching around to see which one I should be using (i.e. I don't recall the specific reasons now).
Based on your error message though ("INSECURE cipher with block size less than 128 bit (64 bit)...Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC)"), I have to wonder why I don't also get the warning, as I'm not using 256bit. Actually, it says less than 128bit. Hmmm.
I never tested 256bit to see the impact on CPU, but it might be substantial, since that's a huge difference.
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 5:59 pm
by ispyisail
New Test
Thu Oct 12 10:54:09 2017 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Oct 12 10:54:09 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Oct 12 10:54:11 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Thu Oct 12 10:54:16 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 6:13 pm
by ispyisail
When I change to
Only two errors
Thu Oct 12 11:09:45 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Oct 12 11:09:51 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 6:25 pm
by ispyisail
Current Server Config
client
remote 192.168.10.141 1194
dev tun
proto udp
status current_status
resolv-retry infinite
ns-cert-type server
topology subnet
verb 3
cipher BF-CBC
keysize 128
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
nobind
persist-key
persist-tun
comp-lzo
Looks like we need to change
to
and add
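The four warnings in this thread all come from directives visible in the config above. The following script, an added example written for this thread (not Gargoyle's or OpenVPN's own code), scans an OpenVPN config for those directives and produces a corrected copy: `ns-cert-type` becomes `remote-cert-tls`, `keysize` is dropped, a 64-bit-block cipher such as `BF-CBC` is replaced by the `AES-256-CBC` named in the SWEET32 warning, and `auth-nocache` is appended when absent. The embedded sample config is the one posted above; the cipher list and replacement choice are the editor's assumptions.

```python
"""Scan an OpenVPN config for the deprecated options discussed in this thread
and produce a corrected copy.

Added example for this thread; not Gargoyle's or OpenVPN's own code. The
replacements follow the warnings quoted above: ns-cert-type -> remote-cert-tls,
keysize dropped, 64-bit-block cipher -> AES-256-CBC, auth-nocache added.
"""

# Ciphers with a 64-bit block size, which OpenVPN 2.4 flags for SWEET32
# (editor's list; BF-CBC is the one from the thread).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
REPLACEMENT_CIPHER = "AES-256-CBC"  # the alternative named in the quoted warning

# The config ispyisail posted above, embedded here as sample input.
SAMPLE_CONFIG = """\
client
remote 192.168.10.141 1194
dev tun
proto udp
status current_status
resolv-retry infinite
ns-cert-type server
topology subnet
verb 3
cipher BF-CBC
keysize 128
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
nobind
persist-key
persist-tun
comp-lzo
"""


def parse(text):
    """Yield (line_no, directive, args); lines starting with # or ; are comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def check_config(text):
    """Return a list of (line_no, directive, advice) for each problem found."""
    findings = []
    seen = set()
    for n, directive, args in parse(text):
        seen.add(directive)
        if directive == "ns-cert-type":
            # remote-cert-tls checks keyUsage/extendedKeyUsage, so the peer's
            # certificate must carry those extensions, not only nsCertType.
            findings.append((n, directive,
                             f"deprecated; use 'remote-cert-tls {' '.join(args)}'"))
        elif directive == "keysize":
            findings.append((n, directive, "deprecated, removed in OpenVPN 2.6; drop it"))
        elif directive == "cipher" and args and args[0].upper() in SMALL_BLOCK_CIPHERS:
            findings.append((n, directive,
                             f"{args[0]} has a 64-bit block (SWEET32); use {REPLACEMENT_CIPHER} "
                             "and make the same change on the other end"))
    if "auth-nocache" not in seen:
        findings.append((0, "auth-nocache",
                         "absent; OpenVPN warns that passwords may be cached in memory"))
    return findings


def fix_config(text):
    """Return a corrected copy of the config; other lines are kept in order."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        directive = parts[0] if parts and raw.lstrip()[0] not in "#;" else None
        if directive == "keysize":
            continue  # dropped outright
        if directive == "ns-cert-type":
            out.append("remote-cert-tls " + " ".join(parts[1:]))
        elif directive == "cipher" and parts[1:] and parts[1].upper() in SMALL_BLOCK_CIPHERS:
            out.append("cipher " + REPLACEMENT_CIPHER)
        else:
            out.append(raw)
    if "auth-nocache" not in {d for _, d, _ in parse(text)}:
        out.append("auth-nocache")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, directive, advice in check_config(SAMPLE_CONFIG):
        print(f"line {line_no or '-'}: {directive}: {advice}")
    print("--- corrected ---")
    print(fix_config(SAMPLE_CONFIG))
```

Run it against the sample and it reports the `ns-cert-type`, `cipher` and `keysize` lines plus the missing `auth-nocache`, then prints a config that passes a second `check_config` cleanly. The cipher change is only safe if the server side is changed at the same time, and `remote-cert-tls server` will reject a server certificate that was issued with only the nsCertType extension.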
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 6:34 pm
by rseiler
Based on the first and second of your new messages, I guess we can conclude that the warning is more about Blowfish than the bits. Maybe it's Blowfish that's deprecated.
On your last message, is that /etc/openvpn/server.conf that you're showing? I don't have the "ns-cert-type" line at all, but maybe that's the default even if absent.
Re: Deprecated Options in OpenVPN
Posted: Wed Oct 11, 2017 6:38 pm
by ispyisail
https://www.bestvpn.com/vpn-encryption- ... ete-guide/
Looks like "Blowfish" is being replaced with "AES" and "Camellia"?