AES256-GCM-SHA384 for OpenVPN
Posted: Fri Mar 06, 2020 11:01 pm
Hi,
It looks like the SoftEtherVPN can't support AES256-GCM-SHA384 for OpenVPN client. It defaults to AES-128-CBC. Does anybody have any luck enabling the AES256-GCM-SHA384? I built the SoftEther binaries from scratch using the latest OpenSSL and other libraries. I enabled and verified but the OpenVPN client says the server side is set to AES-128-CBC cipher.
VPN Server/beta1> ServerCipherSet AES256-GCM-SHA384
VPN Server/beta1> ServerCipherGet
Encrypted Algorithm Currently Used by VPN Server:
AES256-GCM-SHA384
However, if I create a client config using the server manager, it puts AES-128-CBC / SHA1 in the config file. And if I use this from client, it works. So basically that tells me I have to enable something else on the server side to be able to utilize the new ciphers that are supported.
Client:
Fri Mar 6 02:49:34 2020 UDP link local: (not bound)
Fri Mar 6 02:49:34 2020 UDP link remote: [AF_INET]192.168.0.20:1194
Fri Mar 6 02:49:34 2020 TLS: Initial packet from [AF_INET]192.168.0.20:1194, sid=88a41471 efdbb74f
Fri Mar 6 02:49:34 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 6 02:49:34 2020 VERIFY KU OK
Fri Mar 6 02:49:34 2020 Validating certificate extended key usage
Fri Mar 6 02:49:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Mar 6 02:49:34 2020 VERIFY EKU OK
Fri Mar 6 02:49:34 2020 VERIFY OK: depth=0, CN=commsmgr-3847, O=commsmgr-3847, OU=commsmgr-3847, C=US
Fri Mar 6 02:49:34 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Fri Mar 6 02:49:34 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Fri Mar 6 02:49:34 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Fri Mar 6 02:49:34 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Mar 6 02:49:34 2020 [commsmgr-3847] Peer Connection Initiated with [AF_INET]192.168.0.20:1194
Fri Mar 6 02:49:35 2020 SENT CONTROL [commsmgr-3847]: 'PUSH_REQUEST' (status=1)
Fri Mar 6 02:49:36 2020 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: route options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: route-related options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Mar 6 02:49:36 2020 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 ROUTE: default_gateway=UNDEF
Fri Mar 6 02:49:36 2020 TUN/TAP device tun0 opened
Fri Mar 6 02:49:36 2020 TUN/TAP TX queue length set to 100
Fri Mar 6 02:49:36 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 6 02:49:36 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Mar 6 02:49:36 2020 /sbin/ip addr add dev tun0 local 192.168.30.13 peer 192.168.30.14
Fri Mar 6 02:49:36 2020 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Fri Mar 6 02:49:36 2020 Initialization Sequence Completed
Fri Mar 6 02:49:36 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:39 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:41 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:42 2020 AEAD Decrypt error: cipher final failed
^CFri Mar 6 02:49:45 2020 event_wait : Interrupted system call (code=4)
Thanks,
Ratin
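Added example, not part of the original post and not SoftEther or OpenVPN code: a triage script for the client log above. It separates the TLS suite reported on the Control Channel line from the data-channel 'cipher' values the peers disagree on, and counts the AEAD decrypt failures that follow. The function name triage and the report keys are hypothetical; the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: lines copied from the client log in the post above.
SAMPLE_LOG = """\
Fri Mar 6 02:49:34 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Fri Mar 6 02:49:34 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Fri Mar 6 02:49:34 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Fri Mar 6 02:49:34 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Mar 6 02:49:36 2020 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 Initialization Sequence Completed
Fri Mar 6 02:49:36 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:39 2020 AEAD Decrypt error: cipher final failed
"""

# Option-consistency warning: captures option name, local value, remote value.
MISMATCH = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently, local='\1 ([^']*)', remote='\1 ([^']*)'")
# TLS control channel: protocol version and negotiated TLS cipher suite.
CONTROL = re.compile(r"Control Channel: (\S+), cipher (?:\S+ )?(\S+),")
# Data channel: the cipher this client actually initialised per direction.
DATA = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)'")
DECRYPT_ERR = re.compile(r"AEAD Decrypt error")

def triage(log_text):
    """Summarise negotiated ciphers and flag a data-channel cipher mismatch."""
    report = {"mismatches": {}, "control_tls_suite": None,
              "data_ciphers": {}, "decrypt_errors": 0}
    for line in log_text.splitlines():
        if m := MISMATCH.search(line):
            report["mismatches"][m.group(1)] = (m.group(2), m.group(3))
        elif m := CONTROL.search(line):
            report["control_tls_suite"] = m.group(2)
        elif m := DATA.search(line):
            report["data_ciphers"][m.group(1).lower()] = m.group(2)
        elif DECRYPT_ERR.search(line):
            report["decrypt_errors"] += 1
    # Flag the tunnel when the peers disagreed on 'cipher' and received
    # packets then fail authentication, regardless of the TLS suite in use.
    cipher_pair = report["mismatches"].get("cipher")
    report["data_channel_broken"] = bool(cipher_pair) and report["decrypt_errors"] > 0
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```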