CU 175 - How to update OpenVPN OpenSSL 1 to 3? (edited title)

Hi!

In blog.ipfire.org - IPFire 2.27 - Core Update 175 is available for testing I read this:

OpenSSL 3.1.0

IPFire makes heavy use of this cryptography library, which is why keeping it up to date (without causing any interference to existing installations) is an important task for the development team. Core Update 175 updates OpenSSL to version 3.1.0, for which some work under the hood was necessary, such as ensuring all dependent packages were ready for using OpenSSL’s API, which has changed from the 1.1.x series.

To avoid breaking any custom software IPFire users may run on their installations, OpenSSL 1.1.1’s files remain untouched on existing installations until the release of Core Update 176. However, please note that OpenSSL 1.1.1 is scheduled for end of life on September 11, 2023, and ensure any custom changes are made compatible to OpenSSL 3.1.0 as soon as possible.

I wonder how do I know if I am using OpenSSL1 or OpenSSL3? Am I using it with OpenVPN? What do I need to do? Create new p12-certificates?

One older certificate has info like this:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
X509v3 extensions:
X509v3 Basic Constraints:

Do those “Version: 3” and “v3” in the certificate refer to SSL?

Run the following command and with CU174 you will get the response shown.

openssl version
OpenSSL 1.1.1t 7 Feb 2023

Yes, but also many other programs in IPFire use it.

No, that is the version of the x509 certificate definition.

No. The openssl-3.x will also work with the certificates created and used from openssl-1.1.1

In Testing CU175 I did find a problem with the older insecure certificates. They would still work on a connection to openssl-3.x, but if you try to download them in CU175 Testing then you would get an Internal Server error.
I raised a bug for that and already submitted a patch fix for it.

The aim is that any software provided in IPFire will work with openssl-3.x the same as it did with openssl-1.1.1

The note is more for people who are using the openssl command in their own custom script. They need to do their own evaluation that the openssl command(s) they use work the same with openssl-3.x


Thank you! OK, I think I understand.

I do not think I have touched anything in the OpenVPN server settings since the middle ages. Now I have:

Protocol: UDP
MTU size: 1400
Destination port: 443
Hash algorithm: SHA (256 bit)
Encryption: AES-CBC (256 bit)
TLS Channel Protection: False

Certificate Authorities and -Keys
Diffie-Hellman-Parameter DH Parameters: (4096 bit)
TLS-Authentification-Key 2048 bit OpenVPN static key

So when 175 is released, I should start to create new certificates with SSL 3 to replace the old ones?
Should I also change something in my OpenVPN settings?
Or will changing the server settings break the old road warrior setups?
Or maybe it is worth the extra job as it is “best practice” and I will still replace with new certificates?

Any new connections created will have their certificates defined via openssl-3.x. This will mean that those certificates will not be able to have the very old insecure ciphers anymore. This doesn’t apply to you as you are using AES-CBC-256. You could use AES-GCM-256 but the difference is not that great. Both are 256 bit ciphers so good and strong. Also any new certificates created since CU172 will have key lengths of 4096 bits instead of the previous value of 2048 bits.
The old 2048 bit based certificates will still work with openssl-3.x without any change from yourself.

There is nothing that needs to be specifically changed because of the use of openssl-3.x

If you change any server settings then this will require re-creation of all the client certificates.

My view would be yes but then I only have around 5 client connections to re-create.
The view and choice might be a bit different if you have 200 client connections.

Any change to the server settings will apply to all the clients at the same time, so all would need to be updated at the same time.
For instance you don’t have the TLS Channel Protection enabled. From a security point of view TLS Channel Protection is good to be enabled.
https://wiki.ipfire.org/configuration/services/openvpn/config/glob_set#TLS Channel Protection
However if you enable it then all client certificates have to have it used.

For the 4096 bit key client certificates, these can be updated client by client, so at your leisure. 2048 bit keys are still good and secure, but as time goes on the cracking capability will improve and eventually they will become breakable. 4096 bit keys provide the next level of security.
https://blog.ipfire.org/post/ipfire-2-27-core-update-172-released

Hope the above helps in your decision making about what to change and when.
Feel free to come back with more questions that arise or need further clarification.

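The checks discussed in this thread (the `openssl version` command above, the X.509 "Version: 3" line, and the 2048 vs 4096 bit key lengths), gathered into one script. This is an added example, not IPFire code and not posted by anyone in the thread. It reports the installed OpenSSL major version, and for each certificate the X.509 structure version, the RSA key size and the signature hash, and it tests whether a .p12 bundle opens under the installed OpenSSL, retrying with OpenSSL 3's `-legacy` option (the legacy provider is what PKCS#12 files written by OpenSSL 1.1.1 with its default RC2-40 certificate encryption need under 3.x). The file names, password and the 2048/4096 bit test certificates it generates are constructed for the example; point the functions at your own exported .crt and .p12 files instead.

```shell
#!/bin/sh
# Added example (not IPFire's own code): audit certificates and PKCS#12 bundles
# the way the thread discusses. Test material is generated locally; names and
# the password "test" are made up for the example.

# Major version of the installed OpenSSL: "1" for 1.1.1t, "3" for 3.1.0.
openssl_major() {
    openssl version | sed -n 's/^OpenSSL \([0-9]*\)\..*/\1/p'
}

# RSA modulus size of the certificate's public key, e.g. 2048 or 4096.
# Matches both "RSA Public-Key: (N bit)" (1.1.1) and "Public-Key: (N bit)" (3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm, e.g. sha256WithRSAEncryption (first occurrence only).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# X.509 structure version from the "Version: 3 (0x2)" line. This is the
# certificate format version and has nothing to do with SSL/TLS versions.
cert_x509_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Verdict in the thread's terms: 4096 bit is what CU172+ generates, 2048 bit
# still works but is the first candidate to re-create client by client.
key_verdict() {
    case "$1" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$1" -ge 4096 ]; then echo current
    elif [ "$1" -ge 2048 ]; then echo ok-reissue-at-leisure
    else echo weak-reissue-now
    fi
}

# Try to open a PKCS#12 bundle with the installed OpenSSL:
#   ok           the default provider reads it
#   legacy-only  OpenSSL 3 reads it only with the legacy provider (1.1.1-era RC2 PBE)
#   fail         neither works (wrong password, corrupt file, or legacy provider missing;
#                under 1.1.1 the -legacy option does not exist, so a bad file also ends here)
p12_check() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1; then
        echo ok
    elif openssl pkcs12 -legacy -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1; then
        echo legacy-only
    else
        echo fail
    fi
}

# One report line per certificate file.
audit_cert() {
    bits=$(cert_key_bits "$1")
    printf '%s: x509v%s, %s-bit RSA, %s -> %s\n' "$1" "$(cert_x509_version "$1")" \
        "$bits" "$(cert_sig_alg "$1")" "$(key_verdict "$bits")"
}

# Constructed fixture: an "old" 2048-bit/SHA-256 cert, a "new" 4096-bit/SHA-512
# cert, and a .p12 built from the new one with the installed OpenSSL's defaults.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=old-client" \
        -keyout "$dir/old.key" -out "$dir/old.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:4096 -nodes -sha512 -days 30 -subj "/CN=new-client" \
        -keyout "$dir/new.key" -out "$dir/new.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/new.key" -in "$dir/new.crt" \
        -out "$dir/new.p12" -passout pass:test >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demo run.
if command -v openssl >/dev/null 2>&1; then
    echo "OpenSSL major version: $(openssl_major)"
    DEMO_DIR=$(make_fixture)
    audit_cert "$DEMO_DIR/old.crt"
    audit_cert "$DEMO_DIR/new.crt"
    echo "new.p12 (correct password): $(p12_check "$DEMO_DIR/new.p12" test)"
    echo "new.p12 (wrong password):   $(p12_check "$DEMO_DIR/new.p12" wrong)"
fi
```

A bundle that reports `legacy-only` will still load in OpenVPN on the router (IPFire's own software is built for openssl-3.x, as said above), but any custom script that feeds it to the plain `openssl pkcs12` command needs `-legacy` added or the file re-exported, which is exactly the kind of evaluation the Core Update notes ask for.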

Thank you for your kind help!

I have decided that it is better to do all the changes and pump up the security when 175 is released, then I do not need to think about it again for many years.

Been reading at wiki.ipfire.org - Global settings and if I want best security, should I change:

  1. First step
    Global settings
    Protocol: UDP = NO CHANGE
    MTU size: 1400 = NO CHANGE
    Destination port: 443 = NO CHANGE
    Hash algorithm: SHA2 (256 bit) = NEW: SHA2 (512 bit)
    Encryption: AES-CBC (256 bit) = NEW: AES-GCM (256 bit)
    TLS Channel Protection: False = NEW: True

Are the above the best settings?

  2. Second step
    New SSLv3 certificates and keys. But how do I change these settings (and to what should I change them)? "Remove X509" is greyed out:
    Certificate Authorities and -Keys
    Diffie-Hellman-Parameter DH Parameters: (4096 bit) = NO CHANGE?
    TLS-Authentification-Key 2048 bit OpenVPN static key = NEW: No idea

  3. Third step
    Create new host certificate p12-files and ovpn-files

That matches what I am using, and those are the strongest currently available options, which will give you good protection for many years.

Stop the OpenVPN server first and then the button will no longer be greyed out.

You don’t have to choose anything anymore. The Diffie Hellman setting used to give choices but back in Core Update 172 this was changed to define a fixed Diffie-Hellman file that is 4096 bits.

The TLS-Authentication key only has the one size of 2048 bits.

So just remove the x509 settings and after this has been done you will have an empty OpenVPN screen.
Take note of any settings or names/remarks you want to use for the client connections when you remake them, as those will also be cleared out when you remove the x509.

After remaking the x509 plus all client certificates and installing on the clients and confirming working, make a backup on the IPFire backup. This will then have the new x509/client configs etc stored in it.

Do not restore from any backup before you removed the x509 otherwise that will restore the old x509 plus the old client connections.


Thanks for the help @bonnietwin and @cfusco !

So, I did this after updating to Core-Update 175

0. Stop OpenVPN server
Click the “Stop OpenVPN Server” button. Otherwise we can’t save or delete old certificates.

1. Settings
Global Settings
Protocol: UDP
MTU size: 1500

EDIT: With MTU 1500 I got OpenVPN latency problems. When I instead tried 1360, all problems went away. More info here OpenVPN latency problem (was: Can ISP or Router prevent access via OpenVPN to some private not secure sites? Or is it my settings?) - #2 by cfusco

Destination port: 1194
Hash algorithm: SHA2 (512 bit)
Encryption: AES-GCM (256 bit)
TLS Channel Protection: True

Click the “Save” button

2. Take notes of client info
This is the most important step.

Take note of any settings or names/remarks you want to use for the client connections when you remake them.

All these will be cleared out when you remove the x509.

3. Remove x509
Click “Remove x509” button and then confirm you want to delete it.

4. Create new root/host certificates
Click “Generate root/host certificates” button
Fill the form and then click the “Generate root/host certificates” button

If you need help, see here: wiki.ipfire.org - Generate Server certificates and keys

5. Start OpenVPN server
Click the “Start OpenVPN Server” button

6. Recreate files for clients
Under “Connection Status and -Control”, click the “Add” button and recreate the clients you took notes of in step 2.

If you need help, see here: wiki.ipfire.org - Client configuration

7. Make a backup
Go to the menu System - Backup and create a new backup.

This will then have the new x509/client configs etc stored in it.

Do not restore from any backup before you removed the x509 otherwise that will restore the old x509 plus the old client connections.
