SSL VPN – OpenVPN 2.4 TLS-Crypt vs Elliptic Curve

openvpnsslvpn

If I understand correctly from OpenVPN 2.4 manual, if one is using ECDH TLS cipher suites then they can set dh none. This will have same security level (or better) as using dh key, is this a correct assumption?
About the tls-auth, the manual says "Use –tls-crypt instead if you want to use the key file to not only authenticate, but also encrypt the TLS control channel.".

Currently I do NOT have tls-auth or tls-crypt setup in configuration but in logs I see

Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1

Does that mean that tls-crypt option is NOT necessary if elliptic curve is used? or what additional security does tls-crypt add if control channel is already encrypted even without this option? and does it make any difference if one is using UDP or TCP?

Thanks!

Best Answer

ECDH and DH are both variants of the Diffie-Hellman key exchange and require an abelian group with computationally complex division. However:
- Generating good finite fields for the DH algorithm is relatively easy (though time consuming), so OpenVPN asks you to do it with openssl dhparam and provide the result with dh <filename>. This way you don't use the predefined groups that might be subject to the Logjam attack, which is within NSA budget. However, factorization in finite fields is a well understood subject, so DH is slower than ECDH with a comparable level of security.
- Generating good elliptic curves is difficult, so you must use the predefined ones and there is no ecdh <filename> option. As for the dh option, you can use dh none with elliptic curves. Division on an elliptic curve is not very well developed, so to have a similar level of security as DH nowadays you need smaller curves.
Even without the tls-auth or tls-crypt options, your data will always be encrypted. The TLS protocol encrypts data with a key obtained in a key exchange, as in the previous point. These options control what to do with the 4 packets of the TLS Handshake:

Usually (as in the HTTPS protocol) they are unencrypted since the peers don't have any prior knowledge of each other. But with OpenVPN you have an advantage: you can configure on the server and all authorized clients a common symmetric key, which will sign or encrypt these 4 packets.

This will allow the server to drop all not signed ClientHello messages, before even allocating resources for the computationally heavy TLS protocol. Hence, it will more easily survive a DDoS attack, where an attacker initiates thousands of connections at once.

Using tls-auth is similar to configuring a common WEP key on a Wi-Fi network, together with a per-client WPA-Enterprise authentication. The main difference is that WEP encryption is heavily broken, whereas HMAC signatures or AES encryption isn't. Therefore you won't be able to reproduce the aforementioned configuration on a Wi-Fi network (it is not supported by software).
The UDP vs TCP choice is a no brainer: use UDP whenever possible. TCP guarantees that all emitted IP packets will not be lost and will arrive in the order they were sent.

This sounds nice, but your VPN tunnel will also transport inner TCP connections. If a packet is lost, both the OpenVPN client and the program that established the inner TCP connection will start retransmitting. However the retransmitted packets from the inner connection will arrive to their destination after those retransmitted by OpenVPN were delivered. This causes unnecessary network traffic.

Edit: A comparison between the strength of DH and ECDH is available e.g. on Keylength.com:

the required size of the DH group is in the column Discrete Logarithm Group,
the size of an elliptic curve with equivalent strength is in the column Elliptic Curve,

For example the following configuration for elliptic curves:

ecdh-curve prime256v1

is equivalent to generating DH parameters with openssl dhparam -out /etc/openvpn/dh.pem 3072 and using:

dh /etc/openvpn/dh.pem

The values provided by the NIST Recommendations correspond roughly to OpenSSL security levels. The default security level is level 1, which means a minimum of 2048 bits for the DH groups and 224 bits for elliptic curves. You can increase it using the tls-cipher option (cf. OpenSSL documentation for the format). E.g. setting:

tls-cipher DEFAULT:@SECLEVEL=4

will cause OpenVPN connections to fail, until you adjust the two settings above to the required group sizes (7680 for DH and 384 for ECDH).

Related Solutions

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

From the article you linked, there are three recommended steps to protect yourself against this vulnerability. In principle these steps apply to any software you may use with SSL/TLS but here we will deal with the specific steps to apply them to Apache (httpd) since that is the software in question.

Disable Export Cipher Suites

Dealt with in the configuration changes we'll make in 2. below (!EXPORT near the end of the SSLCipherSuite line is how we'll disable export cipher suites)

Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)

For this, you need to edit a few settings in your Apache config files - namely SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder to have a "best-practices" setup. Something like the following will suffice:

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSLHonorCipherOrder     on

Note: as for which SSLCipherSuite setting to use, this is always changing, and it is a good idea to consult resources such as this one to check for the latest recommended configuration.

3. Generate a Strong, Unique Diffie Hellman Group

To do so, you can run

openssl dhparam -out dhparams.pem 2048.

Note that this will put significant load on the server whilst the params are generated - you can always get around this potential issue by generating the params on another machine and using scp or similar to transfer them onto the server in question for use.

To use these newly-generated dhparams in Apache, from the Apache Documentation:

To generate custom DH parameters, use the openssl dhparam command. Alternatively, you can append the following standard 1024-bit DH parameters from RFC 2409, section 6.2 to the respective SSLCertificateFile file:

(emphasis mine)

which is then followed by a standard 1024-bit DH parameter. From this we can infer that the custom-generated DH parameters may simply be appended to the relevant SSLCertificateFile in question.

To do so, run something similar to the following:

cat /path/to/custom/dhparam >> /path/to/sslcertfile

Alternatively, as per the Apache subsection of the article you originally linked, you may also specify the custom dhparams file you have created if you prefer not to alter the certificate file itself, thusly:

SSLOpenSSLConfCmd DHParameters "/path/to/dhparams.pem"

in whichever Apache config(s) are relevant to your particular SSL/TLS implementation - generally in conf.d/ssl.confor conf.d/vhosts.conf but this will differ depending on how you have configured Apache.

It is worth noting that, as per this link,

Before Apache 2.4.7, the DH parameter is always set to 1024 bits and is not user configurable. This has been fixed in mod_ssl 2.4.7 that Red Hat has backported into their RHEL 6 Apache 2.2 distribution with httpd-2.2.15-32.el6

On Debian Wheezy upgrade apache2 to 2.2.22-13+deb7u4 or later and openssl to 1.0.1e-2+deb7u17. The above SSLCipherSuite does not work perfectly, instead use the following as per this blog:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA

You should check whether your Apache version is later than these version numbers depending on your distribution, and if not - update it if at all possible.

Once you have performed the above steps to update your configuration, and restarted the Apache service to apply the changes, you should check that the configuration is as-desired by running the tests on SSLLabs and on the article related to this particular vulnerability.

WARNING – None of the Ciphers Specified Are Supported by the SSL Engine

As explained here you may have to set the ciphers list like this :

sslProtocols = "TLS"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_25‌6_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

The first part, ECDHE, specifies what key exchange algorithm should be used. [...]

Next up is the authentication algorithm, RSA. [...]

The bulk cipher, AES128-GCM is the main encryption algorithm and used to encrypt all the traffic. [...]

The last part, SHA256, identifies the message digest in use, which verifies the authenticity of messages.

Best Answer

Related Solutions

Apache – How to Fix ‘Logjam’ Vulnerability in Apache (httpd)

WARNING – None of the Ciphers Specified Are Supported by the SSL Engine

Related Topic