[Openvpn-users] openvpn 2.4.1 with gost engine
R.S
2017-04-18 09:25:14 UTC
Hello.
I have just built openvpn with openvpn-build with these versions:
OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.2k}"
PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.11}"
LZO_VERSION="${LZO_VERSION:-2.10}"
TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.21.2}"
OPENVPN_VERSION="${OPENVPN_VERSION:-2.4.1}"
OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-11}"

Compilation success, no problem.
I modified openssl.cnf to include engine gost.
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
gost = gost_section
[gost_section]
default_algorithms=ALL
engine_id=gost

openssl ciphers | tr ":" "\n" | grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

openssl list-message-digest-algorithms | grep gost
gost-mac
md_gost94
gost-mac
md_gost94

openssl shows me GOST.

------
gost-server.ovpn
-----
dev tap
engine gost
auth gost-mac
cipher gost89
tls-cipher GOST2001-GOST89-GOST89
#comp-lzo yes
ca ca.crt
cert server.crt
key server.key
dh    dhparam.pem
server 10.0.0.0 255.255.255.0
keepalive 10 120
proto tcp
socket-flags TCP_NODELAY
persist-key
persist-tun

openvpn gost-server.ovpn tells me
-- Initializing OpenSSL support for engine 'gost'
-- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
-- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
-- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
-- Exiting due to fatal error

Please help with this problem
David Sommerseth
2017-04-18 11:53:29 UTC
On 18/04/17 11:25, R.S wrote:
[...snip...]
Post by R.S
openvpn gost-server.ovpn tells me
-- Initializing OpenSSL support for engine 'gost'
-- Deprecated TLS cipher name 'GOST2001-GOST89-GOST89', please use IANA
name 'TLS_GOSTR341001_WITH_28147_CNT_IMIT'
-- OpenSSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
-- Failed to set restricted TLS cipher list: GOST2001-GOST89-GOST89
-- Exiting due to fatal error
Please help with this problem
AFAIR, OpenVPN does not support GOST. It needs some additional patches
[1]. That was considered many years ago, but the interest was so low
and it was really not asked for, so the patch review never completed.

[1]
<http://www.mail-archive.com/openvpn-***@lists.sourceforge.net/msg07278.html>

Those patches were sent for review back in 2012 and this is actually the
first time I can recall anyone asking for GOST. So this is also why it
was never prioritised to get official GOST support into OpenVPN; the
interest in that has been fairly low.

Another part is the question of whether GOST is considered a good cipher ...
here are some opinions on that from Kenn White:
<https://twitter.com/ECCTLS/status/852193290296463360>
<https://twitter.com/kennwhite/status/632275752210165760>

And the conclusion from the paper the last tweet mentions:

"The S-Box used by the last two Russian standards in symmetric
cryptography has a hidden structure which we managed to completely
recover. The knowledge of this decomposition gives us a
significantly more efficient hardware implementation. However,
it is based on sub-components whose lack of cryptographic strength
is puzzling."

So there are strong concerns about the strength and how secure GOST
really is in real life.

These days we recommend using OpenVPN v2.4, which provides support
for AES-GCM, which is currently considered one of the safer cipher
options available today in both OpenSSL and mbed TLS.

Of course, if you are deploying this in an environment where GOST is
required for policy compliance, that will make a switch to AES-GCM more
difficult. Unfortunately, GOST support in OpenVPN is currently not
anywhere near being implemented in the near future.
--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc