
Bug#1012664: network-manager-openvpn: --cipher option deprecated in OpenVPN 2.6, no option to set suggested --data-ciphers flag instead


Simon Greaves

Jun 11, 2022, 9:10:03 AM
Package: network-manager-openvpn
Version: 1.8.18-3
Severity: important
X-Debbugs-Cc: sjgr...@gmail.com

Dear Maintainer,

* What led up to the situation?

I have a subscription to an OpenVPN service which uses the AES-256-CBC
cipher. This was configured using the nm-openvpn-gnome UI and up until
the most recent OpenVPN version worked well, albeit with a warning in
the daemon.log file that the --cipher flag was to be deprecated. Now,
having updated OpenVPN, the connection fails because the flag is
ignored. OpenVPN logs the suggestion that the cipher I need should
be added to the --data-ciphers list.

from daemon.log:
nm-openvpn[3234]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher
for cipher negotiations.
...
nm-openvpn[3234]: OPTIONS ERROR: failed to negotiate cipher with
server. Add the server's cipher ('AES-256-CBC') to --data-ciphers
(currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to
connect to this server.

* What exactly did you do (or not do) that was effective (or
ineffective)?

Just trying to enable the VPN fails due to the required cipher not
being in the --data-ciphers list. There is no obvious way to do this
with the nm-openvpn tool; a quick glance at the source implies that
the --cipher flag is hardcoded there.

I tried adding the --data-ciphers list including the AES-256-CBC cipher
to the /etc/default/openvpn file, but that didn't seem to help.

* What was the outcome of this action?

I have been trying to recompile the network-manager-openvpn package
from source having modified it but so far have been unsuccessful due
to unfamiliarity with packaging.

* What outcome did you expect instead?

If nm-openvpn passes the correct flags then I expect the connection to
come up and work - it was fully operational with the previous OpenVPN
release. I will try configuring an OpenVPN client config file by hand
but obviously the nm-openvpn tool will need to be updated to reflect
the changes to OpenVPN itself.



-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages network-manager-openvpn depends on:
ii adduser 3.121
ii libc6 2.33-7
ii libglib2.0-0 2.72.1-1
ii libnm0 1.38.0-2
ii network-manager 1.38.0-2
ii openvpn 2.6.0~git20220518+dco-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information

Gard Spreemann

Jun 21, 2022, 7:10:04 AM
Hello,

I'm also affected by this bug. Inspection of the upstream code shows
that the NetworkManager OpenVPN plugin has no notion of the
--data-ciphers flag of OpenVPN. The previously used --cipher flag, which
NM does know about, used to imply appending the cipher to the
--data-ciphers list, but that is no longer the case as of OpenVPN 2.6 [1].

I've attached a very rudimentary patch that adds support for
--data-ciphers to network-manager-openvpn, and passes the corresponding
string on as an OpenVPN argument. The patch is a bit crude, and treats
--data-ciphers _exactly_ like --cipher was already treated. That might
not be appropriate, as the former has the structure of a colon-separated
list, and any GUI/TUI interface might want to reflect that
visually/functionally. My patch treats it as an opaque string.

With the patch, one can in a network-manager-openvpn VPN connection add
an entry of the form

data-ciphers = WHATEVER

to the .data field of the VPN connection, and WHATEVER will be passed on
to OpenVPN's --data-ciphers argument.

I'll try to have this patch upstreamed, but in the meantime it might be
appropriate for inclusion into Debian so as not to break people's
NM-managed VPN connections upon upgrading OpenVPN.


PS: Simon, you indicate that you are having trouble due to being
unfamiliar with Debian packaging. Do let me know if you'd like me to
provide a precompiled package with the patch included.


[1] https://github.com/OpenVPN/openvpn/blob/0dbcaba4f301c21e68a5cd032a4b56eb75c17c37/Changes.rst

Best,
Gard
Add-support-for-OpenVPN-s-data-ciphers.patch
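As an added example for this thread (not code from the bug report, from the attached patch, or from network-manager-openvpn), the script below does by hand what the reporter's hand-written client config and the patch above both need: it parses an OpenVPN client config, applies the OpenVPN 2.6 rule that `--cipher` must also appear in `--data-ciphers`, emits a corrected `data-ciphers` line, and renders the same value as the `data-ciphers` entry for the connection's .data field (the key name `data-ciphers` is assumed from the patch description, the `+vpn.data key=value` nmcli syntax is assumed, and the sample config with `vpn.example.net` is constructed for the example).

```python
"""Lint an OpenVPN client config for the OpenVPN 2.6 --cipher / --data-ciphers
mismatch discussed in this bug and produce the corrected lines.

Added example for this thread, not code from the bug report, from the
attached patch or from network-manager-openvpn.  Assumptions are marked.
"""
from typing import Dict, List, Tuple

# OpenVPN 2.6's built-in --data-ciphers default, as quoted in the daemon.log
# lines of the report.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

# Constructed sample client config, not the reporter's real one; the remote
# host name is a placeholder.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# the provider's server only offers this non-AEAD cipher
cipher AES-256-CBC
auth SHA256
"""


def parse_config(text: str) -> Dict[str, str]:
    """Map option name -> argument string.  Whole-line comments ('#' or ';'
    at the start) are skipped; a repeated option keeps its last value, as
    OpenVPN does."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_ciphers(opts: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, data_ciphers).

    ok is False when --cipher names an algorithm missing from --data-ciphers,
    the condition OpenVPN 2.6 reports as "failed to negotiate cipher with
    server".  data_ciphers is a list that satisfies the check: the existing
    list with the server's cipher appended, so the AEAD entries stay in front
    and the non-AEAD cipher is only a last resort.
    """
    cipher = opts.get("cipher")
    current = opts.get("data-ciphers", DEFAULT_DATA_CIPHERS)
    allowed = [c for c in current.split(":") if c]
    if cipher is None or cipher.upper() in {c.upper() for c in allowed}:
        return True, current
    return False, ":".join(allowed + [cipher])


def fixed_config(text: str) -> str:
    """Return the config with a data-ciphers line that includes the --cipher
    value; any existing data-ciphers line is replaced.  The deprecated cipher
    line is left in place: OpenVPN 2.6 ignores it for negotiation but still
    accepts it."""
    ok, data_ciphers = check_ciphers(parse_config(text))
    if ok:
        return text
    kept = [l for l in text.splitlines()
            if not l.strip().startswith("data-ciphers ")]
    kept.append(f"data-ciphers {data_ciphers}")
    return "\n".join(kept) + "\n"


def nm_keyfile_entry(data_ciphers: str) -> str:
    """Line for the [vpn] section of the NetworkManager key file, which holds
    the connection's .data entries.  Assumption: the key is spelled
    'data-ciphers', as described for the attached patch."""
    return f"data-ciphers={data_ciphers}"


def nmcli_command(connection: str, data_ciphers: str) -> List[str]:
    """argv that adds the same key with nmcli (assumed '+vpn.data key=value'
    syntax); returned for inspection, not executed."""
    return ["nmcli", "connection", "modify", connection,
            "+vpn.data", nm_keyfile_entry(data_ciphers)]


if __name__ == "__main__":
    ok, ciphers = check_ciphers(parse_config(SAMPLE_CONFIG))
    print("negotiable with OpenVPN 2.6:", ok)
    print(fixed_config(SAMPLE_CONFIG))
    print(" ".join(nmcli_command("MyProviderVPN", ciphers)))
```

Two caveats a practitioner should keep in mind: adding AES-256-CBC to the list keeps the connection working, but it is a non-AEAD cipher, so a server that really only offers CBC leaves you with a weaker data channel than the GCM/ChaCha20 defaults; and for a server that does not negotiate ciphers at all, OpenVPN 2.5 and later provide `--data-ciphers-fallback` as the intended replacement for `--cipher`, which the script deliberately does not set for you.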

Gard Spreemann

Jun 21, 2022, 7:40:04 AM
A prebuilt package with the patch can be found at

https://nonempty.org/packages/sid/network-manager-openvpn/


-- Gard


Thomas Löscher

Jun 23, 2022, 3:30:04 AM
Hello,

there is already an open issue on upstream project:
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/97

Perhaps, if more people express a need for this modification, it will
get some attention.

Best regards
Thomas

Gard Spreemann

Jun 23, 2022, 3:50:03 AM
Thanks! I have no idea how I missed that!

-- Gard