FreePBX / issue-tracker

The unified FreePBX issue tracker.
https://www.freepbx.org
GNU General Public License v3.0

[bug]: OpenVPN Digium D65 Requires Update #492

Open KSRyanMerritt opened 1 month ago

KSRyanMerritt commented 1 month ago

FreePBX Version

FreePBX 17

Issue Description

2024-10-11 00:51:34 client17/72.194.10.73:44011 TLS: soft reset sec=3318/3318 bytes=700805/67108864 pkts=1410/0
2024-10-11 00:51:34 client17/72.194.10.73:44011 VERIFY OK: depth=1, CN=FreePBX
2024-10-11 00:51:34 client17/72.194.10.73:44011 VERIFY OK: depth=0, CN=client17
2024-10-11 00:51:34 client17/72.194.10.73:44011 peer info: IV_VER=2.3.2
2024-10-11 00:51:34 client17/72.194.10.73:44011 peer info: IV_PLAT=linux
2024-10-11 00:51:34 client17/72.194.10.73:44011 Control Channel: TLSv1, cipher TLSv1.0 ECDHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-10-11 00:51:34 client17/72.194.10.173:44011 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
2024-10-11 00:51:34 client17/72.194.10.173:44011 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.

Operating Environment

asterisk -V Asterisk 18.24.1

cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

openvpn --version
OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

Relevant log output

Digium D65 has old OpenVPN version 2.3.2, which is insecure and not allowed to connect to Debian's installed version of OpenVPN, which is 2.6.3. The only way to get this to connect is to enable legacy mode, which is a security risk. Could you please update the OpenVPN client?

cat /etc/openvpn/sysadmin_server1.conf

tls-cert-profile insecure
providers legacy default
compat-mode 2.3.0

KSRyanMerritt commented 1 day ago

@kguptasangoma I am unsure if this recent release of System Admin was an attempt to fix the VPN issue listed here, but this broke every system with a Digium D Series phone connecting to a VPN.

System Admin Version: 17.0.2.3

Issue: VPN Server generates files with compatibility settings in /etc/openvpn/clients/sysadmin_client34.conf

These do not work directly in the phone VPN config for us. If they are applied to the phone's VPN config, the phone cannot connect to the VPN. They do, however, work the way I have them applied above in /etc/openvpn/sysadmin_server1.conf.

Here is the output that the new update creates that does not work on the Digium D Series phones. If this needs to be submitted as a separate bug, please let me know.

# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Tue, 12 Nov 2024 18:04:39 +0000
client
dev tun
proto udp
resolv-retry 60
nobind
persist-key
persist-tun
providers legacy default
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0" 
tls-version-min 1.0 
remote-cert-tls server
ca sysadmin_ca.crt
cert sysadmin_client34.crt
key sysadmin_client34.key
comp-lzo
verb 3
reneg-sec 3600
data-ciphers-fallback BF-CBC
remote xx.xx.xx.xx 1194

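The server-side settings in the opening post (tls-cert-profile insecure, providers legacy default, compat-mode 2.3.0) and the client file generated by System Admin 17.0.2.3 above both turn on OpenVPN's legacy/compatibility behaviour, and the server log shows OpenVPN's own SWEET32 warning for BF-CBC. The following is an added audit script, not FreePBX or Sysadmin code, that a PBX administrator could run to find which installations still carry these settings and which peers still negotiate a 64-bit block cipher. It parses OpenVPN config fragments into directives, flags the specific legacy options seen in this thread, and scans server log lines for the "WARNING: INSECURE cipher" message. The config fragments and log lines embedded in it are constructed to mirror the ones posted here.

```python
"""Audit OpenVPN configs for legacy/compat directives and scan server logs
for OpenVPN's INSECURE-cipher warning. Added example; not FreePBX code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    directive: str
    value: str
    reason: str


# 64-bit block ciphers, the class OpenVPN's SWEET32 warning is about.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Matches lines like:
# 2024-10-11 00:51:34 client17/72.194.10.173:44011 WARNING: INSECURE cipher (BF-CBC) ...
LOG_WARNING = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<peer>\S+) WARNING: INSECURE cipher \((?P<cipher>[^)]+)\)"
)


def parse_openvpn_config(text: str) -> list[tuple[str, str]]:
    """Return (directive, argument) pairs; blank lines and # or ; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        entries.append((directive, value))
    return entries


def audit_config(text: str) -> list[Finding]:
    """Flag the legacy directives discussed in the thread, one Finding per offending line."""
    findings = []
    for directive, value in parse_openvpn_config(text):
        if directive in ("data-ciphers", "data-ciphers-fallback", "cipher"):
            bad = [c for c in value.split(":") if c.upper() in SMALL_BLOCK_CIPHERS]
            if bad:
                findings.append(Finding(directive, value,
                    f"64-bit block cipher {bad} (SWEET32); OpenVPN 2.7 drops support"))
        elif directive == "tls-version-min" and value.startswith(("1.0", "1.1")):
            findings.append(Finding(directive, value,
                "control channel allows TLS below 1.2"))
        elif directive == "tls-cipher" and "@SECLEVEL=0" in value.upper():
            findings.append(Finding(directive, value,
                "OpenSSL security level 0 removes key-size and algorithm floors"))
        elif directive == "tls-cert-profile" and value.lower() == "insecure":
            findings.append(Finding(directive, value,
                "accepts peer certificates weaker than the default profile"))
        elif directive == "providers" and "legacy" in value.lower().split():
            findings.append(Finding(directive, value,
                "OpenSSL legacy provider loaded; only needed for ciphers such as BF-CBC"))
        elif directive == "compat-mode":
            findings.append(Finding(directive, value,
                f"compatibility with OpenVPN {value} re-enables deprecated defaults"))
        elif directive == "comp-lzo":
            findings.append(Finding(directive, value,
                "compression enabled; deprecated in current OpenVPN"))
    return findings


def scan_log(lines: list[str]) -> dict[str, set[str]]:
    """Map each peer CN to the set of insecure ciphers the server warned about."""
    seen: dict[str, set[str]] = {}
    for line in lines:
        m = LOG_WARNING.match(line)
        if m:
            cn = m["peer"].split("/")[0]       # "client17/72.194.10.173:44011" -> "client17"
            seen.setdefault(cn, set()).add(m["cipher"])
    return seen


# Constructed fragments mirroring the thread (not copied from a live system).
SERVER_FRAGMENT = "tls-cert-profile insecure\nproviders legacy default\ncompat-mode 2.3.0\n"
CLIENT_FRAGMENT = """# Configuration automatically generated via Sysadmin RPM
client
dev tun
providers legacy default
data-ciphers BF-CBC
tls-cipher "DEFAULT:@SECLEVEL=0"
tls-version-min 1.0
remote-cert-tls server
comp-lzo
data-ciphers-fallback BF-CBC
remote 203.0.113.10 1194
"""
SAMPLE_LOG = [
    "2024-10-11 00:51:34 client17/72.194.10.173:44011 VERIFY OK: depth=0, CN=client17",
    "2024-10-11 00:51:34 client17/72.194.10.173:44011 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).",
    "2024-10-11 00:51:34 client17/72.194.10.173:44011 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).",
]

if __name__ == "__main__":
    for name, frag in (("server", SERVER_FRAGMENT), ("client", CLIENT_FRAGMENT)):
        for f in audit_config(frag):
            print(f"{name}: {f.directive} {f.value!r}: {f.reason}")
    print("peers with insecure ciphers:", scan_log(SAMPLE_LOG))
```

Run against /etc/openvpn/sysadmin_server1.conf and the files under /etc/openvpn/clients/, the script lists every legacy directive by name so an administrator can see exactly what a phone firmware update would allow them to remove; the log scan over the server's OpenVPN log then confirms which phones still negotiate BF-CBC after the cleanup.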
kguptasangoma commented 1 day ago

hi @KSRyanMerritt

We didn't do any fixes related to cert/SSL recently. Do you know which version of sysadmin was working for you, so I can try to see the list of fixes?

KSRyanMerritt commented 1 day ago

@kguptasangoma The working version is the version before this recent release of System Admin, which is 17.0.1.98. Once we upgraded our PBXes to System Admin version 17.0.2.3, it started generating these VPN file changes.

kguptasangoma commented 1 day ago

Let me check, thanks for the update @KSRyanMerritt

KSRyanMerritt commented 10 hours ago

@kguptasangoma Turns out this is actually present in System Admin version 17.0.1.96 as well.