OpenVPN / openvpn-build

OpenVPN Build

Configure OpenSSL while Building #257

Open Emrehan opened 2 years ago

Emrehan commented 2 years ago

Hi,

Is it possible to add a config file to the OpenSSL that is used by OpenVPN? I want to change the supported ciphers and remove weak ones. I know I can use parameters like --cipher, but I want to change the "Client Hello" message in the Wireshark capture.

cron2 commented 2 years ago

Hi,

On Wed, Jun 08, 2022 at 04:26:07AM -0700, Emrehan ??LHAN wrote:

Is it possible to add a config file to the OpenSSL that is used by OpenVPN? I want to change the supported ciphers and remove weak ones. I know I can use parameters like --cipher, but I want to change the "Client Hello" message in the Wireshark capture.

To influence TLS ciphers, do not use --cipher but --tls-cipher and --tls-groups (TLS 1.0-1.2) and --tls-ciphersuites (TLS 1.3).

Alternatively, "--tls-cert-profile preferred" or "suiteb".

gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany @.***

Emrehan commented 2 years ago

Hi,

Thanks for your answer. It solved most of my problems. I can change ciphers with --tls-cipher and --tls-ciphersuites and I can change cipher & signature algorithms with --tls-cert-profile.

--tls-cert-profile suiteb removes more than I want, and --tls-cert-profile preferred has 3 more signature algorithms that I want to remove.

Is there any way to remove a signature algorithm (digest)?

lstipakov commented 2 years ago

You could put your OpenSSL config file at C:\Program Files\OpenVPN\ssl\openssl.cnf - this will be used by OpenVPN at OpenSSL initialization.

Emrehan commented 2 years ago

I do not actually install OpenVPN. I use the exe file that is located in my project folder. Does it still work if I put a config file in the same directory?

lstipakov commented 2 years ago

It should work with the latest releases.

Emrehan commented 2 years ago

I'm using version 2.4.11; how can I check if it is supported or not?

cron2 commented 2 years ago

Hi,

On Fri, Jun 10, 2022 at 01:45:20AM -0700, Emrehan ??LHAN wrote:

I'm using version 2.4.11; how can I check if it is supported or not?

Please upgrade to 2.5.7 - the 2.4 code base is old, and out of support.


flyhigao commented 2 years ago

Same requirement here. @Emrehan how did you solve this?

Emrehan commented 2 years ago

Same requirement here. @Emrehan how did you solve this?

Hey

If you use a newer version of OpenVPN, you can just add an openssl.conf file. There are lots of examples of it on the internet.

If not, the

--tls-ciphersuites --tls-cipher --tls-cert-profile

options should fix most of the cases. However, if you want more control over it, I rebuilt OpenVPN by changing the source code. I added some lines to use the openssl library in the openvpn source code. You can follow this option to see how it works (--tls-cert-profile).

Hope it helps
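As an added example (not from this thread or the OpenVPN project), here is the kind of openssl.cnf that lstipakov's and Emrehan's comments refer to: it restricts what OpenVPN's bundled OpenSSL advertises in the Client Hello, including the signature_algorithms extension that the --tls-cipher / --tls-ciphersuites / --tls-groups / --tls-cert-profile options do not expose individually. It assumes OpenSSL 1.1.1 or later config syntax, the C:\Program Files\OpenVPN\ssl\openssl.cnf location named above, and the specific cipher, group and signature lists are illustrative choices, not a recommendation from the thread.

```ini
# Added example, not from the thread: openssl.cnf for the OpenSSL that OpenVPN loads.
# Assumes OpenSSL 1.1.1+ SSL_CONF syntax; place at C:\Program Files\OpenVPN\ssl\openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

# These defaults apply to every SSL_CTX the process creates, so they shape the Client Hello.
[system_default_sect]
MinProtocol = TLSv1.2

# TLS 1.2 cipher list (same role as --tls-cipher, but in OpenSSL's own naming).
CipherString = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# TLS 1.3 suites (same role as --tls-ciphersuites).
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# Key-exchange groups offered in supported_groups (same role as --tls-groups).
Groups = X25519:P-384:P-256

# Signature algorithms offered in the signature_algorithms extension, most preferred first.
# Listing only these drops the SHA-1 and SHA-224 entries a default build would advertise.
SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA256:RSA+SHA384:RSA+SHA256
```

Verify the effect the same way the original question did: capture a handshake and compare the Client Hello's cipher_suites, supported_groups and signature_algorithms fields before and after the file is in place, and make sure the server side still has at least one overlapping choice in each list.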