Open stephane-rochoy-stormshield opened 7 months ago
flichtenheld
commented
7 months ago Indeed. Introduced by e950ca1b9fca58e97aacedc5c0229856aa1e4e86 in 2.6.2. Probably not a lot of people are hitting this since OpenVPN is usually compiled with LZO support and hopefully compression usage is going down due to security recommendations. But should definitely be fixed.
flichtenheld
commented
7 months ago 
stephane-rochoy-stormshield
commented
7 months ago Was hit after moving from LZO to LZ4 to get better performances. But if I understand correctly, the recommendation is to fully disable compression?
flichtenheld
commented
7 months ago Was hit after moving from LZO to LZ4 to get better performances. But if I understand correctly, the recommendation is to fully disable compression?
Yes, disabling compression is generally advised. New DCO kernel drivers for OpenVPN don't even support it. Quoting the man page for --compress:
Security Considerations
Compression and encryption is a tricky combination. If an attacker knows or is able to control (parts of) the plain-text of packets that contain secrets, the attacker might be able to extract the secret if compression is enabled. See e.g. the CRIME and BREACH attacks on TLS and VORACLE on VPNs which also leverage to break encryption. If you are not entirely sure that the above does not apply to your traffic, you are advised to not enable compression.
stephane-rochoy-stormshield
commented
7 months ago Ok, got it. Thanks for your time!
https://github.com/OpenVPN/openvpn/blob/54475711eb119f6fbb263880fca08d4b10df752a/src/openvpn/comp.c#L189-L204
LZ4 is wrongly mixed into the condition at line 198.