Ребята, в последней версии PFSENSE убрали алгоритм шифрования данных BF-CBC — и правильно сделали. Кроме того, в скором времени OpenVPN тоже прекратит поддержку предварительно общих ключей.
Кто как решает вопрос с site-to-site VPN на OpenVPN? Я не вижу, как в Unifi сменить BF-CBC и SHA1. Даже логи Unifi жалуются на это, но самое тупое — они не дают нам настроить свои параметры.
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Кто как решает вопрос с site-to-site VPN на OpenVPN? Я не вижу, как в Unifi сменить BF-CBC и SHA1. Даже логи Unifi жалуются на это, но самое тупое — они не дают нам настроить свои параметры.
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Outgoing Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: Incoming Static Key Encryption: Cipher 'BF-CBC' initialized with 128 bit key
Nov 09 13:07:15 UniFiDreamMachine openvpn[21786]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.