Configure OpenSSL while Building

Open Emrehan opened this issue 3 years ago • 9 comments

Hi,

Is it possible to add config file to OpenSSL that is used by OpenVPN? I want to change supported ciphers and remove weak ones. I know I can use parameters like --cipher but I want to change "Client Hello" message in Wireshark capture.

Emrehan, Jun 08 '22 11:06

Hi,

On Wed, Jun 08, 2022 at 04:26:07AM -0700, Emrehan ??LHAN wrote:

Is it possible to add config file to OpenSSL that is used by OpenVPN? I want to change supported ciphers and remove weak ones. I know I can use parameters like --cipher but I want to change "Client Hello" message in Wireshark capture.

To influence TLS ciphers, do not use --cipher but --tls-cipher and --tls-groups (TLS 1.0-1.2) and --tls-ciphersuites (TLS 1.3).

Alternatively, "--tls-cert-profile preferred" or "suiteb".

gert

"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany

cron2, Jun 08 '22 11:06

Hi,

Thanks for your answer. It solved most of my problems. I can change ciphers with --tls-cipher and --tls-ciphersuites and I can change cipher & signature algorithms with --tls-cert-profile.

--tls-cert-profile suiteb removes more than I want, and --tls-cert-profile preferred has 3 more signature algorithms than I want to keep.

Is there any way to remove a signature algorithm (digest)?

Emrehan, Jun 09 '22 10:06

You could put your OpenSSL config file at C:\Program Files\OpenVPN\ssl\openssl.cnf - this will be used by OpenVPN at OpenSSL initialization.

lstipakov, Jun 09 '22 12:06

I do not actually install OpenVPN. I use the exe file that is located in my project file. Will it still work if I put a config file in the same directory?

Emrehan, Jun 10 '22 08:06

It should work with the latest releases.

lstipakov, Jun 10 '22 08:06

I'm using version 2.4.11, how can I check whether it is supported or not?

Emrehan, Jun 10 '22 08:06

Hi,

On Fri, Jun 10, 2022 at 01:45:20AM -0700, Emrehan ??LHAN wrote:

I'm using version 2.4.11, how can I check whether it is supported or not?

Please upgrade to 2.5.7 - the 2.4 code base is old, and out of support.

gert

cron2, Jun 10 '22 16:06

Same requirement here. @Emrehan how did you solve this?

flyhigao, Sep 08 '22 06:09

Same requirement here. @Emrehan how did you solve this?

Hey

If you use a newer version of OpenVPN, you can just add an openssl.conf file. There are lots of examples of it on the internet.

If not,

--tls-ciphersuites, --tls-cipher, --tls-cert-profile

These options should fix most cases. However, if you want more control over it, I rebuilt OpenVPN by changing the source code. I added some lines to use the OpenSSL library in the OpenVPN source code. You can follow this option to see how it works (--tls-cert-profile).

Hope it helps

Emrehan, Sep 08 '22 07:09
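The openssl.cnf approach that lstipakov suggests and Emrehan confirms in the last reply, as an added example that is not from the thread or the OpenVPN project: it uses OpenSSL's ssl_conf system-default section (OpenSSL 1.1.1 or later) to trim the signature_algorithms extension, which no OpenVPN command-line option exposes directly. The path comment and every algorithm list below are illustrative assumptions; pick the ones your servers actually use.

```ini
# Constructed example openssl.cnf for an OpenVPN client (OpenSSL 1.1.1+).
# Windows installer path named in the thread: C:\Program Files\OpenVPN\ssl\openssl.cnf
# Everything in system_default_sect becomes the default for each SSL_CTX
# OpenVPN creates after OpenSSL initialization, so it shapes the ClientHello.
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Do not offer TLS 1.0/1.1 at all (same effect as OpenVPN's --tls-version-min 1.2).
MinProtocol = TLSv1.2

# TLS 1.2 cipher suites: ECDHE + AEAD only (assumed choice; mirrors --tls-cipher).
CipherString = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# TLS 1.3 cipher suites (assumed choice; mirrors --tls-ciphersuites).
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

# The signature_algorithms extension: only these entries are advertised and
# accepted. Anything not listed (e.g. SHA-1 or SHA-224 based entries) disappears
# from the ClientHello. Make sure the server's certificate chain and key type
# can still be verified with what remains.
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA256:RSA-PSS+SHA384:ed25519

# Key-exchange groups offered in supported_groups (mirrors --tls-groups).
Groups = X25519:P-256:P-384
```

OpenVPN still applies its own --tls-cipher, --tls-ciphersuites and --tls-cert-profile settings to the context after it is created, so keep those options consistent with this file; a ClientHello captured in Wireshark after the change should list only the entries above.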