From: James Y. <ji...@nt...> - 2002-04-02 21:04:55
This advisory is only relevant for people using the --cipher option to use either a CFB or OFB mode cipher or a DES cipher. It does not affect anyone using OpenVPN's default cipher, BF-CBC.

* If you try to use a CFB or OFB mode cipher, OpenVPN fails to warn you that you also need to use the --rand-iv option.

* The --rand-iv option currently does not guarantee that each IV is unique for a given key. Uniqueness of IV is a requirement for CFB and OFB mode ciphers. OpenVPN normally uses IVs equal in size to the cipher block size which is usually 64 bits. There is a 50% probability that if you forward 2^32 packets, there will be two packets that have the same IV. The next release of OpenVPN will ensure that each IV is unique when used with a CFB or OFB mode cipher.

* If you use a DES cipher, for example DES-EDE3-CBC, OpenVPN does not check that its randomly generated key is of odd parity and is not a weak or semi-weak key.

I will fix all these issues in 1.1.0 which I hope to have out by the end of this weekend.

Thanks,
Jim Yonan
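The DES key check described in the third item, as an added example that is not part of the original message and is not OpenVPN's code: it forces odd parity on each 8-byte subkey and rejects the 4 weak and 12 semi-weak DES keys so the caller can draw fresh random bytes. The function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* The 4 weak and 12 semi-weak DES keys (odd-parity form). */
static const uint8_t DES_BAD_KEYS[16][8] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

/* Set the low bit of each byte so the byte has an odd number of 1 bits. */
void des_set_odd_parity(uint8_t k[8]) {
    for (int i = 0; i < 8; i++) {
        unsigned ones = 0;
        for (unsigned b = k[i] >> 1; b; b >>= 1) ones += b & 1u;
        k[i] = (uint8_t)((k[i] & 0xFE) | ((ones & 1u) ^ 1u));
    }
}

/* Return 1 if k is weak or semi-weak; parity bits are ignored in the compare. */
int des_is_weak_key(const uint8_t k[8]) {
    for (int n = 0; n < 16; n++) {
        int same = 1;
        for (int i = 0; i < 8; i++)
            if ((k[i] ^ DES_BAD_KEYS[n][i]) & 0xFE) { same = 0; break; }
        if (same) return 1;
    }
    return 0;
}

/* Prepare freshly generated key material (8 bytes for DES, 24 for DES-EDE3):
 * fix parity in place, return 1 if usable, 0 if the caller must draw new bytes. */
int des_prepare_key(uint8_t *key, size_t len) {
    if (len == 0 || len % 8 != 0) return 0;
    for (size_t off = 0; off < len; off += 8) {
        des_set_odd_parity(key + off);
        if (des_is_weak_key(key + off)) return 0;
    }
    return 1;
}
```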