New default cipher suite (#991)

* New ciphers enabled * Update CHANGELOG.md * Switch ecparam to secp384r1 * Change CertificateType to ECDSA384
2025-06-05 22:54:01 +02:00 · 2018-06-27 18:22:45 +03:00 · 2018-06-27 18:22:45 +03:00 · 4ca8c03e3c
commit 4ca8c03e3c
parent b061df6631
7 changed files with 29 additions and 25 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,7 @@
+## 04 Jun 2018
+### Changed
+- Switched to [new cipher suite](https://github.com/trailofbits/algo/issues/981)
+
 ## 24 May 2018
 ### Changed
 - Switched to Ubuntu 18.04
--- a/docs/client-linux.md
+++ b/docs/client-linux.md
@ -73,6 +73,6 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the
    * For the later 2 options, hover to option in the settings to see a description
  * Cipher proposal:
    * Check *Enable custom proposals*
-    * IKE: `aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256`
-    * ESP: `aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256`
+    * IKE: `aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384`
+    * ESP: `aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384`
 * Apply and turn the connection on, you should now be connected
--- a/docs/client-windows.md
+++ b/docs/client-windows.md
@ -48,12 +48,12 @@ Add-VpnConnection @addVpnParams

 $setVpnParams = @{
    ConnectionName = $VpnName
-    AuthenticationTransformConstants = "GCMAES128"
-    CipherTransformConstants = "GCMAES128"
-    EncryptionMethod = "AES128"
+    AuthenticationTransformConstants = "GCMAES256"
+    CipherTransformConstants = "GCMAES256"
+    EncryptionMethod = "AES256"
    IntegrityCheckMethod = "SHA384"
-    DHGroup = "ECP256"
-    PfsGroup = "ECP256"
+    DHGroup = "ECP384"
+    PfsGroup = "ECP384"
    Force = $true
 }
 Set-VpnConnectionIPsecConfiguration @setVpnParams
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@ -25,8 +25,8 @@ strongswan_enabled_plugins:

 ciphers:
  defaults:
-    ike: aes128gcm16-prfsha512-ecp256!
-    esp: aes128gcm16-ecp256!
+    ike: aes256gcm16-prfsha512-ecp384!
+    esp: aes256gcm16-ecp384!
  compat:
-    ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
-    esp: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
+    ike: aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384!
+    esp: aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384!
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@ -42,9 +42,9 @@

  - name: Build the CA pair
    shell: >
-      {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
+      {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem &&
      {{ openssl_bin }} req -utf8 -new
-      -newkey ec:ecparams/prime256v1.pem
+      -newkey ec:ecparams/secp384r1.pem
      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
      -keyout private/cakey.pem
      -out cacert.pem -x509 -days 3650
@ -71,7 +71,7 @@
  - name: Build the server pair
    shell: >
      {{ openssl_bin }} req -utf8 -new
-      -newkey ec:ecparams/prime256v1.pem
+      -newkey ec:ecparams/secp384r1.pem
      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
      -keyout private/{{ IP_subject_alt_name }}.key
      -out reqs/{{ IP_subject_alt_name }}.req -nodes
@ -93,7 +93,7 @@
  - name: Build the client's pair
    shell: >
      {{ openssl_bin }} req -utf8 -new
-      -newkey ec:ecparams/prime256v1.pem
+      -newkey ec:ecparams/secp384r1.pem
      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
      -keyout private/{{ item }}.key
      -out reqs/{{ item }}.req -nodes
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@ -169,12 +169,12 @@ function Add-AlgoVPN {

    $setVpnParams = @{
        ConnectionName = $VpnName
-        AuthenticationTransformConstants = "GCMAES128"
-        CipherTransformConstants = "GCMAES128"
-        EncryptionMethod = "AES128"
+        AuthenticationTransformConstants = "GCMAES256"
+        CipherTransformConstants = "GCMAES256"
+        EncryptionMethod = "AES256"
        IntegrityCheckMethod = "SHA384"
-        DHGroup = "ECP256"
-        PfsGroup = "ECP256"
+        DHGroup = "ECP384"
+        PfsGroup = "ECP384"
        Force = $true
    }
    Set-VpnConnectionIPsecConfiguration @setVpnParams
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@ -60,9 +60,9 @@
                <key>ChildSecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
-                    <integer>19</integer>
+                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
-                    <string>AES-128-GCM</string>
+                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
@ -81,9 +81,9 @@
                <key>IKESecurityAssociationParameters</key>
                <dict>
                    <key>DiffieHellmanGroup</key>
-                    <integer>19</integer>
+                    <integer>20</integer>
                    <key>EncryptionAlgorithm</key>
-                    <string>AES-128-GCM</string>
+                    <string>AES-256-GCM</string>
                    <key>IntegrityAlgorithm</key>
                    <string>SHA2-512</string>
                    <key>LifeTimeInMinutes</key>
@ -94,7 +94,7 @@
                <key>PayloadCertificateUUID</key>
                <string>{{ pkcs12_PayloadCertificateUUID }}</string>
                <key>CertificateType</key>
-                <string>ECDSA256</string>
+                <string>ECDSA384</string>
                <key>ServerCertificateIssuerCommonName</key>
                <string>{{ IP_subject_alt_name }}</string>
                <key>RemoteAddress</key>