From 4ca8c03e3c952981ada128525e6ee5039a520af6 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Wed, 27 Jun 2018 18:22:45 +0300
Subject: [PATCH] New default cipher suite (#991)
* New ciphers enabled
* Update CHANGELOG.md
* Switch ecparam to secp384r1
* Change CertificateType to ECDSA384
---
CHANGELOG.md | 4 ++++
docs/client-linux.md | 4 ++--
docs/client-windows.md | 10 +++++-----
roles/vpn/defaults/main.yml | 8 ++++----
roles/vpn/tasks/openssl.yml | 8 ++++----
roles/vpn/templates/client_windows.ps1.j2 | 10 +++++-----
roles/vpn/templates/mobileconfig.j2 | 10 +++++-----
7 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index da71536..897352b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 04 Jun 2018
+### Changed
+- Switched to [new cipher suite](https://github.com/trailofbits/algo/issues/981)
+
## 24 May 2018
### Changed
- Switched to Ubuntu 18.04
diff --git a/docs/client-linux.md b/docs/client-linux.md
index a24eda1..94a6445 100644
--- a/docs/client-linux.md
+++ b/docs/client-linux.md
@@ -73,6 +73,6 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the
* For the later 2 options, hover to option in the settings to see a description
* Cipher proposal:
* Check *Enable custom proposals*
- * IKE: `aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256`
- * ESP: `aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256`
+ * IKE: `aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384`
+ * ESP: `aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384`
* Apply and turn the connection on, you should now be connected
diff --git a/docs/client-windows.md b/docs/client-windows.md
index d7d8915..6e071cf 100644
--- a/docs/client-windows.md
+++ b/docs/client-windows.md
@@ -48,12 +48,12 @@ Add-VpnConnection @addVpnParams
$setVpnParams = @{
ConnectionName = $VpnName
- AuthenticationTransformConstants = "GCMAES128"
- CipherTransformConstants = "GCMAES128"
- EncryptionMethod = "AES128"
+ AuthenticationTransformConstants = "GCMAES256"
+ CipherTransformConstants = "GCMAES256"
+ EncryptionMethod = "AES256"
IntegrityCheckMethod = "SHA384"
- DHGroup = "ECP256"
- PfsGroup = "ECP256"
+ DHGroup = "ECP384"
+ PfsGroup = "ECP384"
Force = $true
}
Set-VpnConnectionIPsecConfiguration @setVpnParams
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index 2efc124..f969fb2 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -25,8 +25,8 @@ strongswan_enabled_plugins:
ciphers:
defaults:
- ike: aes128gcm16-prfsha512-ecp256!
- esp: aes128gcm16-ecp256!
+ ike: aes256gcm16-prfsha512-ecp384!
+ esp: aes256gcm16-ecp384!
compat:
- ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
- esp: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
+ ike: aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384!
+ esp: aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384!
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index 053470f..af19ae2 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@@ -42,9 +42,9 @@
- name: Build the CA pair
shell: >
- {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
+ {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem &&
{{ openssl_bin }} req -utf8 -new
- -newkey ec:ecparams/prime256v1.pem
+ -newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/cakey.pem
-out cacert.pem -x509 -days 3650
@@ -71,7 +71,7 @@
- name: Build the server pair
shell: >
{{ openssl_bin }} req -utf8 -new
- -newkey ec:ecparams/prime256v1.pem
+ -newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}"))
-keyout private/{{ IP_subject_alt_name }}.key
-out reqs/{{ IP_subject_alt_name }}.req -nodes
@@ -93,7 +93,7 @@
- name: Build the client's pair
shell: >
{{ openssl_bin }} req -utf8 -new
- -newkey ec:ecparams/prime256v1.pem
+ -newkey ec:ecparams/secp384r1.pem
-config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}"))
-keyout private/{{ item }}.key
-out reqs/{{ item }}.req -nodes
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index 93269c7..4ffce67 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -169,12 +169,12 @@ function Add-AlgoVPN {
$setVpnParams = @{
ConnectionName = $VpnName
- AuthenticationTransformConstants = "GCMAES128"
- CipherTransformConstants = "GCMAES128"
- EncryptionMethod = "AES128"
+ AuthenticationTransformConstants = "GCMAES256"
+ CipherTransformConstants = "GCMAES256"
+ EncryptionMethod = "AES256"
IntegrityCheckMethod = "SHA384"
- DHGroup = "ECP256"
- PfsGroup = "ECP256"
+ DHGroup = "ECP384"
+ PfsGroup = "ECP384"
Force = $true
}
Set-VpnConnectionIPsecConfiguration @setVpnParams
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index b8013df..9a342b4 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -60,9 +60,9 @@
ChildSecurityAssociationParameters
DiffieHellmanGroup
- 19
+ 20
EncryptionAlgorithm
- AES-128-GCM
+ AES-256-GCM
IntegrityAlgorithm
SHA2-512
LifeTimeInMinutes
@@ -81,9 +81,9 @@
IKESecurityAssociationParameters
DiffieHellmanGroup
- 19
+ 20
EncryptionAlgorithm
- AES-128-GCM
+ AES-256-GCM
IntegrityAlgorithm
SHA2-512
LifeTimeInMinutes
@@ -94,7 +94,7 @@
PayloadCertificateUUID
{{ pkcs12_PayloadCertificateUUID }}
CertificateType
- ECDSA256
+ ECDSA384
ServerCertificateIssuerCommonName
{{ IP_subject_alt_name }}
RemoteAddress