WARNING: INSECURE cipher with block size less than 128 bit (64 bit).

[ozburn]

Hello Cad,

      Suggestion as an improove to security..!!

The default cipher allows an attack called SWEET32 , Recommended to use AES-256-CBC.!

You can look at client Log to see the same recomendation ;) i will list mine below..!!

Tue Oct 10 16:03:43 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 10 16:03:43 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 10 16:03:43 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 10 16:03:43 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 10 16:03:43 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 10 16:03:43 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue Oct 10 16:03:43 2017 interactive service msg_channel=776
Tue Oct 10 16:03:43 2017 open_tun
Tue Oct 10 16:03:43 2017 TAP-WIN32 device [Ethernet 2] opened: \.\Global{3F7CD79B-4334-40C2-8848-361FAD70394F}.tap
Tue Oct 10 16:03:43 2017 TAP-Windows Driver Version 9.21

Tue Oct 10 16:21:42 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

[cad]

@ozburn Could you run $ openvpn --version on your client computer and server computer and then post the output here?

[ozburn]

root@stargate:/root# openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.net
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
root@stargate:/root#