GNOME Bugzilla – Bug 746429
Strong HMAC authentication (SHA256, SHA512) that is supported by OpenVPN cannot be selected
Last modified: 2016-03-24 20:54:57 UTC
OpenVPN currently supports more HMAC authentication options than can be chosen in network-manager-openvpn, like:
- SHA256;
- SHA384;
- SHA512.

I would like to use network-manager-openvpn with a stronger authentication option than MD-5 and SHA-1, but this is currently not possible, as these options cannot be selected in the OpenVPN Advanced Options window.

Downstream Ubuntu Bug is here: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1217094
The problem is that NetworkManager builds a bad command line script. To fix this specific issue, it is really as simple as updating NM to pass the additional CLI option: --auth <hash>

For example, for sha512, just pass: --auth sha512 to the built parameter via /usr/sbin/openvpn ...

A bigger problem though is that NetworkManager should support .ovpn (openvpn conf files). Currently, NM does not allow users to import them, but this would fix MANY other issues where users complain that NM is not accepting their parameters. If NM wants to work properly with existing .ovpn files, all that needs to be done is to accept a config file from the user in the GUI and then build the CLI parameters to include the --config <ovpn-file>.

Eg: /usr/sbin/openvpn ... --config myconfig.ovpn ...
(In reply to Kristian Erik Hermansen from comment #1)
> The problem is that NetworkManager builds a bad command line script. To fix
> this specific issue, it is really as simple as updating NM to pass the
> additional CLI option: --auth <hash>
>
> For example, for sha512, just pass: --auth sha512 to the built parameter via
> /usr/sbin/openvpn ...
>
> A bigger problem though is that NetworkManager should support .ovpn (openvpn
> conf files). Currently, NM does not allow users to import them, but this
> would fix MANY other issues where users complain that NM is not accepting
> their parameters. If NM wants to work properly with existing .ovpn files,
> all that needs to be done is to accept a config file from the user in the
> GUI and then build the CLI parameters to include the --config <ovpn-file>.
>
> Eg: /usr/sbin/openvpn ... --config myconfig.ovpn ...

NetworkManager does not allow that because then it cannot control the options that are passed in the opaque ovpn file. E.g. a malicious user could pass a script that is executed by openvpn (ipchange, route-up, etc.). Also, NM depends on being called back by openvpn when something happens. That's why it passes '--up "nm-openvpn-service-openvpn-helper"' to openvpn. Every option that is understood by NM-openvpn plugin must be individually added. There is no easy way around that.
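The reply above explains why the service translates each recognised directive into its own flag instead of forwarding an opaque file with --config. The following is an added illustration of that allowlist design, written for this page and not taken from NetworkManager's code; the directive tables, argument counts and the sample .ovpn text are constructed, and only the helper name and the HMAC list come from the discussion.

```python
import shlex

# Directives that make openvpn execute external programs: never accepted,
# whatever else the file contains.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "client-connect",
    "client-disconnect", "learn-address", "tls-verify",
    "auth-user-pass-verify", "script-security", "plugin",
}

# HMAC algorithms the front end knows how to offer (the list in the bug).
ALLOWED_AUTH = {"none", "md4", "md5", "sha1", "sha224", "sha256", "sha384",
                "sha512", "ripemd160"}

# Directive -> (min args, max args). Only these are translated into flags;
# anything else is refused rather than forwarded blindly. Constructed subset.
ALLOWED = {"client": (0, 0), "remote": (1, 3), "port": (1, 1), "proto": (1, 1),
           "dev": (1, 1), "cipher": (1, 1), "auth": (1, 1), "comp-lzo": (0, 1)}


def build_args(ovpn_text, helper="nm-openvpn-service-openvpn-helper"):
    """Translate an .ovpn body into (argv, rejected_lines).

    Each accepted directive becomes its own --flag, so the caller never
    passes --config. 'helper' is the callback hook the service itself
    controls (the page names nm-openvpn-service-openvpn-helper).
    """
    argv, rejected = ["openvpn"], []
    for raw in ovpn_text.splitlines():
        # '#' and ';' start comments in OpenVPN config files.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        name, args = parts[0].lower(), parts[1:]
        if name in SCRIPT_DIRECTIVES or name not in ALLOWED:
            rejected.append(line)      # script-executing or not understood
            continue
        lo, hi = ALLOWED[name]
        if not lo <= len(args) <= hi:
            rejected.append(line)      # wrong arity, e.g. 'auth' with no hash
            continue
        if name == "auth" and args[0].lower() not in ALLOWED_AUTH:
            rejected.append(line)      # hash the UI does not offer
            continue
        argv += ["--" + name] + args
    argv += ["--up", helper]           # the service keeps control of callbacks
    return argv, rejected
```

The rejected list is what a front end would surface to the user instead of silently dropping or silently forwarding unknown directives.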
OK, but what about support for sha512 then? Is that explicitly denied for some reason?
(In reply to Kristian Erik Hermansen from comment #3)
> OK, but what about support for sha512 then? Is that explicitly denied for
> some reason?

It's just not implemented yet. This is a very valid feature request (thank you for that)... ~somebody~ should add this functionality...
The issue seems to be here, in the fact that the --auth option is NOT passed by default and not being overridden to send the non-default hashes such as SHA512:

"""
$ nl NetworkManager-openvpn-1.0.0/properties/auth-helpers.c | egrep '\-\-auth' -A40

	/* Add default option which won't pass --auth to openvpn */
	gtk_list_store_append (store, &iter);
	gtk_list_store_set (store, &iter,
	                    HMACAUTH_COL_NAME, _("Default"),
	                    HMACAUTH_COL_DEFAULT, TRUE, -1);

	/* Add options */
	for (item = items; *item; item++) {
		const char *name = NULL;

		if (!strcmp (*item, NM_OPENVPN_AUTH_NONE))
			name = _("None");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_RSA_MD4))
			name = _("RSA MD-4");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_MD5))
			name = _("MD-5");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA1))
			name = _("SHA-1");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA224))
			name = _("SHA-224");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA256))
			name = _("SHA-256");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA384))
			name = _("SHA-384");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA512))
			name = _("SHA-512");
		else if (!strcmp (*item, NM_OPENVPN_AUTH_RIPEMD160))
			name = _("RIPEMD-160");
		else
			g_assert_not_reached ();

		gtk_list_store_append (store, &iter);
		gtk_list_store_set (store, &iter,
		                    HMACAUTH_COL_NAME, name,
		                    HMACAUTH_COL_VALUE, *item,
		                    HMACAUTH_COL_DEFAULT, FALSE, -1);

		if (hmacauth && !strcmp (*item, hmacauth)) {
			gtk_combo_box_set_active_iter (box, &iter);
			active_initialized = TRUE;
		}
	}
"""
With latest NM/editor/plugin all the supported HMAC algorithms seem to be working, including SHA512. I'm closing this, please reopen if needed.