OpenVPN CA

Discussions for BiPAC 8900 series: 8900AX-1600, 8900AX-2400, 8900X
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

nightcustard wrote: Wed Jan 20, 2021 1:40 pm After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct.

Using your own words, the "cooked-in certificate" is identical on all Billion VPN routers regardless of model.

It shouldn't be necessary to use another server device (with software) to host a custom certificate on the remote network. The Billion router is the server but unfortunately with a very public CA.
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Wed Jan 20, 2021 10:32 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct.

Using your own words, the "cooked-in certificate" is identical on all Billion VPN routers regardless of model.

It shouldn't be necessary to use another server device (with software) to host a custom certificate on the remote network. The Billion router is the server but unfortunately with a very public CA.
Our engineers have stated they are looking into it, let's see what they come up with :D
adeux001
Posts: 9
Joined: Fri Mar 29, 2019 2:55 pm

Re: OpenVPN CA

Post by adeux001 »

nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it, the cipher suites could do with an update; the server still offers SHA1.

Take a look at wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

adeux001 wrote: Tue Jan 26, 2021 9:18 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it, the cipher suites could do with an update; the server still offers SHA1.

Take a look at wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible
I'll make the suggestion to our engineers :)
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

billion_fan wrote: Wed Jan 27, 2021 10:05 am
adeux001 wrote: Tue Jan 26, 2021 9:18 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it, the cipher suites could do with an update; the server still offers SHA1.

Take a look at wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible
I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes :

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system time must be updated to the current local time.
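The release notes above give the two knobs that matter on the router side (regenerate the CA, move HMAC auth off SHA1). What a practitioner wants next is a way to confirm, from the client side, that the exported .ovpn profile actually reflects those changes, and that two units (or one unit before and after regeneration) no longer share the same CA. The script below is an added example written for this thread; it is not Billion firmware code and not part of OpenVPN. It parses a profile, flags the weak settings discussed in this thread (HMAC-SHA1, which is also OpenVPN's default when `auth` is absent; legacy data-channel ciphers; no TLS floor; no `remote-cert-tls server`; no control-channel key), and computes the SHA-256 fingerprint of the embedded `<ca>` certificate, the same value `openssl x509 -fingerprint -sha256` prints, so fingerprints from different exports can be compared directly. The two profiles embedded in it are constructed samples whose `<ca>` and `<tls-crypt>` blocks are placeholders with valid encoding but no real certificate or key.

```python
"""Audit OpenVPN client profiles (.ovpn) exported from a router.

Added example for this forum thread; not Billion firmware or OpenVPN project
code. The two profiles below are constructed samples: their <ca> and
<tls-crypt> blocks are placeholders, not real certificates or keys.
"""
import base64
import hashlib
import re

# Constructed sample of a profile that leans on OpenVPN's legacy defaults.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
<ca>
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODw==
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample after the settings discussed in the thread were changed.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
EBESExQVFhcYGRobHB0eHw==
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# 'auth' values that should no longer appear. SHA1 is also what OpenVPN uses
# when 'auth' is absent, so a missing line is not a safe line.
WEAK_HMAC = {"NONE", "MD5", "SHA", "SHA1"}
# Legacy data-channel ciphers (64-bit block ciphers or no encryption at all).
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse_profile(text):
    """Split a profile into plain directives and inline <tag>...</tag> blocks.

    Returns (directives, blocks): directives maps an option name to the list
    of argument lists seen for it; blocks maps a tag name to its body text.
    """
    directives, blocks = {}, {}
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:
            closing, name = m.groups()
            if closing:
                blocks[name] = "\n".join(buf)
                current, buf = None, []
            else:
                current, buf = name, []
            continue
        if current is not None:
            buf.append(line)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def ca_sha256(pem):
    """SHA-256 over the DER bytes of the first certificate in a PEM block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def audit(text):
    """Return {"findings": [...], "ca_sha256": hex or None} for one profile."""
    d, blocks = parse_profile(text)
    findings = []

    auth_args = d.get("auth", [[]])[-1]
    auth = auth_args[0].upper() if auth_args else "SHA1"
    if auth in WEAK_HMAC:
        note = "" if "auth" in d else " (OpenVPN's default when 'auth' is not set)"
        findings.append(f"HMAC auth {auth}{note}")

    cipher_args = d.get("cipher", [[]])[-1]
    if cipher_args and cipher_args[0].upper() in WEAK_CIPHERS:
        findings.append(f"data-channel cipher {cipher_args[0].upper()}")
    elif "cipher" not in d and "data-ciphers" not in d:
        findings.append("no cipher/data-ciphers directive; relies on the OpenVPN version's default")

    if "tls-version-min" not in d:
        findings.append("no tls-version-min; older TLS versions may be negotiated")

    if not any(args[:1] == ["server"] for args in d.get("remote-cert-tls", [])):
        findings.append("no 'remote-cert-tls server'; any certificate the CA issued "
                        "(e.g. another client's) would be accepted as the server")

    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & (set(d) | set(blocks))):
        findings.append("no tls-auth/tls-crypt; control channel has no pre-shared key")

    return {"findings": findings, "ca_sha256": ca_sha256(blocks.get("ca", ""))}


def same_ca(profile_a, profile_b):
    """True when two profiles embed byte-identical CA certificates."""
    fa, fb = audit(profile_a)["ca_sha256"], audit(profile_b)["ca_sha256"]
    return fa is not None and fa == fb


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        r = audit(prof)
        print(f"{name}: ca sha256={r['ca_sha256']}")
        for f in r["findings"]:
            print("  -", f)
    print("shared CA:", same_ca(WEAK_PROFILE, HARDENED_PROFILE))
```

Run it against the profile exported before the firmware update and the one exported after regenerating the CA: `same_ca` must be False, and the `<ca>` fingerprint of your unit should differ from a friend's unit too, which is the check that the "identical on all routers" problem is actually gone. The "system time must be current" prerequisite in the release notes is presumably there because the regenerated CA's validity dates are stamped from the router clock (an assumption on my part about the firmware, not something the notes state); a CA minted with a clock stuck near boot time would be rejected as not-yet-valid or already-expired by clients.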
SPAU00
Posts: 39
Joined: Mon Oct 28, 2019 8:35 am

Re: OpenVPN CA

Post by SPAU00 »

billion_fan wrote: Tue Mar 09, 2021 10:08 am
billion_fan wrote: Wed Jan 27, 2021 10:05 am
adeux001 wrote: Tue Jan 26, 2021 9:18 pm

Correct, and while we are at it, the cipher suites could do with an update; the server still offers SHA1.

Take a look at wikipedia:

I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes :

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system time must be updated to the current local time.
Can you confirm this update is appropriate for units purchased in Australia?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

SPAU00 wrote: Wed Mar 10, 2021 4:31 am
billion_fan wrote: Tue Mar 09, 2021 10:08 am
billion_fan wrote: Wed Jan 27, 2021 10:05 am

I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes :

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system time must be updated to the current local time.
Can you confirm this update is appropriate for units purchased in Australia?
I don't think so, as our device is configured for UK ISPs.

(you should be able to request the official AU firmware from support@firstint.com.au)
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: OpenVPN CA

Post by nightcustard »

BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: OpenVPN CA

Post by billion_fan »

nightcustard wrote: Thu Mar 11, 2021 9:04 pm BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....
Yes you can

You can upgrade the device with 'Current Settings' option used to retain all settings
nightcustard
Posts: 66
Joined: Sat Nov 03, 2012 2:50 pm

Re: OpenVPN CA

Post by nightcustard »

Ah yes! Thanks BF - I'd forgotten there is an option to retain current settings. Always wise to make a backup though ;-)
I've applied the firmware update, changed the cipher encryption and HMAC auth from the defaults and renewed the certificate (which did change).
The firmware update process seemed a little odd though - I thought you should see a progress bar after pressing 'Upgrade' but the router's admin page gave no indication the router was undergoing the update other than after a while being replaced by a frowning smiley and the message 'Invalid response'. However, after my blood pressure had increased slightly, normal function was restored and all now appears well.