Missing Diffie-Hellman-Groups

Bug #1938284 reported by Maxim Korezkij
Affects                      Status       Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix    Undecided   Unassigned
neutron                      In Progress  Wishlist    Unassigned

Bug Description

The values for pfs (perfect forward secrecy) when creating an IKE or IPsec policy are limited to the Diffie-Hellman groups 2, 5 and 14.

strongSwan, as the default provider, supports more than these 3 groups, e.g. group 20 (ecp384).

Tags: vpnaas
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)
Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
tags: added: vpnaas
Changed in neutron:
importance: Medium → Wishlist
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by "Maxim Korezkij <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714
Reason: Abandoned due to lack of time. Feel free to reopen.

Enrico Kern (flyersa) wrote :

Can we finally implement this patch? Those groups have been outdated for years. Clients request support for higher DH groups. The patch is also there, why not implement it?

Enrico Kern (flyersa)
information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

Note that you've changed the information type of this bug to Public Security, indicating it represents a possible security vulnerability. Since the OpenStack Vulnerability Management Team (VMT) does not officially oversee[*] the neutron-vpnaas deliverable, I'm adding a security advisory task with a Won't Fix status to indicate we're not tracking this for any future advisory publication.

[*] https://security.openstack.org/repos-overseen.html

Changed in ossa:
status: New → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/898828

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)
Bodo Petermann (bpetermann) wrote :

The patches above add not only the DH groups 15 to 31 but also more choices for encryption algorithm (to support AES CCM and AES GCM modes) and auth algorithms (to support aes-xcbc and aes-cmac).
