Build a Server VPN with openvpn - create certificate files - configure client side


75 replies to this topic

Re: Build a Server VPN with openvpn - create certificate files - configure client side #61 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 19 January 2017 - 12:27

OK, as I was just curious, I flashed oATV-6.0 on my ET10000.

Indeed, as written earlier, ovpn 2.4 has been installed on the box, and the corresponding openssl 1.0.2 version is present as well.

Just for the members that are interested to see visual results, I herewith paste these:

 

 

1/ installing ovpn on ET10000

root@et10000:~# opkg list |grep vpn
 openvpn clients.
 This was formerly part of the openvpn package.
openvpn - 2.4.0-r0 - A full-featured SSL VPN solution via tun device.
openvpn-sample - 2.4.0-r0 - A full-featured SSL VPN solution via tun device.


root@et10000:~# opkg install openvpn
Installing kernel-module-tun (4.8.3) on root.
Downloading http://feeds2.mynonpublic.com/6.0/et10000/et10000/kernel-module-tun_4.8.3-r0.0_et10000.ipk.
Installing openvpn (2.4.0) on root.
Downloading http://feeds2.mynonpublic.com/6.0/et10000/mips32el/openvpn_2.4.0-r0_mips32el.ipk.
Configuring kernel-module-tun.
Configuring openvpn.


root@et10000:~# openssl version
OpenSSL 1.0.2j  26 Sep 2016


root@et10000:~# openvpn --version
OpenVPN 2.4.0 mipsel-oe-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 18 2017
library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes 
enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes 
enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no 
enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no 
enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no 
enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_libtool_sysroot=/home/oe1/atvm60/build-enviroment/builds/openatv/release/et10000/tmp/sysroots/et10000 with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins'

2/ openssl speed results on ET10000 with aes-256-cbc and aes-128-cbc

For the results, I guess this topic can be updated in the near future; I could add dm8000 ( lol ) and vu+uno4k.

Just for this once I added the results here:

root@et10000:~# openssl speed -elapsed -evp aes-256-cbc -multi 8

<snip snip>
Got: +F:22:aes-256-cbc:2458048.00:2682986.67:2736042.67:2801322.67:2790741.33 from 7
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
options:bn(64,32) rc4(idx,int) des(idx,risc2,16,long) aes(partial) idea(int) blowfish(idx)
compiler: mipsel-oe-linux-gcc  -mel -mabi=32 -mhard-float -march=mips32 --sysroot=/home/oe1/atvm60/build-enviroment/builds/openatv/release/et10000/tmp/sysroots/et10000 -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN          -DTERMIO -Os -pipe -g -feliminate-unused-debug-types -fdebug-prefix-map=/home/oe1/atvm60/build-enviroment/builds/openatv/release/et10000/tmp/work/et10000-oe-linux/openssl/1.0.2j-r0.6=/usr/src/debug/openssl/1.0.2j-r0.6 -fdebug-prefix-map=/home/oe1/atvm60/build-enviroment/builds/openatv/release/et10000/tmp/sysroots/x86_64-linux= -fdebug-prefix-map=/home/oe1/atvm60/build-enviroment/builds/openatv/release/et10000/tmp/sysroots/et10000= -Wall -Wa,--noexecstack -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
evp              19445.77k    21538.85k    22325.58k    22622.21k    22559.54k



root@et10000:~# openssl speed -elapsed -evp aes-128-cbc -multi 8

evp              24828.34k    28019.09k    29742.64k    30054.98k    30055.55k

IMHO this should be sufficient to stream 15 Mbit HD channels 1-1 (thus without transcoding, and assuming the other end has similar or even better results).

Thanks guys, by doing a fresh install it cleared things up somewhat more for me.

Keep up the good work, highly appreciated (not just by me)!



Re: Build a Server VPN with openvpn - create certificate files - configure client side #62 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 19 January 2017 - 12:36

BTW:

This part of the output ...
root@et10000:~# opkg list |grep vpn
 openvpn clients.
 This was formerly part of the openvpn package.
... was easy-rsa :)

root@quadbox ~ # opkg list easy-rsa
easy-rsa - 2.2.0-r0 - Simple shell based CA utility
 This package eases the creation of certificates, for example for
 openvpn clients.
 .
 This was formerly part of the openvpn package.

1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390

Re: Build a Server VPN with openvpn - create certificate files - configure client side #63 Pippin

  • Senior Member
  • 103 posts

+2
Neutral

Posted 19 January 2017 - 12:54

Hi Dolphs,

 

Would you be so kind as to compare that result

openssl speed -elapsed -evp aes-256-cbc -multi 8

to

openssl speed -elapsed -evp aes-256-gcm -multi 8

?

Just to get an idea how these boxes without AES-NI benefit from AES-GCM.

 

As you probably know by now, these OpenSSL speed test results have no meaning with regards to real world performance ;)

 

Thank you.


Today's scientists have substituted mathematics for experiments, and they wander off through equation after equation, and eventually build a structure which has no relation to reality. Nikola Tesla

Re: Build a Server VPN with openvpn - create certificate files - configure client side #64 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 19 January 2017 - 13:54

As requested:

GCM instead of CBC, both 128 and 256 (additional service ;-) ).

The answer seems to be NO, unfortunately:

root@et10000:/tmp# openssl speed -elapsed -evp aes-256-gcm -multi 8

<snip snip>
evp              11956.11k    12709.46k    12905.75k    12947.61k    12951.55k



root@et10000:/tmp# openssl speed -elapsed -evp aes-128-gcm -multi 8

<snip snip>
evp              13489.35k    14675.06k    14972.46k    15088.60k    15085.37k


Edited by dolphs, 19 January 2017 - 13:55.


Re: Build a Server VPN with openvpn - create certificate files - configure client side #65 Pippin

  • Senior Member
  • 103 posts

+2
Neutral

Posted 19 January 2017 - 14:26

Ok, looking good actually :)

 

AES-GCM includes the hashing, AES-CBC does not.

To compare more correctly could you do

openssl speed -elapsed -evp aes-256-cbc-hmac-sha1 -multi 8

as an extra-extra service ;)

 

Thanks.



Re: Build a Server VPN with openvpn - create certificate files - configure client side #66 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 19 January 2017 - 15:42

Hi MMD, sorry, but aes-256-cbc-hmac-sha1 is an unknown cipher or digest:

root@et10000:/tmp# openssl speed -elapsed -evp aes-256-cbc-hmac-sha1 -multi 8
aes-256-cbc-hmac-sha1 is an unknown cipher or digest

"At your service!"

© PF

 

 



Re: Build a Server VPN with openvpn - create certificate files - configure client side #67 Pippin

  • Senior Member
  • 103 posts

+2
Neutral

Posted 19 January 2017 - 15:45

Hmm. sh*t

 

How about aes-128-cbc-hmac-sha1?



Re: Build a Server VPN with openvpn - create certificate files - configure client side #68 Pippin

  • Senior Member
  • 103 posts

+2
Neutral

Posted 19 January 2017 - 15:54

Ah yes, I see now, that command is only available for OpenSSL 1.0.1.

 

If the hashing was included in the AES-CBC test, you would see a performance hit of at least ~50%, probably even more.



Re: Build a Server VPN with openvpn - create certificate files - configure client side #69 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 19 January 2017 - 16:42

How about aes-128-cbc-hmac-sha1?

aes-128-cbc-hmac-sha1 is an unknown cipher or digest, same issue unfortunately.



Re: Build a Server VPN with openvpn - create certificate files - configure client side #70 SpaceRat

  • Senior Member
  • 1,030 posts

+65
Good

Posted 20 January 2017 - 00:48

Just for info:
[openssl] Function and security fixes - https://github.com/o...e62ad9b769eb085
[ca-certificates] Update 2016-01-04 to 2016-11-30 - https://github.com/o...f88dfd52c1bc209
[openvpn] Bump to 2.4.0 and add easy-rsa to feeds - https://github.com/o...78f121be98af112

Those changes will be in the next builds of
- OpenATV 5.3
- OpenBH 0.6
- OpenEight
- OpenHDF 5.5
- OpenMips
- OpenSPA 6.0
- OpenViX 4.2

While I left the version of OpenSSL at 1.0.2g (updating to OpenSSL 1.0.2j would have caused a whole welter of changes thanks to lib hell, e.g. in python-cryptography, python-pycrypto and many more, but I'm just an idiot), I incorporated all CVE patches from Ubuntu (their LTS Ubuntu also uses 1.0.2g and thus gets security patches rather than version updates).

Re: Build a Server VPN with openvpn - create certificate files - configure client side #71 Erik Slagter

  • PLi® Core member
  • 46,951 posts

+541
Excellent

Posted 20 January 2017 - 10:05

Spacerat, stop trolling please. For the moment I assume you really know better (also about OpenPLi) than you're ranting about. And if not, I think you should shut even more.


* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.


Re: Build a Server VPN with openvpn - create certificate files - configure client side #72 daveraver

  • Senior Member
  • 412 posts

+5
Neutral

Posted 7 March 2017 - 18:28

The first post of this thread is not updated. I made changes on the wiki to convert .crt files a different way than the 1st post indicates, so visit the wiki, but if some moderator can edit the 1st post it would be better. This is the piece to change; the range to replace is in italics and underlined:

 

Follow this guide,

https://blog.didiers...ssl-on-windows/

up to finishing these three last steps:

set RANDFILE=c:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
c:\OpenSSL-Win32\bin\openssl.exe


Now, in this mode, you can convert the .key file to .pem for the server files, to put in the STB at /etc/openvpn/

OpenSSL> rsa -in filename.key -out filename.key.pem -outform PEM

For the ca.crt and server.crt files, we have to open the certificate in Windows and select the Details tab > Copy file > convert to binary DER X.509, and select the destination folder to save.

Then we convert the ca.cer and server.cer files to .pem files:

OpenSSL>x509 -inform DER -in filename.cer -outform PEM -out filename.pem


All these conversions to the .pem extension are based on the openvpn --help binary information of our installation of openvpn in our STB; maybe it's not necessary.

This is something I forgot when I updated the wiki some weeks ago. But finally I discovered it's not necessary to convert to .pem files to put in our STB, I think. So feel free to do what you want.

Thank you.


Edited by daveraver, 7 March 2017 - 18:30.
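The DER to PEM step in the post above is a pure re-encoding: PEM is the same DER bytes, base64-encoded and wrapped in BEGIN/END armour, which is why the converted files carry no extra security. This added example (not from the thread or from OpenSSL) shows what `openssl x509 -inform DER -outform PEM` does, plus a small format sniffer; `SAMPLE_DER` is a constructed ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re

# Hypothetical helpers written for this example, not OpenSSL's or the wiki's code.
# PEM = base64(DER) in 64-character lines between "-----BEGIN <label>-----" and
# "-----END <label>-----". The certificate or key inside is byte-for-byte the same.

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Matches one armoured block; \1 forces the END label to equal the BEGIN label.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(pem: str) -> bytes:
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def detect_format(data: bytes) -> str:
    """DER certs and RSA keys start with an ASN.1 SEQUENCE tag (0x30); PEM with armour."""
    if data.startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

def convert(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """Convert DER to PEM or PEM to DER, whichever the input is."""
    fmt = detect_format(data)
    if fmt == "DER":
        return der_to_pem(data, label).encode("ascii")
    if fmt == "PEM":
        return pem_to_der(data.decode("ascii"))
    raise ValueError("input is neither DER nor PEM")

# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
```

Running `convert` twice on `SAMPLE_DER` returns the original bytes, which is the whole point: nothing is gained or lost by the .pem step.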


Re: Build a Server VPN with openvpn - create certificate files - configure client side #73 daveraver

  • Senior Member
  • 412 posts

+5
Neutral

Posted 9 March 2017 - 12:59

openvpn setup wiki updated.

 

Regards,

David.



Re: Build a Server VPN with openvpn - create certificate files - configure client side #74 daveraver

  • Senior Member
  • 412 posts

+5
Neutral

Posted 15 March 2017 - 18:13

Hi, the previous update was about using the generated original cert/key files and not using the certs/keys converted to .pem file extensions.
The pem file extension is to run a tls server.

Now I have updated the wiki to use another cipher type; before that I was only able to use cipher bf-cbc. The cipher change is very easy, but I hadn't realised it up to now.

Greetings.

Re: Build a Server VPN with openvpn - create certificate files - configure client side #75 daveraver

  • Senior Member
  • 412 posts

+5
Neutral

Posted 16 March 2017 - 11:16

Could anybody explain whether the line

auth SHA256

takes effect on the server connection with any certificate files, or whether we have to build key/cert files prepared to use auth SHA256?
If somebody can explain whether we gain security by putting cipher AES-256-CBC and auth SHA256... I am quite lost on these new parameters, even though I use them. And one last thing, what about tls server, it is able to limit the number of clients, isn't it? And how would it be configured? The last tls version is 1.2... buffff, what a mess. Could anyone put my new doubts in order???
Thanks!

Edited by daveraver, 16 March 2017 - 11:17.


Re: Build a Server VPN with openvpn - create certificate files - configure client side #76 daveraver

  • Senior Member
  • 412 posts

+5
Neutral

Posted 16 March 2017 - 13:37

OK, SHA checks the integrity of sent packets, the cert files don't matter, and cipher AES-256-CBC is safer than BF-CBC... cheers!
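To illustrate the question and answer in the last two posts: with `auth SHA256` OpenVPN prepends an HMAC-SHA256 tag to each data-channel packet, and the HMAC key comes from the key material negotiated during the TLS handshake, not from the certificate or key files on disk. The example below is added here (it is not OpenVPN's code) and uses hypothetical helper names and a constructed key and payload.

```python
import hmac
import hashlib

# Hypothetical helpers for this example only. OpenVPN's CBC-mode packet layout is
# [HMAC][IV][ciphertext]; here the IV is folded into the "ciphertext" stand-in.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA256

def seal(hmac_key: bytes, ciphertext: bytes) -> bytes:
    """Prepend the HMAC-SHA256 tag the sender computes over the encrypted payload."""
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext

def open_packet(hmac_key: bytes, packet: bytes) -> bytes:
    """Return the payload, or raise ValueError when the receiver must drop the packet."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short to carry an HMAC tag")
    tag, ciphertext = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC verification failed")
    return ciphertext

def verifies(hmac_key: bytes, packet: bytes) -> bool:
    try:
        open_packet(hmac_key, packet)
        return True
    except ValueError:
        return False

def tamper_is_detected(hmac_key: bytes, packet: bytes, offset: int) -> bool:
    """Flip one bit at `offset` and report whether the receiver rejects the result."""
    corrupted = bytearray(packet)
    corrupted[offset] ^= 0x01
    return not verifies(hmac_key, bytes(corrupted))

# Constructed sample: a fixed 32-byte key and a stand-in for encrypted payload bytes.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYLOAD = b"constructed AES-256-CBC ciphertext stand-in"
SAMPLE_PACKET = seal(SAMPLE_KEY, SAMPLE_PAYLOAD)
```

Flipping any bit of the tag or the payload makes verification fail, and a peer with a different HMAC key cannot produce a packet that verifies, regardless of which certificate files were used to authenticate the handshake.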

