New default cipher suite #991

Merged
merged 4 commits into from
Jun 27, 2018

Conversation

jackivanov
Collaborator

Closes #981

@dguido
Member

dguido commented Jun 9, 2018

It looks like we forgot one additional place. I tried setting it up on macOS and could not connect. Here's the syslog from the server:

Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=dan" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   using trusted ca certificate "CN=104.236.56.111"
Jun  9 19:16:58 algo-test charon: 08[CFG] checking certificate status of "CN=dan"
Jun  9 19:16:58 algo-test charon: 08[CFG] ocsp check skipped, no ocsp found
Jun  9 19:16:58 algo-test charon: 08[CFG] certificate status is not available
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=104.236.56.111" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jun  9 19:16:58 algo-test charon: 08[LIB] signature scheme ECDSA-256 not supported by private key
Jun  9 19:16:58 algo-test charon: 08[IKE] signature validation failed, looking for another key
Jun  9 19:16:58 algo-test charon: 08[CFG]   using certificate "CN=dan"
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=dan" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   using trusted ca certificate "CN=104.236.56.111"
Jun  9 19:16:58 algo-test charon: 08[CFG] checking certificate status of "CN=dan"
Jun  9 19:16:58 algo-test charon: 08[CFG] ocsp check skipped, no ocsp found
Jun  9 19:16:58 algo-test charon: 08[CFG] certificate status is not available
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=104.236.56.111" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jun  9 19:16:58 algo-test charon: 08[LIB] signature scheme ECDSA-256 not supported by private key
Jun  9 19:16:58 algo-test charon: 08[IKE] signature validation failed, looking for another key
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP4_DHCP attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP4_NETMASK attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP6_DHCP attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing INTERNAL_IP6_DNS attribute
Jun  9 19:16:58 algo-test charon: 08[IKE] processing (25) attribute
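The failure in the syslog above (a 384-bit ECDSA key checked against the ECDSA-256 scheme) and the fix recorded in the commit list (secp384r1 keys, CertificateType ECDSA384) are the same mismatch seen from two sides: strongSwan's fixed ECDSA-256/384/521 schemes bind curve and hash together, so a P-384 key can only be used with ECDSA-384. The script below is an added example, not code from algo or strongSwan. It parses charon lines like the ones quoted, pairs each "signature scheme ... not supported" failure with the end-entity certificate of the chain charon had just walked, and reports the scheme a key of that size needs. SAMPLE_LOG is constructed from the quoted lines plus one clean session for a hypothetical client "CN=alice"; the curve names are the `openssl ecparam -name` spellings.

```python
import re

# strongSwan's legacy ECDSA signature schemes bind curve and hash together,
# so the scheme name fixes the key size it can be used with:
#   ECDSA-256 = P-256 with SHA-256, ECDSA-384 = P-384 with SHA-384,
#   ECDSA-521 = P-521 with SHA-512.
ECDSA_SCHEME_FOR_KEY_BITS = {256: "ECDSA-256", 384: "ECDSA-384", 521: "ECDSA-521"}
# The same curves as `openssl ecparam -name` spells them, for the hint text.
OPENSSL_CURVE_FOR_KEY_BITS = {256: "prime256v1", 384: "secp384r1", 521: "secp521r1"}

CERT_KEY_RE = re.compile(
    r'certificate "(?P<cn>[^"]+)" key: (?P<bits>\d+) bit (?P<alg>ECDSA|RSA)')
SCHEME_FAIL_RE = re.compile(
    r'signature scheme (?P<scheme>[A-Za-z0-9-]+) not supported by private key')
ROOT_REACHED_RE = re.compile(r'reached self-signed root ca')

# Constructed sample: the failing session quoted in the PR (charon walks the
# chain twice, "looking for another key"), then a clean session for CN=alice.
SAMPLE_LOG = """\
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=dan" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   using trusted ca certificate "CN=104.236.56.111"
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=104.236.56.111" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jun  9 19:16:58 algo-test charon: 08[LIB] signature scheme ECDSA-256 not supported by private key
Jun  9 19:16:58 algo-test charon: 08[IKE] signature validation failed, looking for another key
Jun  9 19:16:58 algo-test charon: 08[CFG]   using certificate "CN=dan"
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=dan" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   certificate "CN=104.236.56.111" key: 384 bit ECDSA
Jun  9 19:16:58 algo-test charon: 08[CFG]   reached self-signed root ca with a path length of 0
Jun  9 19:16:58 algo-test charon: 08[LIB] signature scheme ECDSA-256 not supported by private key
Jun  9 19:16:58 algo-test charon: 08[IKE] signature validation failed, looking for another key
Jun  9 19:17:02 algo-test charon: 09[CFG]   certificate "CN=alice" key: 384 bit ECDSA
Jun  9 19:17:02 algo-test charon: 09[CFG]   certificate "CN=104.236.56.111" key: 384 bit ECDSA
Jun  9 19:17:02 algo-test charon: 09[CFG]   reached self-signed root ca with a path length of 0
"""


def find_scheme_mismatches(log_text):
    """Pair each scheme failure with the end-entity cert of the chain charon
    was validating just before it.

    charon logs the chain leaf first, then issuers, then "reached self-signed
    root ca"; a scheme failure that follows refers to the leaf's key.  Returns
    one dict per failure with the scheme a key of that size would need
    (None for RSA, whose schemes are not tied to key size)."""
    findings = []
    leaf = None          # (cn, bits, alg) of the chain currently being walked
    chain_done = False   # set once the self-signed root has been reached
    for line in log_text.splitlines():
        m = CERT_KEY_RE.search(line)
        if m:
            if leaf is None or chain_done:
                # first certificate of a new chain is the end entity
                leaf = (m["cn"], int(m["bits"]), m["alg"])
                chain_done = False
            continue
        if ROOT_REACHED_RE.search(line):
            chain_done = True
            continue
        m = SCHEME_FAIL_RE.search(line)
        if m and leaf is not None:
            cn, bits, alg = leaf
            expected = ECDSA_SCHEME_FOR_KEY_BITS.get(bits) if alg == "ECDSA" else None
            findings.append({"cn": cn, "key_bits": bits, "alg": alg,
                             "offered": m["scheme"], "expected": expected})
    return findings


def remediation(finding):
    """One-line fix hint for a finding from find_scheme_mismatches()."""
    cn, bits, alg = finding["cn"], finding["key_bits"], finding["alg"]
    if alg != "ECDSA" or finding["expected"] is None:
        return f"{cn}: {bits}-bit {alg} key; check the signature scheme by hand"
    if finding["offered"] == finding["expected"]:
        return f"{cn}: scheme matches the key size; the failure lies elsewhere"
    return (f"{cn}: key is {bits}-bit ECDSA ({OPENSSL_CURVE_FOR_KEY_BITS[bits]}) "
            f"but the signature scheme in use is {finding['offered']}; "
            f"the client profile must select {finding['expected']}")


if __name__ == "__main__":
    for f in find_scheme_mismatches(SAMPLE_LOG):
        print(remediation(f))
```

Run it on a real `/var/log/syslog` or `journalctl -u strongswan` dump; a finding whose `offered` and `expected` already agree points at a different cause (wrong CA, expired cert), not at the cipher-suite change.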

jackivanov requested a review from dguido June 25, 2018 10:40
@TC1977
Contributor

TC1977 commented Jun 26, 2018

Installation attempt on AWS from a Mac failed.

(env) Thomass-MacBook-Pro:algo-new_cipher_suite admin$ ./algo

  What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Microsoft Azure
    4. Google Compute Engine
    5. Scaleway
    6. OpenStack (DreamCompute optimised)
    7. Install to existing Ubuntu 16.04 server (Advanced)

Enter the number of your desired provider
: 2

Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
[pasted values will not be displayed]
[AKIA...]: 

Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
[pasted values will not be displayed]
[ABCD...]: 

Name the vpn server:
[algo]: 


  What region should the server be located in?
    1.   us-east-1           US East (N. Virginia)
    2.   us-east-2           US East (Ohio)
    3.   us-west-1           US West (N. California)
    4.   us-west-2           US West (Oregon)
    5.   ca-central-1        Canada (Central)
    6.   eu-central-1        EU (Frankfurt)
    7.   eu-west-1           EU (Ireland)
    8.   eu-west-2           EU (London)
    9.   eu-west-3           EU (Paris)
    10.  ap-northeast-1      Asia Pacific (Tokyo)
    11.  ap-northeast-2      Asia Pacific (Seoul)
    12.  ap-northeast-3      Asia Pacific (Osaka-Local)
    13.  ap-southeast-1      Asia Pacific (Singapore)
    14.  ap-southeast-2      Asia Pacific (Sydney)
    15.  ap-south-1          Asia Pacific (Mumbai)
    16.  sa-east-1           South America (São Paulo)

Enter the number of your desired region:
[1]: 1

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]: y

Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]: y

List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
: 

Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]: y

Do you want each user to have their own account for SSH tunneling?
[y/N]: n

Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]: n

Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]: n
 [WARNING]: While constructing a mapping from /Users/admin/Downloads/algo-new_cipher_suite/roles/cloud-scaleway/tasks/main.yml, line 73, column 11,
found a duplicate dict key (enable_ipv6). Using last defined value only.


PLAY [Configure the server] **************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [localhost]

TASK [Local pre-tasks] *******************************************************************************************************************************
included: /Users/admin/Downloads/algo-new_cipher_suite/playbooks/local.yml for localhost

TASK [Generate the SSH private key] ******************************************************************************************************************
changed: [localhost]

TASK [Generate the SSH public key] *******************************************************************************************************************
ok: [localhost]

TASK [Change mode for the SSH private key] ***********************************************************************************************************
ok: [localhost]

TASK [Ensure the dynamic inventory exists] ***********************************************************************************************************
changed: [localhost]

TASK [cloud-ec2 : set_fact] **************************************************************************************************************************
ok: [localhost]

TASK [cloud-ec2 : Locate official AMI for region] ****************************************************************************************************
ok: [localhost]

TASK [cloud-ec2 : set_fact] **************************************************************************************************************************
ok: [localhost]

TASK [cloud-ec2 : include_tasks] *********************************************************************************************************************
included: /Users/admin/Downloads/algo-new_cipher_suite/roles/cloud-ec2/tasks/cloudformation.yml for localhost

TASK [cloud-ec2 : Deploy the template] ***************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "events": ["StackEvent AWS::CloudFormation::Stack algo UPDATE_ROLLBACK_COMPLETE", "StackEvent AWS::CloudFormation::Stack algo UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS", "StackEvent AWS::EC2::EIP ElasticIP UPDATE_COMPLETE", "StackEvent AWS::EC2::EIP ElasticIP UPDATE_IN_PROGRESS", "StackEvent AWS::EC2::Instance EC2Instance UPDATE_COMPLETE", "StackEvent AWS::CloudFormation::Stack algo UPDATE_ROLLBACK_IN_PROGRESS", "StackEvent AWS::EC2::Instance EC2Instance UPDATE_FAILED", "StackEvent AWS::CloudFormation::Stack algo UPDATE_IN_PROGRESS", "StackEvent AWS::CloudFormation::Stack algo CREATE_COMPLETE", "StackEvent AWS::EC2::EIP ElasticIP CREATE_COMPLETE", "StackEvent AWS::EC2::EIP ElasticIP CREATE_IN_PROGRESS", "StackEvent AWS::EC2::EIP ElasticIP CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Instance EC2Instance CREATE_COMPLETE", "StackEvent AWS::EC2::Instance EC2Instance CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Instance EC2Instance CREATE_IN_PROGRESS", "StackEvent AWS::EC2::SubnetRouteTableAssociation RouteSubnet CREATE_COMPLETE", "StackEvent AWS::EC2::SubnetCidrBlock SubnetIPv6 CREATE_COMPLETE", "StackEvent AWS::EC2::SubnetRouteTableAssociation RouteSubnet CREATE_IN_PROGRESS", "StackEvent AWS::EC2::SubnetRouteTableAssociation RouteSubnet CREATE_IN_PROGRESS", "StackEvent AWS::EC2::SubnetCidrBlock SubnetIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::SubnetCidrBlock SubnetIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Route Route CREATE_COMPLETE", "StackEvent AWS::EC2::Route RouteIPv6 CREATE_COMPLETE", "StackEvent AWS::EC2::SecurityGroup InstanceSecurityGroup CREATE_COMPLETE", "StackEvent AWS::EC2::SecurityGroup InstanceSecurityGroup CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Route Route CREATE_IN_PROGRESS", "StackEvent AWS::EC2::SecurityGroup InstanceSecurityGroup CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Route RouteIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Route Route CREATE_IN_PROGRESS", "StackEvent 
AWS::EC2::Route RouteIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Subnet Subnet CREATE_COMPLETE", "StackEvent AWS::EC2::VPCGatewayAttachment VPCGatewayAttachment CREATE_COMPLETE", "StackEvent AWS::EC2::VPCCidrBlock VPCIPv6 CREATE_COMPLETE", "StackEvent AWS::EC2::RouteTable RouteTable CREATE_COMPLETE", "StackEvent AWS::EC2::VPCGatewayAttachment VPCGatewayAttachment CREATE_IN_PROGRESS", "StackEvent AWS::EC2::VPCCidrBlock VPCIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Subnet Subnet CREATE_IN_PROGRESS", "StackEvent AWS::EC2::VPCGatewayAttachment VPCGatewayAttachment CREATE_IN_PROGRESS", "StackEvent AWS::EC2::RouteTable RouteTable CREATE_IN_PROGRESS", "StackEvent AWS::EC2::VPCCidrBlock VPCIPv6 CREATE_IN_PROGRESS", "StackEvent AWS::EC2::Subnet Subnet CREATE_IN_PROGRESS", "StackEvent AWS::EC2::RouteTable RouteTable CREATE_IN_PROGRESS", "StackEvent AWS::EC2::InternetGateway InternetGateway CREATE_COMPLETE", "StackEvent AWS::EC2::VPC VPC CREATE_COMPLETE", "StackEvent AWS::EC2::InternetGateway InternetGateway CREATE_IN_PROGRESS", "StackEvent AWS::EC2::InternetGateway InternetGateway CREATE_IN_PROGRESS", "StackEvent AWS::EC2::VPC VPC CREATE_IN_PROGRESS", "StackEvent AWS::EC2::VPC VPC CREATE_IN_PROGRESS", "StackEvent AWS::CloudFormation::Stack algo CREATE_IN_PROGRESS"], "log": ["AWS::EC2::Instance EC2Instance UPDATE_FAILED: The instance ID 'i-06c47190527687aed' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidInstanceID.NotFound; Request ID: 1774f399-0a44-4bd8-98ef-1b64ff12cdaa)"], "output": "Problem with UPDATE. 
Rollback complete", "stack_outputs": {"ElasticIP": "18.232.199.252"}, "stack_resources": [{"last_updated_time": "2018-06-26T04:31:45.682000+00:00", "logical_resource_id": "EC2Instance", "physical_resource_id": "i-06c47190527687aed", "resource_type": "AWS::EC2::Instance", "status": "UPDATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-26T04:31:47.503000+00:00", "logical_resource_id": "ElasticIP", "physical_resource_id": "18.232.199.252", "resource_type": "AWS::EC2::EIP", "status": "UPDATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:16.065000+00:00", "logical_resource_id": "InstanceSecurityGroup", "physical_resource_id": "sg-26a1a26e", "resource_type": "AWS::EC2::SecurityGroup", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:39:50.947000+00:00", "logical_resource_id": "InternetGateway", "physical_resource_id": "igw-f6a1f58e", "resource_type": "AWS::EC2::InternetGateway", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:29.012000+00:00", "logical_resource_id": "Route", "physical_resource_id": "algo-Route-145ZTCVH81BP4", "resource_type": "AWS::EC2::Route", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:28.338000+00:00", "logical_resource_id": "RouteIPv6", "physical_resource_id": "algo-RouteI-1G6JB4V226EOL", "resource_type": "AWS::EC2::Route", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:50.277000+00:00", "logical_resource_id": "RouteSubnet", "physical_resource_id": "rtbassoc-71023a0e", "resource_type": "AWS::EC2::SubnetRouteTableAssociation", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:39:54.777000+00:00", "logical_resource_id": "RouteTable", "physical_resource_id": "rtb-ed2aee92", "resource_type": "AWS::EC2::RouteTable", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": 
"2018-06-05T14:40:10.305000+00:00", "logical_resource_id": "Subnet", "physical_resource_id": "subnet-9bc15c94", "resource_type": "AWS::EC2::Subnet", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:46.967000+00:00", "logical_resource_id": "SubnetIPv6", "physical_resource_id": "subnet-cidr-assoc-f575ffc5", "resource_type": "AWS::EC2::SubnetCidrBlock", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:39:50.843000+00:00", "logical_resource_id": "VPC", "physical_resource_id": "vpc-3fd5df44", "resource_type": "AWS::EC2::VPC", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:09.941000+00:00", "logical_resource_id": "VPCGatewayAttachment", "physical_resource_id": "algo-VPCGat-7P11OQF1XZFJ", "resource_type": "AWS::EC2::VPCGatewayAttachment", "status": "CREATE_COMPLETE", "status_reason": null}, {"last_updated_time": "2018-06-05T14:40:09.846000+00:00", "logical_resource_id": "VPCIPv6", "physical_resource_id": "vpc-cidr-assoc-c8e8f1a5", "resource_type": "AWS::EC2::VPCCidrBlock", "status": "CREATE_COMPLETE", "status_reason": null}]}

TASK [cloud-ec2 : debug] *****************************************************************************************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!", 
        "Please check the troubleshooting guide.", 
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [cloud-ec2 : fail] ******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP *******************************************************************************************************************************************
localhost                  : ok=11   changed=2    unreachable=0    failed=2   

@TC1977
Contributor

TC1977 commented Jun 26, 2018

Installation attempt onto an AWS Ubuntu 18.04 instance using the local installation option succeeded, and Mac connected successfully to the VPN.

@jackivanov
Collaborator Author

jackivanov commented Jun 26, 2018

EC2 works well. Try to delete the stack and deploy it from scratch. It looks like you are redeploying the existing stack.
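The stack output quoted above is what that advice rests on: the stack's EC2Instance resource still records an instance ID that EC2 no longer knows (`InvalidInstanceID.NotFound`), so the CloudFormation update fails and the stack ends in UPDATE_ROLLBACK_COMPLETE. The check below is an added example, not part of algo or Ansible. It reads the result dict that the `cloudformation` task returns, flags a rollback caused by a resource that no longer exists, and names the stale physical ID so the operator can confirm it is gone before deleting the stack. RESULT is constructed from the quoted fields, trimmed to what the check uses.

```python
import re

# Stack states that mean the last create/update did not apply.
ROLLBACK_STATES = {"UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED",
                   "ROLLBACK_COMPLETE", "ROLLBACK_FAILED"}

# "StackEvent <resource type> <logical id> <status>" as the module lists them.
EVENT_RE = re.compile(r"StackEvent (?P<type>\S+) (?P<logical>\S+) (?P<status>[A-Z_]+)")
# "<resource type> <logical id> UPDATE_FAILED: <reason>" in the module's log list.
FAILED_RE = re.compile(r"^(?P<type>\S+) (?P<logical>\S+) (?:UPDATE|CREATE)_FAILED: (?P<reason>.*)$")
# EC2 reports a vanished resource with an error code ending in ".NotFound".
NOT_FOUND_RE = re.compile(r"Error Code: (?P<code>[A-Za-z]+\.NotFound)")

# Constructed from the quoted task output (events newest first, trimmed).
RESULT = {
    "events": [
        "StackEvent AWS::CloudFormation::Stack algo UPDATE_ROLLBACK_COMPLETE",
        "StackEvent AWS::EC2::Instance EC2Instance UPDATE_COMPLETE",
        "StackEvent AWS::CloudFormation::Stack algo UPDATE_ROLLBACK_IN_PROGRESS",
        "StackEvent AWS::EC2::Instance EC2Instance UPDATE_FAILED",
        "StackEvent AWS::CloudFormation::Stack algo UPDATE_IN_PROGRESS",
        "StackEvent AWS::CloudFormation::Stack algo CREATE_COMPLETE",
    ],
    "log": [
        "AWS::EC2::Instance EC2Instance UPDATE_FAILED: The instance ID "
        "'i-06c47190527687aed' does not exist (Service: AmazonEC2; "
        "Status Code: 400; Error Code: InvalidInstanceID.NotFound)",
    ],
    "stack_resources": [
        {"logical_resource_id": "EC2Instance",
         "physical_resource_id": "i-06c47190527687aed",
         "resource_type": "AWS::EC2::Instance", "status": "UPDATE_COMPLETE"},
        {"logical_resource_id": "ElasticIP",
         "physical_resource_id": "18.232.199.252",
         "resource_type": "AWS::EC2::EIP", "status": "UPDATE_COMPLETE"},
    ],
}


def diagnose_stack(result):
    """Return a dict naming the stale resource behind a rollback, or None.

    None means the result shows no rollback, so redeploying in place is
    still a reasonable next step.  A dict with a physical_id means the
    stack's own record of that resource no longer matches EC2, and the
    stack should be deleted and recreated rather than updated."""
    stack_states = {
        m["status"] for m in map(EVENT_RE.match, result.get("events", []))
        if m and m["type"] == "AWS::CloudFormation::Stack"
    }
    rolled_back = stack_states & ROLLBACK_STATES
    if not rolled_back:
        return None

    by_logical = {r["logical_resource_id"]: r for r in result.get("stack_resources", [])}
    for entry in result.get("log", []):
        m = FAILED_RE.match(entry)
        if not m:
            continue
        code = NOT_FOUND_RE.search(m["reason"])
        res = by_logical.get(m["logical"], {})
        return {
            "state": sorted(rolled_back)[0],
            "logical_id": m["logical"],
            "physical_id": res.get("physical_resource_id"),
            "error_code": code["code"] if code else None,
            "action": ("delete the stack and redeploy" if code
                       else "inspect the failure reason before redeploying"),
        }
    return {"state": sorted(rolled_back)[0], "logical_id": None,
            "physical_id": None, "error_code": None,
            "action": "inspect stack events; no failed resource logged"}


if __name__ == "__main__":
    print(diagnose_stack(RESULT))
```

Before deleting, confirm the named physical ID really is gone (`aws ec2 describe-instances --instance-ids <id>` should return the same NotFound error); if it exists, the stack is merely stuck, and a plain delete would remove a live server.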

@TC1977
Contributor

TC1977 commented Jun 26, 2018

Thanks! After deleting the cloudformation stack and deploying a new stack, it installed fine on EC2 from a Mac, and the Mac connects to the VPN and can access websites.

dguido merged commit 4ca8c03 into master Jun 27, 2018
jackivanov deleted the new_cipher_suite branch July 3, 2018 06:07
eyecat pushed a commit to eyecat/algo that referenced this pull request Oct 23, 2018
* New ciphers enabled

* Update CHANGELOG.md

* Switch ecparam to secp384r1

* Change CertificateType to ECDSA384
faf0 pushed a commit to faf0/algo that referenced this pull request Dec 13, 2018