1

We use Odoo ERP in our office and there is a statement in the documentation which says:

Whether it's accessed via website/web client or the webservice, Odoo transmits authentication information in cleartext. This means a secure deployment of Odoo must use HTTPS.

It got me thinking: since we mainly access the server locally or through a PPTP VPN connection, do we still need to secure the connection using SSL?

And if so, how do we achieve it, since SSL is tied to a domain name while we only use an IP address?

I read that Windows PPTP VPN has a built-in encryption engine; is it secure enough?

And there is this concern about sniffing software like Wireshark that can decrypt a local Wi-Fi WPA2-PSK connection (there are tutorials for doing that). And we also access the server through a public Wi-Fi connection, which means that the key is shared with everyone.

What is the best way to secure all of these connections (LAN, Wi-Fi LAN, PPTP VPN)?

William Wino

3 Answers

1

Go for HTTPS.

All else aside, your VPN is likely not terminating on your Odoo, so it would potentially be possible to sniff the credentials as they transit between the system running your VPN server, and the one running Odoo.

Implementing HTTPS would ensure the communication (and credentials) are encrypted up to the Odoo server.

As a starting point, you can generate a self-signed cert using openssl with:

# -x509 makes this a self-signed certificate instead of a CSR; -nodes leaves the key unencrypted so the server can load it without a passphrase prompt
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.pem -subj "/CN=myserver/O=myCorp"

You could also look into something like cfssl (https://github.com/cloudflare/cfssl) to generate a 'proper' PKI with a CA and server/client certs.

In all honesty, an FQDN would be nice (and you could make it easy by editing your /etc/hosts, or system-specific equivalent), but isn't required. You can, all else aside, add IP addresses to certificates (as a SAN - Subject Alternative Name) that would be considered 'valid'.

The main issue is that unless you import your CA chain into your browser/device cert store, you will still get warnings about self-signed certs. You should try and avoid that - getting people used to ignoring security warnings is a Bad Thing ©.

It sounds like you would be better off using your VPN for routing purposes only (basically, so that you can always speak to your system at the same RFC1918 address), and avoid exposing all this to the internet at large until you know you have everything nice and locked down.

iwaseatenbyagrue
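The SAN-for-an-IP point above, as an added example that is not part of the answer: a POSIX shell script (assuming OpenSSL 1.0.2 or later) that writes a minimal req config carrying both a DNS and an IP subjectAltName, generates the self-signed certificate, and then reads the SAN back so an operator can confirm the address users actually type into the browser really is in the certificate. The hostname odoo.internal and the address 192.168.1.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer. Generates a self-signed server
# certificate whose SAN lists both a hostname and the RFC1918 address users
# type into the browser. Hostname and IP below are constructed placeholders.

make_selfsigned_cert() {
  # $1 = output directory, $2 = hostname (CN + DNS SAN), $3 = IPv4 address (IP SAN)
  dir=$1; host=$2; ip=$3
  # A config file instead of -addext keeps this working on older OpenSSL releases.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = $host
O  = myCorp

[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host, IP:$ip
EOF
  # -x509: emit a self-signed certificate rather than a CSR
  # -nodes: leave the private key unencrypted so the web server can load it unattended
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.pem" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# Print the certificate's SAN entries on one line, e.g.
# "DNS:odoo.internal, IP Address:192.168.1.10".
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Succeed only if the given address is present as an IP SAN entry. This is the
# match a browser performs when the site is opened by address instead of name;
# a cert with only a CN or DNS SAN fails it and produces the warning.
cert_has_ip() {
  cert_san "$1" | grep -q "IP Address:$2"
}

# Stand-alone demonstration in a scratch directory.
workdir=$(mktemp -d)
make_selfsigned_cert "$workdir" odoo.internal 192.168.1.10
echo "SAN: $(cert_san "$workdir/server.pem")"
if cert_has_ip "$workdir/server.pem" 192.168.1.10; then
  echo "192.168.1.10 is covered by the certificate"
fi
```

The resulting server.pem still has to be imported into each client's trust store (or the CA that signs it does) for the warning to disappear; the IP SAN only removes the name-mismatch half of the problem.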
0

How secure is the password in this context? Insecure

Why?

  • PPTP is known to be insecure from a MITM perspective.
  • HTTPS is secure if properly set up. In this case it sounds like the cert is issued to a hostname but users access the site using an IP. The browser is most likely flagging the connection as insecure. This is another MITM opportunity.

Why not use HTTPS with a FQDN and a cert issued from a public CA?

  • If I'm not wrong, to properly use an FQDN I need a static internet IP address as opposed to just an IP on my local network. The internet in my country is mostly pretty slow and unstable so we prefer to access the server locally. Though occasionally we access the server through a VPN connection. – William Wino Aug 31 '16 at 17:09
  • But I actually am not that familiar with FQDN and how to implement that in my server. Can you please enlighten me. – William Wino Aug 31 '16 at 17:17
  • If you self-sign, you can use IP addresses (and then put the self-signed cert in the browser's truststore), but that would only work with a static IP. – crovers Aug 31 '16 at 20:09
  • A static IP is not required for a cert. The cert needs to match the FQDN for a browser to trust. You can accommodate a dynamic IP using a dynamic DNS service or by using host file entries. – localhost Sep 07 '16 at 16:20
0

There are other solutions to the problem.

Using (for example) stunnel, it's possible to tie authentication to the presented certificate (more specifically, its hash) rather than the combination of CA cert, cert signature, CN record and DNS record.

In effect the trust model is the same as for ssh - which could equally be used for protecting the traffic.

But if you already have a conventional HTTPS configuration in place, then simply use a fully tunnelled VPN connection and point the resolver to your hosts file, or a server accessed via the VPN. PPTP is not good enough; use IPsec, OpenVPN or similar.

symcbean
  • Hi, I've stumbled upon this Stunnel tutorial https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu. It's pretty clear, does implementing stunnel also solve the PPTP MITM problem? – William Wino Aug 31 '16 at 18:55
  • Stunnel doesn't fix pptp, it provides a secure method of encapsulating connections (which is the failed intention of pptp). – symcbean Aug 31 '16 at 19:08
  • What if I just port forward the connection from the router to connect remotely, is that okay? – William Wino Aug 31 '16 at 19:11
  • No, without some form of encryption people on both sides of the router can still see the cleartext. – symcbean Aug 31 '16 at 19:16
  • Then I still don't get the Stunnel, can you ELI5 to me about the Stunnel, about how it works? – William Wino Aug 31 '16 at 19:27
  • It's a generic SSL proxy which exposes the ability to configure its behaviour (e.g. to use ssh-like server authentication set verifypeer=yes, store a copy of the server cert locally referenced by cafile/capath and set the verification mode to 2) – symcbean Aug 31 '16 at 19:34
  • That wasn't much of an ELI5 haha. In what scenario is Stunnel used? I'm sorry I asked a lot it's because I am still new to computer security. Usually I just code the main logic and let someone else do the securing. – William Wino Sep 01 '16 at 02:32
  • Let me rephrase the question this way: Is there a sure way to secure a local OPEN network connection to the application without requiring users in that local network to connect to the internet? – William Wino Sep 01 '16 at 02:39
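The pinning model symcbean describes in the answer and the comments above, as an added example that is not part of the answer or of stunnel's own documentation: a POSIX shell script that records the server certificate's SHA-256 fingerprint the way ssh records a host key, checks a presented certificate against that pin, and writes the two stunnel 5 configuration files (server side terminating TLS in front of Odoo, client side accepting only the pinned certificate via verifyPeer = yes with the server's own cert as CAfile; stunnel 4 spelled the same thing verify = 2). The hostname odoo.internal, the address 192.168.1.10, the ports and the file paths are constructed placeholders, and a throwaway self-signed certificate is generated inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the answer or the stunnel project. Demonstrates the
# ssh-like trust model: trust one specific certificate by fingerprint instead
# of a CA chain plus DNS name. Names, addresses, ports and paths are constructed.

# SHA-256 fingerprint of a PEM certificate: colon-separated hex, label stripped.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# First-use pinning: store the fingerprint of the certificate obtained out of
# band (e.g. copied from the Odoo server's console), like ~/.ssh/known_hosts.
pin_cert() {
  # $1 = trusted cert file, $2 = pin file to write
  cert_fingerprint "$1" > "$2"
}

# Check a presented certificate against the stored pin; exit 0 = match, 1 = mismatch.
pin_matches() {
  # $1 = presented cert file, $2 = pin file
  [ "$(cert_fingerprint "$1")" = "$(cat "$2")" ]
}

# stunnel 5 server config: terminate TLS on the Odoo host and hand plaintext
# to Odoo on loopback only, so credentials never cross the LAN unencrypted.
write_stunnel_server_conf() {
  # $1 = output file, $2 = server cert, $3 = server key, $4 = TLS listen port
  cat > "$1" <<EOF
[odoo]
accept  = $4
connect = 127.0.0.1:8069
cert    = $2
key     = $3
EOF
}

# stunnel 5 client config: local plaintext port forwarded over TLS to the server,
# accepting only the pinned certificate. verifyPeer requires the peer certificate
# itself to be present in CAfile, so CAfile is the server's own cert, not a CA.
write_stunnel_client_conf() {
  # $1 = output file, $2 = pinned server cert, $3 = server IP, $4 = server TLS port
  cat > "$1" <<EOF
client = yes

[odoo]
accept  = 127.0.0.1:8069
connect = $3:$4
CAfile  = $2
verifyPeer = yes
EOF
}

# Throwaway self-signed certificate standing in for the real server cert.
make_demo_cert() {
  # $1 = output dir
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=odoo.internal/O=myCorp" \
    -keyout "$1/server.key" -out "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
pin_cert "$demo_dir/server.pem" "$demo_dir/odoo.pin"
echo "pinned $(cat "$demo_dir/odoo.pin")"
write_stunnel_server_conf "$demo_dir/stunnel-server.conf" \
  "$demo_dir/server.pem" "$demo_dir/server.key" 8443
write_stunnel_client_conf "$demo_dir/stunnel-client.conf" \
  "$demo_dir/server.pem" 192.168.1.10 8443
cat "$demo_dir/stunnel-client.conf"
```

With this in place the browser on the client talks plaintext to 127.0.0.1:8069 only, stunnel carries it to 192.168.1.10:8443 over TLS, and a device presenting any certificate other than the pinned one (a MITM on the Wi-Fi, say) is refused before a password is sent. Rotating the server certificate means redistributing the pin, exactly as a changed ssh host key does.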