[Ach] reverted 41091bb2c3fe5396d6c8d9261236068a12726f91

Pepi Zawodsky pepi.zawodsky at maclemon.at
Fri Dec 27 21:09:28 CET 2013


On 27.12.2013, at 21:02, Adi Kriegisch <adi at kriegisch.at> wrote:
> I think the whole cipherB string isn't necessary at all: it is meant for
> a diverse set of clients to provide a good level of compatibility. OpenVPN
> only needs to be able to talk to OpenVPN -- but in a backwards compatible
> way allowing older client versions to connect too. So, I think recommending
> just one or two DHE-AES (256 or 128 bit?) ciphers and probably add some
> ECDHE ciphers (just like in cipherA). AFAIK older versions of OpenVPN do
> not support TLSv1.2, so directly using cipherA isn't possible.
Some small boxes, like ALIX, have AES-128 hardware acceleration and are used a lot for home-to-office VPN connections or site-2-site. Using 256-bit AES drops throughput from about 20Mbit/s down to 8Mbit/s. That may or may not be an issue. In the end, one usually knows which clients connect to an OpenVPN server. Also this shall be a call to update implementations to 2.3 and up. I personally consider backwards compatibility less of an issue than, for example, with browsers.
Best regards
Pepi