[Ach] OpenVPN

L. Aaron Kaplan kaplan at cert.at
Mon Nov 25 20:56:37 CET 2013


On Nov 25, 2013, at 8:52 PM, christian mock <cm at coretec.at> wrote:

> On Mon, Nov 25, 2013 at 08:13:24PM +0100, L. Aaron Kaplan wrote:
> 
>>> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
>>             ^^^^ this
>> 
>> is just used for the control channel and not for the actual stream.
> 
> noted.
> 
>>> Is your openvpn built with gnutls?
>> With openssl 
>> 
>>> Because mine (Debian Wheezy) shows
>>> the openssl names with --list-tls (e.g. DHE-RSA-AES256-SHA)...
>>> 
>> weird. Mine says:
>> 
>> # /usr/sbin/openvpn --show-tls
>> Available TLS Ciphers,
>> listed in order of preference:
>> 
>> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> [...]
>> Which version of openvpn do you use?
> 
> $ openvpn --version
> OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
> Originally developed by James Yonan
> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales at openvpn.net>
> 
>  $ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
> 
> Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
> 
> 
# /usr/sbin/openvpn --version
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 18 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales at openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no


>> BTW: mine does not understand --list-tls, only --show-tls
> 
> that was a typo, it's --show-tls.
> 
>> 
>> a.
>> 
>>> cm.
>>> 
>>> -- 
>>> Christian Mock                          Wiedner Hauptstr. 15
>>> Senior Security Engineer                1040 Wien
>>> CoreTEC IT Security Solutions GmbH      +43-1-5037273
>>> FN 214709 z
>>> 
>>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>>> CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
>>> 
>>> http://heise.de/-1260559
>>> 
>>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>>> _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at
>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
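Added worked example (not part of the thread): the two naming schemes seen above (OpenSSL-style names from OpenVPN 2.2, TLS-* names from 2.3) make it easy to deploy a `tls-cipher` line that the installed build does not actually offer, so the control-channel handshake fails or silently falls back. The check below normalises both `--show-tls` output and a `tls-cipher` value to OpenSSL naming and reports what is supported; the two `--show-tls` listings are constructed samples, and the name translation only covers the regular AES/Camellia families.

```python
import re

# Constructed sample of `openvpn --show-tls` output in the two naming
# schemes discussed in the thread: OpenVPN 2.2 (OpenSSL names) and
# OpenVPN 2.3 (IANA TLS-* names). Not captured from a real host.
SHOW_TLS_22 = """Available TLS Ciphers,
listed in order of preference:

DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA256-SHA
"""

SHOW_TLS_23 = """Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
"""

def to_openssl_name(name):
    """Translate an IANA TLS-* suite name into its OpenSSL equivalent.
    Handles the regular AES/Camellia CBC and GCM families only; anything
    else (e.g. 3DES suites) is returned unchanged, so it will show up as
    missing rather than being guessed."""
    if not name.startswith("TLS-"):
        return name  # already an OpenSSL-style name
    s = name[len("TLS-"):].replace("WITH-", "")
    # AES-256-CBC -> AES256 (CBC is implicit in OpenSSL names)
    s = re.sub(r"(AES|CAMELLIA)-(\d+)-CBC", r"\1\2", s)
    # AES-128-GCM -> AES128-GCM
    s = re.sub(r"(AES|CAMELLIA)-(\d+)-GCM", r"\1\2-GCM", s)
    return s

def parse_show_tls(output):
    """Return the suite names from --show-tls output in OpenSSL form.
    Header lines contain spaces; cipher names never do."""
    return [to_openssl_name(line.strip())
            for line in output.splitlines()
            if line.strip() and " " not in line.strip()]

def check_tls_cipher(tls_cipher, show_tls_output):
    """Split a tls-cipher directive on ':' and return (supported, missing),
    each in OpenSSL naming, against the given --show-tls output."""
    available = set(parse_show_tls(show_tls_output))
    wanted = [to_openssl_name(c) for c in tls_cipher.split(":") if c]
    supported = [c for c in wanted if c in available]
    missing = [c for c in wanted if c not in available]
    return supported, missing
```

Running `check_tls_cipher` with the same directive against the 2.2 and 2.3 samples shows that the GCM suite from the thread is only offered by the newer build.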