[Ach] OpenVPN

David Durvaux david.durvaux at gmail.com
Mon Nov 25 21:47:35 CET 2013


Hello,

In my case, I did the OpenVPN testing on a laptop running the testing
version of Debian.
I can extract version if needed.

Kr,

David


2013/11/25 L. Aaron Kaplan <kaplan at cert.at>

>
> On Nov 25, 2013, at 8:52 PM, christian mock <cm at coretec.at> wrote:
>
> > On Mon, Nov 25, 2013 at 08:13:24PM +0100, L. Aaron Kaplan wrote:
> >
> >>> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> >>             ^^^^ this
> >>
> >> is just used for the control channel and not for the actual stream.
> >
> > noted.
> >
> >>> Is your openvpn built with gnutls?
> >> With openssl
> >>
> >>> Because mine (Debian Wheezy) shows
> >>> the openssl names with --list-tls (e.g. DHE-RSA-AES256-SHA)...
> >>>
> >> weird. Mine says:
> >>
> >> # /usr/sbin/openvpn --show-tls
> >> Available TLS Ciphers,
> >> listed in order of preference:
> >>
> >> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> > [...]
> >> Which version of openvpn do you use?
> >
> > $ openvpn --version
> > OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia]
> > [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
> > Originally developed by James Yonan
> > Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales at openvpn.net>
> >
> >  $ ./configure --build=x86_64-linux-gnu --prefix=/usr
> > --includedir=${prefix}/include --mandir=${prefix}/share/man
> > --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var
> > --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode
> > --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector
> > --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> > CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector
> > --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2
> > LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save
> > --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr
> > --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig
> > --with-route-path=/sbin/route
> >
> > Compile time defines:  ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA
> > ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME
> > ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL
> > USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL
> >
> >
> # /usr/sbin/openvpn --version
> OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11]
> [eurephia] [MH] [IPv6] built on Jun 18 2013
> Originally developed by James Yonan
> Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales at openvpn.net>
> Compile time defines: enable_crypto=yes enable_debug=yes
> enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown
> enable_dlopen_self=unknown enable_dlopen_self_static=unknown
> enable_eurephia=yes enable_fast_install=yes enable_fragment=yes
> enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes
> enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no
> enable_management=yes enable_multi=yes enable_multihome=yes
> enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no
> enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes
> enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes
> enable_selinux=no enable_server=yes enable_shared=yes
> enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes
> enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no
> enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no
> with_crypto_library=openssl with_gnu_ld=yes
> with_ifconfig_path=/sbin/ifconfig with_mem_check=no
> with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route
> with_sysroot=no
>
>
> >> BTW: mine does not understand --list-tls, only --show-tls
> >
> > that was a typo, it's --show-tls.
> >
> >>
> >> a.
> >>
> >>> cm.
> >>>
> >>> --
> >>> Christian Mock                          Wiedner Hauptstr. 15
> >>> Senior Security Engineer                1040 Wien
> >>> CoreTEC IT Security Solutions GmbH      +43-1-5037273
> >>> FN 214709 z
> >>>
> >>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> >>> CoreTEC: Web Application Audit - Damit so etwas nicht passiert!
> >>>
> >>> http://heise.de/-1260559
> >>>
> >>> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> >>> _______________________________________________
> >>> Ach mailing list
> >>> Ach at lists.cert.at
> >>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> >>
> >> ---
> >> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> >> // CERT Austria - http://www.cert.at/
> >> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> >> // Firmenbuchnummer 172568b, LG Salzburg


-- 
David DURVAUX
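The thread turns on two points that are easy to get wrong in an OpenVPN config: tls-cipher restricts only the TLS control channel (the data channel is governed by a separate cipher line), and the suite names printed by --show-tls changed between OpenVPN 2.2 (OpenSSL names such as DHE-RSA-AES256-SHA) and 2.3 (IANA-style names such as TLS-DHE-RSA-WITH-AES-256-CBC-SHA). The following is an added example, not code from the thread or from the OpenVPN project: a small Python checker that reads the first line of `openvpn --version`, works out which naming style that build prints, and audits a config for mismatched tls-cipher names and for a tls-cipher line with no accompanying cipher line. The name-mapping table, the sample config and the placeholder remote host are constructed for the example; the two version lines are the ones quoted in the thread.

```python
import re

# Constructed mapping between the IANA-style suite names that OpenVPN 2.3's
# --show-tls prints (TLS-DHE-RSA-WITH-AES-256-CBC-SHA) and the OpenSSL names
# that OpenVPN 2.2's --show-tls prints (DHE-RSA-AES256-SHA). Covers only the
# suites mentioned in the thread plus their AES-128 siblings; extend as needed.
IANA_TO_OPENSSL = {
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA": "DHE-RSA-AES256-SHA",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA": "DHE-RSA-AES128-SHA",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in IANA_TO_OPENSSL.items()}

# Sample inputs: the two --version first lines quoted in the thread, and a
# constructed minimal client config whose remote host is a placeholder.
VERSION_22 = ("OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] "
              "[eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] "
              "built on Jun 18 2013")
VERSION_23 = ("OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] "
              "[PKCS11] [eurephia] [MH] [IPv6] built on Jun 18 2013")
SAMPLE_CONFIG = """\
client
dev tun
proto udp
# placeholder host, constructed for the example
remote vpn.example.invalid 1194
; no 'cipher' line: the data channel keeps OpenVPN's built-in default
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""


def cipher_style(name):
    """Classify one suite name: 'iana' for TLS-...-WITH-... names, else 'openssl'."""
    return "iana" if name.startswith("TLS-") and "-WITH-" in name else "openssl"


def to_style(name, style):
    """Translate a suite name into the requested style, or None if it is unknown."""
    if cipher_style(name) == style:
        return name
    table = IANA_TO_OPENSSL if style == "openssl" else OPENSSL_TO_IANA
    return table.get(name)


def version_tuple(version_output):
    """Extract (major, minor) from the first line of `openvpn --version`."""
    m = re.search(r"OpenVPN (\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no OpenVPN version line found")
    return int(m.group(1)), int(m.group(2))


def expected_style(version):
    """Naming that --show-tls uses on this build: OpenSSL names before 2.3, IANA from 2.3."""
    return "openssl" if version < (2, 3) else "iana"


def parse_config(text):
    """Parse an OpenVPN config into {option: [args, ...]}; text after # or ; is a comment."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)
    return opts


def audit(config_text, version_output):
    """Return findings about tls-cipher naming and a missing data-channel cipher line."""
    findings = []
    opts = parse_config(config_text)
    style = expected_style(version_tuple(version_output))
    if "tls-cipher" in opts:
        # tls-cipher takes a colon-separated list; several lines are merged here.
        suites = ":".join(args[0] for args in opts["tls-cipher"] if args).split(":")
        for suite in suites:
            if cipher_style(suite) != style:
                fix = to_style(suite, style) or "<no known equivalent>"
                findings.append(
                    f"tls-cipher {suite} is a {cipher_style(suite)} name but this build "
                    f"lists {style} names in --show-tls; use {fix}")
        if "cipher" not in opts:
            findings.append(
                "tls-cipher only restricts the TLS control channel; add a 'cipher' line "
                "or the data channel keeps OpenVPN's built-in default")
    return findings


if __name__ == "__main__":
    for label, out in (("2.2.1", VERSION_22), ("2.3.2", VERSION_23)):
        print(f"== {SAMPLE_CONFIG.count(chr(10))}-line config against OpenVPN {label}")
        for finding in audit(SAMPLE_CONFIG, out):
            print(" -", finding)
```

Run as-is it audits the embedded sample against both quoted builds; to check a real host, pass the contents of the config file and the first line of `openvpn --version` to `audit()`. The style check is deliberately syntactic (TLS-...-WITH-... versus OpenSSL short names) so it needs no OpenVPN binary, and the mapping table is the only part that has to grow as more suites are used.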