[Ach] OpenVPN and ACH

Aaron Zauner azet at azet.org
Thu Feb 19 16:56:05 CET 2015

Aaron Zauner wrote:
> Hi,
> L. Aaron Kaplan wrote:
>> No, I disagree. Not mentioning OpenVPN and the issues you are seeing 
>> makes the guide *weaker* than having it in there with *clear* warnings.
>> Why? Because people will use OpenVPN *anyway*.
>> No matter if you remove the OpenVPN section or not.
>> Better to have a clear message on this.
> Ok. So how does our guide exactly help people that use OpenVPN anyway?
> Nothing in this document improves the default security as shipped with
> OpenVPN.

E.g. the server configuration file in our repo currently ships with:


# Attention: it must fit in 256 bytes, so not the infamous CipherStringB!
cipher AES-256-CBC
auth SHA384

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.


Of course this cipherstring is bogus since it automatically falls back
to AES256-SHA. Compression on the VPN link layer is also enabled while
it is unclear how different compression algorithms interfere with TLS
encrypted traffic.

Upstream OpenVPN defaults and configurations shipped are identical.
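As an added example (not code from the ACH repository or from the mail), the following script audits an OpenVPN server config of the kind quoted above for the three points raised: whether `cipher`/`auth` are set explicitly, whether link compression (`comp-lzo`, or `compress` in later releases) is enabled, and whether a `tls-cipher` list is present and fits the 256-byte limit the repository comment states. The sample config is constructed; the directive names are standard OpenVPN ones.

```python
"""Audit an OpenVPN server config for the points raised in the mail above.
Added example, not ACH repository code; the sample config is constructed."""
from dataclasses import dataclass

# Byte limit for the tls-cipher string, as stated in the repo's config comment.
TLS_CIPHER_LIMIT = 256

# Constructed sample, modelled on the quoted fragment plus a comp-lzo line.
SAMPLE_SERVER_CONF = """\
port 1194
# Attention: it must fit in 256 bytes, so not the infamous CipherStringB!
cipher AES-256-CBC
auth SHA384
comp-lzo
"""

@dataclass
class Finding:
    directive: str
    message: str

def parse_openvpn_config(text: str) -> dict[str, list[str]]:
    """Map each directive to its argument strings; skip blank and comment lines."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives

def audit(config: str) -> list[Finding]:
    """Report the settings the mail objects to; an empty list means none found."""
    d = parse_openvpn_config(config)
    findings: list[Finding] = []
    # Data-channel cipher/HMAC: flag if left to OpenVPN's built-in default.
    for name in ("cipher", "auth"):
        if name not in d:
            findings.append(Finding(name, "not set; OpenVPN default applies"))
    # Link compression (comp-lzo, or compress in newer releases): flag when enabled.
    if "comp-lzo" in d or "compress" in d:
        findings.append(Finding("comp-lzo", "compression enabled on the VPN link"))
    # Control-channel suite list: must exist and fit the stated byte limit.
    if "tls-cipher" not in d:
        findings.append(Finding("tls-cipher", "not set; TLS suite left to defaults"))
    elif len(d["tls-cipher"][-1].encode()) > TLS_CIPHER_LIMIT:
        findings.append(Finding("tls-cipher", f"exceeds the {TLS_CIPHER_LIMIT}-byte limit"))
    return findings
```

Running `audit(SAMPLE_SERVER_CONF)` flags the compression line and the missing `tls-cipher`, which is exactly the state the mail describes for the repository's server config.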
