[Ach] OpenVPN and ACH

Aaron Zauner azet at azet.org
Thu Feb 19 21:07:24 CET 2015



Reed Loden wrote:
>> # Enable compression on the VPN link.
>> # If you enable it here, you must also
>> # enable it in the client config file.
>> comp-lzo
> 
> Why are you enabling compression on an SSL link? That possibly makes you
> vulnerable to things like CRIME.

That's what I just stated, right?

> 
> Again, another reason why ACH needs a thoroughly-researched OpenVPN
> hardening section and not just ignoring it because it doesn't support
> AEAD. People will do the wrong thing, so let's give them the best
> possible options/config to use in OpenVPN's current state.
>

Some of the CBC attacks are actually more worrisome than CRIME-like
attacks. I agree that this needs to be done properly, which is why I've
removed the current section, since it's obviously identical to upstream,
does not enhance security in any way and is neither well tested nor researched.

In any case, upstream AEAD support is something we should push for.

Aaron
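As an added illustration (not from the thread, nor the ACH project's own tooling), a small Python check that flags the two issues raised above in an OpenVPN config: compression directives like the quoted `comp-lzo`, and `cipher` settings that are not an AEAD mode. Assumptions: `compress` is treated as the newer spelling of the same option (its `stub`/`stub-v2` forms do not compress), and the AEAD suffix list is illustrative rather than an exhaustive catalogue of cipher names.

```python
# Directives that enable compression on the tunnel. "comp-lzo" is the one
# quoted in the thread; "compress" is the newer spelling of the option.
COMPRESSION_DIRECTIVES = {"comp-lzo", "compress"}

# Cipher name suffixes treated as AEAD. Assumption: illustrative list only;
# anything not matching (notably *-CBC) is reported.
AEAD_SUFFIXES = ("-GCM", "-POLY1305")

COMPRESSION_FINDING = "compression enabled (CRIME-style risk)"


def parse_openvpn_config(text):
    """Return (directive, args) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_openvpn_config(text):
    """Return a list of (directive, reason) findings for risky settings."""
    findings = []
    cipher_seen = False
    for directive, args in parse_openvpn_config(text):
        if directive == "comp-lzo":
            # "comp-lzo no" keeps the framing but does not compress.
            if not args or args[0] != "no":
                findings.append((directive, COMPRESSION_FINDING))
        elif directive == "compress":
            # Bare "compress" and the stub variants do not compress.
            if args and args[0] not in ("stub", "stub-v2"):
                findings.append((directive, COMPRESSION_FINDING))
        elif directive == "cipher":
            cipher_seen = True
            name = args[0].upper() if args else ""
            if not name.endswith(AEAD_SUFFIXES):
                findings.append((directive, f"{name or '(none)'} is not an AEAD mode"))
    if not cipher_seen:
        # Older OpenVPN releases default to BF-CBC when no cipher is set.
        findings.append(("cipher", "no cipher set; default is a CBC mode"))
    return findings


# Constructed sample: the compression line from the thread plus a CBC cipher.
SAMPLE_CONFIG = """# Enable compression on the VPN link.
comp-lzo
cipher AES-256-CBC
"""

if __name__ == "__main__":
    for directive, reason in audit_openvpn_config(SAMPLE_CONFIG):
        print(f"{directive}: {reason}")
```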

