[Ach] SWEET32/CVE-2016-2183

Akendo akendo at akendo.eu
Wed Aug 24 21:19:07 CEST 2016

The openvpn configuration includes a keepalive parameter with following
values: 10 120

you think this is sufficient? Whereby I'm uncertain about the function
in OpenVPN in regards to your statement.

best regards

On 08/24/2016 08:43 PM, Hanno Böck wrote:
> On Wed, 24 Aug 2016 19:24:22 +0200
> Akendo <akendo at akendo.eu> wrote:
>> As far I see this, when following the recommendation for server like
>> nginx or OpenVPN 3DES is disabled and it should not be an issue,
>> correct?
> There's probably not a whole lot for the bettercrypto guide, yet this
> has some interesting aspects.
> One that I think hasn't come up a lot before is limiting keepalive
> connections. We actually thought about that during writing the GCM
> nonce paper as well. Crypto attacks that require a lot of data to be
> encrypted *with the same key* can be effectively mitigated with a
> practically irrelevant performance hit if you limit requests over one
> connection to - let's say - 100 (like apache does).
> What might also be interesting is looking into more unusual protocols
> that might still use blowfish or 3des. It was used in SSH, but lately
> OpenSSH has aggressively deprecated everything old. These ciphers were
> more or less considered secure. While the block collission issue is not
> really new, it may not have been known so widely.
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

More information about the Ach mailing list