[Ach] SWEET32/CVE-2016-2183

René Pfeiffer lynx at luchs.at
Wed Aug 24 21:41:26 CEST 2016


On Aug 24, 2016 at 2127 +0200, Hanno Böck appeared and said:
> On Wed, 24 Aug 2016 21:19:07 +0200
> Akendo <akendo at akendo.eu> wrote:
> 
> > The openvpn configuration includes a keepalive parameter with
> > following values: 10 120
> > 
> > you think this is sufficient? Whereby I'm uncertain about the function
> > in OpenVPN in regards to your statement.
> 
> I have no idea what keepalive means in the context of OpenVPN. My
> suggestion was regarding http.
> 
> Honestly I only learned that openvpn basically uses its own crypto
> quite recently. I don't really understand why they don't simply use
> TLS. Probably an interesting research project to look closer into this.

I believe it's because they have to deal with long-lived VPN connections
that "feature" packet loss. OpenVPN implements the transport via UDP
(although TCP can be used, too). The implementation pre-dates QUIC and
DTLS (initial release of OpenVPN was 2001).

I volunteer to help with the closer look since I use OpenVPN extensively.

Cheers,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  https://web.luchs.at/information/blockedmail.php
Warning: Do _NOT_ send emails with HTML content to my address! No guarantees!
