[Ach] SWEET32/CVE-2016-2183

René Pfeiffer lynx at luchs.at
Wed Aug 24 21:48:46 CEST 2016


On Aug 24, 2016 at 2119 +0200, Akendo appeared and said:
> The openvpn configuration includes a keepalive parameter with following
> values: 10 120
> 
> you think this is sufficient? Whereby I'm uncertain about the function
> in OpenVPN in regards to your statement.

OpenVPN uses the keepalive parameter to determine if the remote end is still
reachable. It is usually used to tune OpenVPN tunnels to lossy or high
latency network links. This means that it is different from Apache's
implementation.

In order to protect your OpenVPN setup I suggest using the ciphers
discussed in the Bettercrypto guide (AES is a good choice). Furthermore I
recommend

- using the shared key created by "openvpn --genkey --secret" to lock out
  scans,
- using X.509 keys and certificates with a private CA (the only option
  which can take advantage of perfect forward secrecy).

Cheers,
René.

-- 
  )\._.,--....,'``.  fL  Let GNU/Linux work for you while you take a nap.
 /,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
Got mail delivery problems?  https://web.luchs.at/information/blockedmail.php
Warning: Do _NOT_ send emails with HTML content to my address! No guarantees!
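As an added example (not part of the thread, the Bettercrypto guide or OpenVPN itself): a small Python audit that checks an OpenVPN config for the three points raised above, a 64-bit block cipher of the SWEET32 class, the tls-auth shared key, and X.509 instead of static-key mode, while deliberately ignoring `keepalive`, which only tunes liveness detection. The sample configs are constructed; the build default of BF-CBC refers to OpenVPN 2.3.

```python
import re

# Ciphers with a 64-bit block, the class SWEET32 targets: Blowfish, DES/3DES, CAST5, IDEA, RC2.
SIXTY_FOUR_BIT_BLOCK = re.compile(r"^(BF|DES|DESX|CAST5|IDEA|RC2)(-|$)", re.I)

def parse_config(text):
    """Map each OpenVPN directive to its argument lists; inline <ca>...</ca> blocks count as present."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                              # inside an inline file block: skip to its end tag
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            opts.setdefault(inline, []).append(["<inline>"])
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return (code, message) findings for the points raised in the thread; [] means all covered."""
    opts, findings = parse_config(text), []
    cipher = opts["cipher"][-1][0] if opts.get("cipher") and opts["cipher"][-1] else None
    if cipher is None:
        findings.append(("default-cipher",
                         "no 'cipher' directive: the build default applies (BF-CBC on OpenVPN 2.3)"))
    elif SIXTY_FOUR_BIT_BLOCK.match(cipher):
        findings.append(("weak-cipher", f"cipher {cipher} has a 64-bit block (SWEET32); use AES"))
    if "secret" in opts:                        # static-key mode: no perfect forward secrecy
        findings.append(("static-key", "static-key mode: use X.509 keys with a private CA instead"))
    elif not ("tls-auth" in opts or "tls-crypt" in opts):
        findings.append(("no-tls-auth", "no tls-auth/tls-crypt: add the key from 'openvpn --genkey --secret'"))
    # 'keepalive 10 120' is intentionally not inspected: it only tunes liveness detection.
    return findings

# Constructed samples: a TLS-mode server with the old defaults, and the hardened version.
WEAK = """# constructed sample
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher BF-CBC
keepalive 10 120
"""
HARDENED = WEAK.replace("cipher BF-CBC", "cipher AES-256-CBC\ntls-auth ta.key 0")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```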