[Ach] OpenVPN and ACH
Aaron Zauner
azet at azet.org
Thu Feb 19 16:56:05 CET 2015
Aaron Zauner wrote:
> Hi,
>
> L. Aaron Kaplan wrote:
>> No, I disagree. Not mentioning OpenVPN and the issues you are seeing
>> makes the guide *weaker* than having it in there with *clear* warnings.
>> Why? Because people will use OpenVPN *anyway*.
>> No matter if you remove the OpenVPN section or not.
>> Better to have a clear message on this.
>>
>
> Ok. So how does our guide exactly help people that use OpenVPN anyway?
> Nothing in this document improves the default security as shipped with
> OpenVPN.
>
E.g. the server configuration file in our repo currently ships with:
```
...
# Attention: it must fit in 256 bytes, so not the infamous CipherStringB!
tls-cipher
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
...
```
Of course this cipherstring is bogus since it automatically falls back
to AES256-SHA. Compression on the VPN link layer is also enabled while
it is unclear how different compression algorithms interfere with TLS
encrypted traffic.
Upstream OpenVPN defaults and configurations shipped are identical.
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150219/ef294ff9/attachment.sig>
More information about the Ach
mailing list