On 10/24/2011 11:03 AM, Jan Just Keijser wrote:
Adriaan de Jong wrote:
Unfortunately BF isn't supported in PolarSSL though.

Do you have any other suggestions? I'm open to most ideas other than "implement 
blowfish" :)
Hmmm, then perhaps the default should be changed to AES-128?

That's an interesting option, but changing that default might cause even more pain :)

I foresee a lot of openvpn-users mails and forum hits from people saying stuff like 'I am running openvpn 2.1 on the server using default settings and am connecting using openvpn 2.3/polarssl and bla bla': we need to think about how we want to tackle issues like that (is there a way to determine at runtime which version of which SSL implementation is used? OpenSSL has such a (runtime!) call).
You can see the local SSL implementation in the header, but not the remote one (at the moment).

The ideal solution would be to set a 'crypto negotiation phase' during which the client and server negotiate about the available crypto routines, pretty much like the "standard" TLS/SSL protocol does (and which is done on the OpenVPN control channel, but not on the data channel).
That might be a good idea, as long as there are good filter options to enforce policy. It would probably require a protocol change though.

Adriaan
