Hi,

On Thu, Mar 25, 2021 at 01:01:20AM +0100, Arne Schwabe wrote:
> The non-TLS mode is a relic from OpenVPN 1.x or 2.0. When TLS mode was
> introduced, the advantages of TLS over non-TLS were small, but TLS mode
> evolved to include a lot more features (NCP, multipeer, AEAD ciphers, to name
> a few).

I think the most prominent benefit is "use of a session key which is
independent of the shared secret", so perfect forward secrecy even if the
secret is lost. The "features" are a nice benefit, but PFS is the truly
important part, no?

> Today, VPNs that use --secret are mainly used because of their relative ease
> of setup and requiring to set up a PKI. This shortcoming of TLS mode should be
> addressed now with the peer-fingerprint option.

This is fine, I'd say.

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel