On 11/03/13 21:17, jack seth wrote:
> I can't connect to my openvpn server using the option 'tls-cipher
> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I
> made to the server and client configs. They were working perfectly
> before this. Here is the relevant log info
You cannot arbitrarily change the authentication mode of TLS without understanding what you have done and taking care to supply the necessary authentication components. The short answer for you: don't use any TLS cipher-suites unless they begin with TLS-DHE-RSA. More details below.

RSA is one type of asymmetric encryption that uses RSA keypairs to perform the cryptographic verification between peers. OpenVPN used in a TLS mode with RSA requires RSA keypairs and valid X.509 certificates as the basis for authentication. If you intended to use client-based username/password authentication, read about --auth-user-pass-verify and --auth-user-pass in the manpage.

By selecting an SRP authentication method, you are asking for a completely different mode of operation that is based on establishing a session encryption key from passwords. This does not work in OpenVPN's context because the concept of a client or server's commonName is bound to the X.509 certificate field by the same name. Thus, you cannot use SRP with openvpn without significant modification to the openvpn program.

You said this was "the only change you made" and this is why you get TLS negotiation errors: SRP is completely different than certificates, and you are apparently using RSA-based X.509 certificates and then attempting to use a non-certificate based TLS authentication model. Put another way: you are trying to put a square peg in a round hole.

Stick with the TLS ciphers that begin with TLS-DHE-RSA. DHE (an Ephemeral Diffie-Hellman exchange) provides forward-secrecy, and RSA is required when you have RSA keypairs. DSA keys are another option, but are less secure as the spec requires them to be exactly 1024 bits (general advice today is to use 2048-bit RSA keys.) As noted above, you cannot "just enable" a DSA mode without actually generating DSA keypairs and associated signed certificates.
I'll also note that unless you are running a git-master build of openvpn, you are currently limited to TLSv1.0 cipher-suites; specifically, this means you cannot (with openvpn 2.3.2 or earlier) use any TLS cipher-suites that use GCM. A git-master commit adds TLS-negotiation support if you wish to try out these ciphers. People wishing to review this feature under Windows can also see an unofficial pre-release build project I started here: http://sourceforge.net/projects/openvpnpreviews/

-- 
Josh
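As an added example (not code from the thread or from the OpenVPN project), the following POSIX shell script turns the advice above into a check a defender can run before restarting a daemon: it reads the `tls-cipher` directive from an OpenVPN config and rejects any suite that does not begin with TLS-DHE-RSA, which is the only family that matches RSA keypairs and X.509 certificates on an OpenVPN 2.3.x build. The two sample client fragments are constructed here (the failing SRP suite from the question beside a corrected TLS 1.0 DHE-RSA suite); the certificate paths, hostname and function names are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the OpenVPN project:
# audit the tls-cipher directive of an OpenVPN config against the advice in the
# reply above (only suites beginning with TLS-DHE-RSA for an RSA/X.509 setup).
# Function names, file names and the sample configs are constructed here.

# check_tls_cipher CONFIG
# Exit status 0 when every suite listed on `tls-cipher` lines starts with
# TLS-DHE-RSA (or when no tls-cipher line exists, so OpenVPN keeps its default
# list); 1 otherwise. Offending suites are reported on stderr.
check_tls_cipher() {
    cfg=$1
    rc=0
    # tls-cipher takes one colon-separated list; taking $2 drops any trailing
    # comment on the line.
    lists=$(awk '$1 == "tls-cipher" { print $2 }' "$cfg")
    for suite in $(printf '%s\n' "$lists" | tr ':' ' '); do
        case $suite in
            TLS-DHE-RSA-*) ;;
            *) printf '%s: suite %s does not begin with TLS-DHE-RSA\n' \
                   "$cfg" "$suite" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# write_sample_configs DIR
# Writes two constructed client fragments: the failing one from the question
# and the corrected one. Certificate paths and the remote are placeholders.
write_sample_configs() {
    dir=$1
    mkdir -p "$dir"
    # 'before': RSA keypair and X.509 certificates, but an SRP cipher suite
    cat > "$dir/broken.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-cipher TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
EOF
    # 'after': a TLS 1.0 DHE-RSA suite that matches the RSA credentials
    cat > "$dir/fixed.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
EOF
}

# Stand-alone demonstration: check both fragments and report.
demo_dir=${TMPDIR:-/tmp}/ovpn-cipher-demo.$$
write_sample_configs "$demo_dir"
for f in broken.conf fixed.conf; do
    if check_tls_cipher "$demo_dir/$f"; then
        echo "$f: tls-cipher is consistent with RSA/X.509 credentials"
    else
        echo "$f: fix tls-cipher before restarting openvpn"
    fi
done
rm -rf "$demo_dir"
```

The check is deliberately strict in the way the reply is: it accepts only the TLS-DHE-RSA family rather than trying to classify every suite name, because on the configs in question the credentials are RSA keypairs and X.509 certificates, and any suite requiring SRP, DSS or PSK credentials will fail the TLS handshake in exactly the way the question describes.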