> Message: 1 > Date: Mon, 04 Nov 2013 13:37:31 -0600 > From: Josh Cepek <josh.ce...@usa.net> > Subject: Re: [Openvpn-users] Can't connect using tls-cipher > TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA > To: openvpn-users@lists.sourceforge.net > Message-ID: <l594mb$l3g$1...@ger.gmane.org> > Content-Type: text/plain; charset=ISO-8859-1 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/03/13 21:17, jack seth wrote: >> I can't connect to my openvpn server using the option 'tls-cipher >> TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA'. This is the only change I >> made to the server and client configs. They were working perfectly >> before this. Here are the relevant log info > > You cannot arbitrarily change the authentication mode of TLS without > understanding what you have done and taken care to supply the necessary > authentication components. > > The short answer for you: don't use any TLS cipher-suites unless they > begin with TLS-DHE-RSA. More details below. > > RSA is one type of asymmetric encryption that uses RSA keypairs to > perform the cryptographic verification between peers. OpenVPN used in a > TLS mode with RSA requires RSA keypairs and valid X.509 certificates as > the basis for authentication. If you intended to user client-based > username/password authentication, read about --auth-user-pass-verify and > - --auth-user-pass in the manpage. > > By selecting an SRP authentication method, you are asking for a > completely different mode of operation that is based on establishing a > session encryption key based on passwords. This does not work in > OpenVPN's context because the concept of a client or server's commonName > is bound to the X.509 certificate field by the same name. Thus, you > cannot use SRP with openvpn without significant modification to the > openvpn program. > > You said this was "the only change you made" and this is why you get TLS > negotiation errors: SRP is completely different than certificates, and > you are apparently using RSA-based X.509 certificates and then > attempting to use a non-certificate based TLS authentication model. Put > another way: you are trying to put a square peg in a round hole. > > Stick with the TLS ciphers that begin with TLS-DHE-RSA. DHE (an > Ephemeral Diffie-Hellman exchange) provides forward-secrecy, and RSA is > required when you have RSA keypairs. DSA keys are another option, but > are less secure as spec requires them to be exactly 1024 bits (general > advice today is to use 2048-bit RSA keys.) As noted above, you cannot > "just enable" a DSA mode without actually generating DSA keypairs and > associated signed certificates. > > I'll also note that unless you are running a git-master build of > openvpn, you are currently limited to TLSv1.0 cipher-suites; > specifically, this means you cannot (with openvpn 2.3.2 or earlier) use > any TLS cipher-suites that use GCM. A git-master commit adds > TLS-negotiation support if you wish to try out these ciphers. People > wishing to review this feature under Windows can also see an unofficial > pre-release build project I started here: > http://sourceforge.net/projects/openvpnpreviews/ > > - -- > Josh > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.20 (GNU/Linux) > > iQGcBAEBAgAGBQJSd/d6AAoJENcx2Xpgb9RjL5UMAJjxsPIQJOVl4Yb9txPiZE6z > NoZwsq7rR93Kmlm1M77qnu15gtFdcfzMbq15fmRoNeLDEYNLOzQZD6ziV77tqHrK > tzIiNarmfmtGezj9JKfzTykZZ4QVxHDzMYxXDiKxcALVlRrxPY852ZoD1RAhvWxg > DmH2AXAc0h2YmroHYYiQ1uoKd9bbL0mNdTm2FkbbDgNS/cm7lapyUWzjNkr8PbDm > 2FzmNuk0JQmWeSKWTAKcJ6szMYpxF6rMybE8SmwzxzTS8xbOr+TPrV1phegQzjG2 > j0gZaD5hS4AgRcGqcBSVcpFQ+DTZYfJKmJWGCjDrdqLT7ZchS0iP8ULBuToL5jHy > nDDCXFzuS3BN6ZfWYZ6752b6tfyPQER8uCvvM6i6vMhg7YcEMlwxeJ1pREDQnZji > MOV0oyC9u+WN0gD7Bw+u3204GX/mAo6FbZYgAHznnWSIUusadrTPT5vzH5KtxpVG > 00qczb5eiwkttt4k1b7KJafM/naVdroTFsDmP4PLsg== > =jBAy > -----END PGP SIGNATURE-----
Thanks Josh for the education. I will try one of the other methods you suggested. I just chose the one I did because it was at the top of the list on the server. Is there a site or document that one could read that discusses some of these nuances? ------------------------------------------------------------------------------ November Webinars for C, C++, Fortran Developers Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
