Hi there, I've seen a few people claim it's "more secure" to force the clients to use stronger ciphers via the "tls-cipher" option: it stops MiTM attacks from spoofing lower-quality connections.
However, surely that depends on when the negotiation occurs? If it occurs after the TLS auth section, surely that would have picked up the MiTM and ditched the connection anyway? And what about "tls-auth"? We use that, so wouldn't that break MiTM anyway?

What I'd rather do is keep the clients as "open" as possible and make as many cipher/etc. decisions as possible on the server, so I'd rather not define tls-cipher on the clients, only on the server. So am I correct in saying that an OpenVPN network using tls-auth plus client certs should be effectively immune to MiTM attacks, thereby making it OK to leave as much decision making as possible to the server?

Thanks!

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
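For reference, a server/client configuration pair that matches the setup the post describes (tls-auth on both ends, client certificates verified by the server, tls-cipher set only on the server). This is an added illustration, not configuration from the post or from Jason's network; the file paths, the hostname vpn.example.com and the server certificate CN are placeholders. The point it shows is which side each control is enforced on: tls-auth gates control-channel packets with a pre-shared HMAC key before the TLS stack sees them, the certificate checks bind each end to an identity, and the server's tls-cipher list governs the negotiated TLS suite because the server picks from the intersection of its list and the client's offer. The data-channel `cipher`/`auth` settings are the one thing that cannot be left to the server alone in OpenVPN 2.3: they are not negotiated and must match on both sides.

```conf
##### server.conf  (added example; paths are placeholders) #####
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# tls-auth: every control-channel packet must carry an HMAC computed with the
# pre-shared ta.key. Packets from anyone without that key are dropped before
# they reach the TLS handshake code. Direction 0 on the server, 1 on clients.
tls-auth /etc/openvpn/ta.key 0

# Client certificates: each client cert is verified against ca.crt, and
# remote-cert-tls additionally requires the client-type key usage/EKU, so a
# stolen *server* certificate cannot be replayed as a client.
remote-cert-tls client

# TLS control-channel suite list. The server chooses from the intersection of
# this list and the client's offer, so restricting it here keeps weak suites
# out even when clients leave tls-cipher unset.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2

# Data channel. Not negotiated in OpenVPN 2.3: must be identical on both ends.
cipher AES-256-CBC
auth SHA256

##### client.conf  (added example; hostname/CN are placeholders) #####
client
dev tun
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert client.crt
key  client.key

# Same pre-shared HMAC key, opposite direction.
tls-auth ta.key 1

# Reject any peer whose certificate lacks the server key usage/EKU, and pin
# the expected server identity, so a CA-issued *client* cert cannot be used
# by a man in the middle to impersonate the server.
remote-cert-tls server
verify-x509-name "vpn.example.com" name

# Must match the server (not negotiated in 2.3).
cipher AES-256-CBC
auth SHA256

# Deliberately no tls-cipher here: the server's list decides the TLS suite.
```

Usage: generate `ta.key` once with `openvpn --genkey --secret ta.key` and distribute it to every client alongside its own certificate; both `remote-cert-tls` lines only work if the CA issues server and client certificates with the corresponding key usage/EKU (easy-rsa's `build-server-full` / `build-client-full` do this).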