Hi Jason,

On 01/09/14 00:55, Jason Haar wrote:
> Hi there
>
> I've seen a few people claim it's "more secure" to force the clients to
> use stronger ciphers via the "tls-cipher" option: it stops MiTM
> attacks from spoofing lower-quality connections.
>
> However, surely that depends on when the negotiation occurs? If it
> occurs after the TLS auth section, surely that would have picked up the
> MiTM and ditched the connection anyway? And what about "tls-auth"? We
> use that, so wouldn't that have broken MiTM anyway?
>
> What I'd rather do is keep the clients as "open" as possible and make as
> many cipher/etc decisions as possible on the server, so I'd rather not
> define tls-cipher on the clients, only the server. So am I correct in
> saying that an openvpn network using tls-auth plus client certs should
> be effectively immune to MiTM attacks, thereby making it OK to leave as
> much decision making as possible to the server?

The 'tls-cipher' negotiation is the first part of any OpenVPN connection. It is used to initialize the control channel authentication. The control channel init phase can be strengthened with the 'tls-auth' option, which causes openvpn to drop any packets that are not signed with the right key.
In my opinion the *clients* do not need to specify a stronger list of tls-ciphers, but the server should. If the openvpn server only offers strong ciphers for negotiating the control channel setup then any clients that want to use weak ciphers are automatically excluded. If a weak tls-cipher is chosen then a MitM attack is theoretically possible, or at least someone might be able to decipher the control channel part too quickly. The data channel part is not affected by this.

Hope this clarifies things,

JJK

PS I'll get back to you on the udp fragment stuff later this week - I need to run some tests to validate my claims

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
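As an added illustration of the arrangement JJK describes (not configuration posted in the thread): the server restricts the control-channel cipher list and both sides share a tls-auth key, while the client config carries no tls-cipher line at all. File names, the hostname and the exact cipher list are assumptions.

```conf
# ---- server.conf (added example; paths and names are assumed) ----
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Offer only strong suites for the control-channel TLS handshake.
# A client that can negotiate none of these is rejected before any
# tunnel is set up, so weak suites never have to be allowed on clients.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# HMAC-sign every control-channel packet with the shared ta.key
# (generated once with: openvpn --genkey --secret ta.key).
# Packets without a valid signature are dropped before the TLS
# handshake even begins; direction 0 on the server.
tls-auth ta.key 0

# ---- client.conf (added example) ----
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# Deliberately no tls-cipher line: the server's list decides what is
# negotiated, so cipher policy changes happen in one place.
# Same shared key, opposite direction (1) on the client.
tls-auth ta.key 1
# Insist that the peer presents a server certificate, so a rogue
# endpoint holding only a client certificate from the same CA cannot
# impersonate the server.
remote-cert-tls server
```

`openvpn --show-tls` lists the TLS-* suite names your build accepts, which is the easiest way to check a tls-cipher line before deploying it.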