On 14/12/16 07:54, Kevin Long wrote:
> 1. Use easy-rsa3 or equivalent openssl commands to generate your
> keys/certificates using elliptic curve (instead of RSA).

I'm no crypto expert, but I believe there are some concerns about EC and post-quantum computing, where it is believed that RSA will be somewhat stronger (or do I confuse this with AES?). To my knowledge, there is nobody saying RSA-4096 is broken or weak.

> 2. Use the new --tls-crypt feature rather than just --tls-auth (openvpn 2.4)

Yes, this will definitely help, and it is even slated as a kind of "poor man's post-quantum solution" until we have something better.

> 3. Set tls-minimum to 1.2 on both client/server

Sounds reasonable. It sure protects against any downgrade attacks. But on the other hand: if using --tls-crypt/--tls-auth, this can anyhow only happen by one of the clients you have shared a static key with.

> 4. Use a great tls-cipher that utilizes elliptic curve:
> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 ( ?? )
> 5. Use a great cipher for openvpn data channel: AES-256-GCM (openvpn 2.4) ( ?? )

If you use OpenVPN 2.4 on both sides, the crypto will be upgraded to the strongest one by default. No need to tie yourself to specific configuration settings. From my own client log file, where I do not have --cipher nor --tls-cipher. Both sides run a 2.4_rc/git master version.

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

Now, the interesting detail here is that my certificates are not EC certificates, but it has negotiated ECDHE-RSA-AES256-GCM-SHA384 for the control channel. (But EC certificates go further than just ECDHE and AES-256-GCM.)

For more on the deeper crypto details, I'll leave that to Steffan as he understands all of this far better.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
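A way to check what a client actually negotiated against the points raised in this thread (TLS 1.2 or newer, ECDHE key exchange, a 2048-bit-or-longer RSA key, an AEAD data-channel cipher). This is an added example, not code from the thread or from the OpenVPN project; the regexes target the 2.4 log lines David quoted, and the weaker session is constructed for contrast.

```python
import re

# Constructed sample input: the three lines David quotes from his own OpenVPN 2.4 client
# log, plus a constructed weaker session for contrast (the weak one is not from the thread).
GOOD_LOG = """\
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
WEAK_LOG = """\
Control Channel: TLSv1.0, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
"""

CONTROL_RE = re.compile(r"Control Channel: TLSv(\d+)\.(\d+), cipher \S+ ([^,\s]+), (\d+) bit (\w+)")
DATA_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")

def parse_session(log):
    """Pull the negotiated control- and data-channel parameters out of OpenVPN log text."""
    session = {"data": {}}
    for line in log.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            session["tls_version"] = (int(m.group(1)), int(m.group(2)))
            session["tls_cipher"] = m.group(3)
            session["key_bits"] = int(m.group(4))
            session["key_type"] = m.group(5)
            continue
        m = DATA_RE.search(line)
        if m:
            session["data"][m.group(1)] = (m.group(2), int(m.group(3)))
    return session

def check_session(session):
    """Return findings against the thread's recommendations; an empty list means it passes."""
    findings = []
    if session.get("tls_version", (0, 0)) < (1, 2):
        findings.append("control channel negotiated below TLS 1.2")
    if not session.get("tls_cipher", "").startswith("ECDHE-"):
        findings.append("control channel key exchange is not ECDHE (no forward secrecy)")
    if session.get("key_type") == "RSA" and session.get("key_bits", 0) < 2048:
        findings.append("RSA certificate key is shorter than 2048 bits")
    for direction in ("Encrypt", "Decrypt"):
        name, _bits = session["data"].get(direction, ("missing", 0))
        if not name.endswith("-GCM"):
            findings.append(f"data channel {direction}: {name} is not an AEAD (GCM) cipher")
    return findings
```

Run it over the client's log with `--verb 3` or higher; the session David posted yields no findings, while the constructed weak one trips every check.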
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users