Hi, I hope that some experts here will be able to tell me if my VPN provider uses weak encryption standards with regard to encryption/decryption of control channel authentication and data channel. Thanks.
Below is a sample of a redacted config file:

remote-random
remote somevpn.com 443
proto tcp-client
tls-client
dev tun
persist-tun
persist-key
nobind
pull
redirect-gateway def1
route-delay 3
auth-user-pass password.txt
verb 3
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
mute-replay-warnings
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
Large chunks of alphanumeric text
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
Large chunks of alphanumeric text
-----END OpenVPN Static key V1-----
</tls-auth>

Below is the client-side log when my machine is trying to connect to one of the VPN servers. It has been redacted for clarity:

Wed Dec 7 08:27:54 2016 OpenVPN 2.3.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Wed Dec 7 08:27:54 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Wed Dec 7 08:27:54 2016 WARNING: file 'password.txt' is group or others accessible
Wed Dec 7 08:27:54 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Dec 7 08:27:54 2016 Control Channel Authentication: tls-auth using INLINE static key file
Wed Dec 7 08:27:54 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 7 08:27:54 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
(redacted for clarity)
Wed Dec 7 08:27:56 2016 Validating certificate key usage
Wed Dec 7 08:27:56 2016 ++ Certificate has key usage 00a0, expects 00a0
Wed Dec 7 08:27:56 2016 VERIFY KU OK
Wed Dec 7 08:27:56 2016 Validating certificate extended key usage
Wed Dec 7 08:27:56 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Dec 7 08:27:56 2016 VERIFY EKU OK
Wed Dec 7 08:27:56 2016 VERIFY OK: depth=0, CN=de1-4096
Wed Dec 7 08:27:57 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Dec 7 08:27:57 2016 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 7 08:27:57 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Dec 7 08:27:57 2016 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 7 08:27:57 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
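
Added example (not part of the original post and not OpenVPN project code): a small parser that pulls the negotiated control channel and data channel parameters, plus any WARNING/NOTE entries, out of a client log in the OpenVPN 2.3 format quoted above. The names summarize and mismatched_directions are hypothetical, and the sample entries are copied from the log in the post.

```python
import re

# Timestamp opening every entry; splitting on it also copes with run-together logs.
TS = re.compile(r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")
RULES = {
    "tls_auth_hmac": re.compile(r"(Outgoing|Incoming) Control Channel Authentication: "
                                r"Using (\d+) bit message hash '([^']+)'"),
    "data_cipher": re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' "
                              r"initialized with (\d+) bit key"),
    "data_hmac": re.compile(r"Data Channel (Encrypt|Decrypt): Using (\d+) bit "
                            r"message hash '([^']+)'"),
    "tls": re.compile(r"Control Channel: ([^,]+), cipher \S+ ([^,]+), (\d+) bit (\w+)"),
    "notices": re.compile(r"(WARNING|NOTE): (.+)"),
}
# Entries copied from the log quoted in the post, deliberately run together.
SAMPLE_LOG = (
    "Wed Dec 7 08:27:54 2016 WARNING: file 'password.txt' is group or others accessible "
    "Wed Dec 7 08:27:54 2016 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication "
    "Wed Dec 7 08:27:54 2016 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication "
    "Wed Dec 7 08:27:57 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key "
    "Wed Dec 7 08:27:57 2016 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication "
    "Wed Dec 7 08:27:57 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key "
    "Wed Dec 7 08:27:57 2016 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication "
    "Wed Dec 7 08:27:57 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA"
)

def summarize(log_text):
    """Return {rule name: [captured groups, ...]} over all entries in the log."""
    found = {name: [] for name in RULES}
    for entry in TS.split(log_text):
        entry = " ".join(entry.split())  # undo line wrapping inside an entry
        for name, rx in RULES.items():
            if m := rx.search(entry):
                found[name].append(m.groups())
    return found

def mismatched_directions(found):
    """Per-direction settings that differ between, or lack, one of the two directions."""
    bad = []
    for name in ("tls_auth_hmac", "data_cipher", "data_hmac"):
        by_dir = {g[0]: g[1:] for g in found[name]}
        if len(by_dir) != 2 or len(set(by_dir.values())) != 1:
            bad.append(name)
    return bad

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report, mismatched_directions(report))
```
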