Hi,

On 14-12-16 17:31, Sebastian Rubenstein wrote:
> I hope that some experts here will be able to tell me if my VPN provider uses
> weak encryption standards with regards to encryption/decryption of control
> channel authentication and data channel? Thanks.
>
> Below is a sample of a redacted config file:
>
> tls-client

This means you're using TLS for forward secrecy, and are refreshing your data
channel keys (at least) hourly. That's good.

> remote-cert-tls server

You are checking that you are connecting to someone with a *server* certificate
(so not just some other client pretending to be a server).

> cipher AES-256-CBC
> auth SHA512

You are using AES-256-CBC for data channel encryption, which is very strong, and
HMAC-SHA512 for data channel authentication, which is very strong too (frankly,
overly strong. SHA256 gives you 32 bytes per packet overhead instead of 64, and
is also very strong).

> key-direction 1
> <tls-auth>
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
>
> Large chunks of alphanumeric text
>
> -----END OpenVPN Static key V1-----
> </tls-auth>

You're using TLS-auth to protect against mitm attacks on your TLS connection,
which is very good. key-direction 1 means you are using different keys for
client-server and server-client traffic, which is good too.

> Wed Dec 7 08:27:57 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3
> ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Your private key is RSA-4096, which is plenty strong too. You might want to
consider elliptic curve certificates to gain some connection setup speed, but
you will probably not gain any extra security by that.

So, all in all, very decent setup. Once you move to OpenVPN 2.4 (which is
nearing release), you switch from --tls-auth to --tls-crypt for some
"poor-man's" post-quantum security, and use AES-256-GCM for more efficiency on
the data channel.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
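The checks Steffan walks through above (TLS client mode, remote-cert-tls server, cipher and auth choice, tls-auth or tls-crypt with key-direction) can be turned into a small config linter. The script below is an added example for this thread, not OpenVPN project code or anything from the original posts: it parses only the subset of OpenVPN client-config syntax needed here (one option per line, `<name>` inline blocks, `#`/`;` comment lines), and the sample config it carries is constructed to mirror the redacted one in the thread, with a placeholder hostname and placeholder key material. The per-packet HMAC overhead is derived from the digest size, which is where the 64-versus-32-byte remark for SHA512 versus SHA256 comes from.

```python
"""Lint an OpenVPN client config for the control- and data-channel settings
discussed in the thread. Added example; not OpenVPN project code."""
import hashlib
import re

# Constructed sample modelled on the redacted config quoted in the thread;
# the remote host and the static key material are placeholders.
SAMPLE_CONFIG = """\
client
tls-client
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def parse_config(text):
    """Split an OpenVPN config into plain options and <inline> blocks.
    Returns (options, blocks): options maps name -> list of argument lists
    (an option may repeat), blocks maps block name -> raw block body."""
    options, blocks = {}, {}
    block_name, block_lines = None, []
    for line in text.splitlines():
        if block_name is not None:          # inside <name> ... </name>
            if line.strip() == "</%s>" % block_name:
                blocks[block_name] = "\n".join(block_lines)
                block_name, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":   # blank or comment line
            continue
        m = re.match(r"<([\w-]+)>$", stripped)
        if m:
            block_name = m.group(1)
            continue
        name, *args = stripped.split()
        options.setdefault(name, []).append(args)
    if block_name is not None:
        raise ValueError("unterminated <%s> block" % block_name)
    return options, blocks


def auth_overhead_bytes(digest):
    """Bytes of HMAC tag --auth appends to each data-channel packet."""
    return hashlib.new(digest.lower()).digest_size


def classify_cipher(cipher):
    """'aead' (integrity built in), 'cbc' (needs --auth), 'default', or 'review'."""
    if cipher is None:
        return "default"
    c = cipher.upper()
    if re.fullmatch(r"AES-(128|192|256)-GCM", c):
        return "aead"
    if re.fullmatch(r"AES-(128|192|256)-CBC", c):
        return "cbc"
    return "review"


def analyse(text):
    """Return a list of (level, message) findings; level is ok, info or warn."""
    opts, blocks = parse_config(text)
    f = []

    def first_arg(name):
        for args in opts.get(name, []):
            if args:
                return args[0]
        return None

    if "tls-client" in opts or "client" in opts:
        f.append(("ok", "tls-client: TLS control channel, ephemeral data-channel keys"))
    else:
        f.append(("warn", "no tls-client/client: not a TLS-mode client configuration"))

    if ["server"] in opts.get("remote-cert-tls", []):
        f.append(("ok", "remote-cert-tls server: peer must present a server certificate"))
    else:
        f.append(("warn", "remote-cert-tls server missing: a client certificate from the "
                          "same CA would be accepted as the server"))

    cipher, kind = first_arg("cipher"), classify_cipher(first_arg("cipher"))
    if kind == "aead":
        f.append(("ok", "cipher %s: AEAD, packet integrity is part of the cipher" % cipher))
    elif kind == "cbc":
        f.append(("ok", "cipher %s: strong; packet integrity depends on --auth" % cipher))
    elif kind == "default":
        f.append(("warn", "cipher not set: the OpenVPN default applies, set it explicitly"))
    else:
        f.append(("warn", "cipher %s: not an AES mode, review against current guidance" % cipher))

    auth = first_arg("auth")
    if auth is None:
        f.append(("warn", "auth not set: the OpenVPN default digest applies, set it explicitly"))
    else:
        try:
            tag = auth_overhead_bytes(auth)
        except ValueError:
            f.append(("warn", "auth %s: unknown digest" % auth))
        else:
            if kind == "aead":
                f.append(("info", "auth %s: not applied to data packets with an AEAD cipher, "
                                  "still keys the tls-auth/tls-crypt HMAC" % auth))
            else:
                f.append(("info", "auth %s: HMAC adds %d bytes to every data packet" % (auth, tag)))

    if "tls-crypt" in opts or "tls-crypt" in blocks:
        f.append(("ok", "tls-crypt: control-channel packets authenticated and encrypted"))
    elif "tls-auth" in opts or "tls-auth" in blocks:
        f.append(("ok", "tls-auth: control-channel packets HMAC-authenticated before TLS"))
        direction = first_arg("key-direction")
        if direction is None:   # direction may also be the 2nd tls-auth argument
            for args in opts.get("tls-auth", []):
                if len(args) >= 2:
                    direction = args[1]
        if direction in ("0", "1"):
            f.append(("ok", "key-direction %s: separate HMAC keys per traffic direction" % direction))
        else:
            f.append(("info", "no key-direction: one HMAC key used for both directions"))
    else:
        f.append(("warn", "neither tls-auth nor tls-crypt: control channel accepts "
                          "unauthenticated packets before the TLS handshake"))
    return f


def worst_level(findings):
    """'warn' if any finding is a warning, otherwise 'ok'."""
    return "warn" if any(level == "warn" for level, _ in findings) else "ok"


if __name__ == "__main__":
    for level, msg in analyse(SAMPLE_CONFIG):
        print("[%-4s] %s" % (level, msg))
```

Run it against a real client `.ovpn` by reading the file into `analyse()`; the sample above yields no warnings, only the informational note that HMAC-SHA512 costs 64 bytes per packet. Dropping `remote-cert-tls server` or the `<tls-auth>` block from a config is enough to turn the overall level to `warn`, which is the kind of regression a provider-supplied config is worth checking for before trusting it.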