Hi,

On 07-10-18 10:39, t...@thlu.de wrote:
> OS: Debian 9.5, Raspbian 9.4
> Openvpn: 2.4.6
>
> Is it possible to confirm that ECDH is really used? I have done 3
> tries, and it seems all of them come to the same result:
>
> 1 (old):
> dh /etc/openvpn/dh.pem
> tls-auth /etc/openvpn/ta.key 0
>
> 2:
> dh none
> ecdh-curve secp384r1
> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> tls-crypt /etc/openvpn/ta.key
>
> 3:
> dh /etc/openvpn/dh.pem
> ecdh-curve secp384r1
> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> tls-crypt /etc/openvpn/ta.key
>
> The log result (verb 3) is always the same:
> Sun Oct 7 10:16:48 2018 123.123.123.123:6577 Control Channel: TLSv1.2,
> cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

This log line shows you that the setup is using ECDH for this connection.

> How can I determine differences in the result of my settings, to
> evaluate the security?

If you want to enforce ECDH, you should set 'dh none', such as in your
second example config. At the other side, set a non-ECDH cipher suite
such as TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 to verify that the
connection will fail if the other side doesn't want to do ECDH.

For ECDH-only it's probably best to set 'dh none', but not set
tls-cipher or ecdh-cipher. In recent OpenVPN versions the defaults are
sane and if you get a new, better, cooler openvpn/openssl version in the
future, your config won't restrict you from using the new, better,
cooler crypto it might offer.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
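The reply answers the question in two parts: read the key-exchange family off the verb-3 "Control Channel:" log line, and enforce ECDH on the server with 'dh none' rather than by pinning tls-cipher. The following script, added here as an illustration and not code from the thread or from the OpenVPN project, does both: it parses a handful of constructed control-channel lines (the first mirrors the format of the line quoted above) and reports any peer whose handshake did not use an elliptic-curve exchange, and it inspects a server config to say whether it enforces ECDH in the sense Steffan describes and whether it pins a cipher suite. The regex, the cipher-name classification and the config reader are assumptions of this example; the sample peers and configs are constructed.

```python
"""
Audit OpenVPN verb-3 control-channel log lines for their key-exchange family
and check whether a server config enforces ECDH via 'dh none'.

Added example; not code from the thread or from the OpenVPN project.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log (first line mirrors the thread's verb-3 line format).
SAMPLE_LOG = """\
Sun Oct  7 10:16:48 2018 123.123.123.123:6577 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Oct  7 10:20:03 2018 203.0.113.5:51234 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Oct  7 10:21:10 2018 198.51.100.9:40001 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Oct  7 10:22:45 2018 198.51.100.9:40001 Initialization Sequence Completed
"""

# Constructed configs modelled on the thread's variants 1 and 2.
CONFIG_CLASSIC = """\
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
"""
CONFIG_ENFORCING = """\
dh none
ecdh-curve secp384r1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-crypt /etc/openvpn/ta.key
"""

# Assumed shape of the verb-3 summary line:
# "<peer>:<port> Control Channel: TLSvX, cipher TLSvX <suite>, <n> bit <keytype>"
CONTROL_CHANNEL_RE = re.compile(
    r"(?P<peer>\S+:\d+) Control Channel: (?P<proto>TLSv[\d.]+), "
    r"cipher (?P<cproto>TLSv[\d.]+) (?P<cipher>[A-Za-z0-9_-]+)"
    r"(?:, (?P<keybits>\d+) bit (?P<keytype>\w+))?"
)


def classify_kex(proto: str, cipher: str) -> str:
    """Map an OpenSSL-style suite name to its key-exchange family."""
    if proto == "TLSv1.3" or cipher.startswith("TLS_"):
        # TLS 1.3 suite names carry no kex; the handshake is always ephemeral.
        return "TLS1.3"
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"
    # No kex prefix (e.g. AES256-GCM-SHA384) means static RSA key transport.
    return "RSA"


def parse_control_channel(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of a control-channel line, or None for others."""
    m = CONTROL_CHANNEL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kex"] = classify_kex(rec["proto"], rec["cipher"])
    return rec


def audit_log(text: str) -> List[Dict[str, str]]:
    """Parse every control-channel line in a log excerpt."""
    return [r for r in (parse_control_channel(l) for l in text.splitlines()) if r]


def non_ecdh_handshakes(text: str) -> List[str]:
    """Peers whose handshake did not use an elliptic-curve (or TLS 1.3) exchange."""
    return [r["peer"] for r in audit_log(text) if r["kex"] not in ("ECDHE", "TLS1.3")]


def parse_config(text: str) -> Dict[str, str]:
    """Minimal OpenVPN config reader: option name, then the rest of the line."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        key, _, val = line.partition(" ")
        opts[key] = val.strip()
    return opts


def enforces_ecdh(config_text: str) -> bool:
    """'dh none' removes the classic DH parameters, so no DHE suite can be agreed."""
    return parse_config(config_text).get("dh", "").lower() == "none"


def pins_cipher_suite(config_text: str) -> bool:
    """True when tls-cipher is set, i.e. the config may block newer suites later."""
    return "tls-cipher" in parse_config(config_text)


if __name__ == "__main__":
    for rec in audit_log(SAMPLE_LOG):
        print(f"{rec['peer']:22} {rec['proto']:8} {rec['cipher']:32} kex={rec['kex']}")
    print("non-ECDH peers:", non_ecdh_handshakes(SAMPLE_LOG))
    for name, cfg in (("classic", CONFIG_CLASSIC), ("enforcing", CONFIG_ENFORCING)):
        print(f"{name}: enforces ECDH={enforces_ecdh(cfg)} pins suite={pins_cipher_suite(cfg)}")
```

Run it against a real server log (grep for "Control Channel:") to get a per-peer view rather than relying on a single line, and note that the config check only encodes the reply's rule about 'dh none'; it says nothing about which curve or suite OpenSSL will actually pick, which is what the log line tells you.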