On 06/11/19 15:14, Gert Doering wrote:
> Hi,
>
> On Wed, Nov 06, 2019 at 02:58:22PM +0100, David Sommerseth wrote:
>> We discussed last year at the hackathon a possibility to add a kind of plugin
>> interface to exchange the PRF with something else.  Another option would be to
>> have a new --prf option to be able to switch to a stronger PRF function.  But
>> if we can't easily swap out the PRF function unless both sides do the same,
>> otherwise the data channel key will be different on each side of the tunnel -
>> which won't work well with symmetric encryption.
> This might actually be pushable...  NCP_VERSION 2.0?


What might work is this:
- client pushes a flag that it can do PRF2 (for lack of a better name)
- server decides whether it wants to do PRF or PRF2 for this client
- if we decide to go for PRF2, then push an option to the client to (re)adjust the session keys

JM2CW,

JJK
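
The three steps above, as an added sketch that is not part of the original message or of OpenVPN's code: it shows that both peers end up with the same data channel key only when they run the same PRF, and how the advertise/decide/push sequence keeps an old client working. Assumptions: "PRF" is modelled as the TLS 1.0 PRF (RFC 2246), "PRF2" as a P_SHA256 expansion, and the flag names, label, secret and seed are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(name, secret, seed, n):
    """RFC 2246 section 5 P_hash: HMAC-based expansion to n bytes."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:n]

def prf_tls10(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5(S1) XOR P_SHA1(S2), secret split into halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, n)
    sha1 = p_hash("sha1", s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf2_sha256(secret, label, seed, n):
    """Stand-in for "PRF2" (assumption): P_hash with SHA-256."""
    return p_hash("sha256", secret, label + seed, n)

PRFS = {"PRF": prf_tls10, "PRF2": prf2_sha256}
LABEL = b"example key expansion"          # constructed label
SECRET = bytes(range(48))                 # constructed shared secret
SEED = b"client-random" + b"server-random"  # constructed seed

def derive_keys(prf_name, n=64):
    """Expand the shared secret into n bytes of data channel key material."""
    return PRFS[prf_name](SECRET, LABEL, SEED, n)

def server_choose(client_flags, server_allows_prf2=True):
    """Step 2: the server picks PRF2 only if the client advertised it."""
    return "PRF2" if server_allows_prf2 and "PRF2" in client_flags else "PRF"

def negotiate(client_flags, server_allows_prf2=True):
    """Steps 1-3; returns (chosen, client_keys, server_keys)."""
    chosen = server_choose(client_flags, server_allows_prf2)
    server_keys = derive_keys(chosen)
    pushed = chosen if chosen == "PRF2" else None   # step 3: pushed option
    client_keys = derive_keys(pushed or "PRF")      # re-derive only if told to
    return chosen, client_keys, server_keys

if __name__ == "__main__":
    for flags in (["PRF2"], []):
        chosen, ck, sk = negotiate(flags)
        print(flags, chosen, "keys match:", hmac.compare_digest(ck, sk))
```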



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
