# lsb_release -a
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
# openvpn --version
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 13 2019
library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10

Hello @all

Once every year I check my OpenVPN settings to see if everything is up to date. This was a log entry last year that showed that DHE has agreed on an ephemeral key:

Sun Oct 7 10:16:48 2018 123.123.123.123:6577 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Now it looks different on the control channel ... neither of the two cipher suites in the conf is used. Regardless of my settings, the same other suite is always used, so I'm afraid it's a static key again. Now I think possibly there is a problem... ? I looked at the verbose logs and searched the web, but I can't find a helpful clue anywhere.

Settings Server ECDH:
dh none
ecdh-curve secp384r1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# grep -i channel openvpn_udp.log
Thu Nov 14 10:35:04 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 14 10:35:04 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 14 10:35:04 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 14 10:35:04 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 14 10:37:03 2019 3.137.231.167:15653 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Nov 14 10:37:04 2019 3.137.231.167:15653 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 14 10:37:04 2019 3.137.231.167:15653 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Settings Server RSA:
dh /etc/openvpn/keys/dh.pem
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# grep -i channel openvpn_udp.log
Thu Nov 14 10:41:46 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 14 10:41:46 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 14 10:41:46 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 14 10:41:46 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Nov 14 10:41:59 2019 3.137.231.167:17461 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Nov 14 10:42:00 2019 3.137.231.167:17461 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Nov 14 10:42:00 2019 3.137.231.167:17461 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Is there a problem? Thank you!
Best Regards
TomL
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
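
The check the post performs by eye, as an added example that is not part of the original message: a small Python audit of the "Control Channel" summary lines that reports whether each negotiated handshake used an ephemeral key exchange. It relies on two facts outside the post: TLS 1.3 suite names such as TLS_AES_256_GCM_SHA384 do not name a key exchange because certificate-based TLS 1.3 handshakes always use (EC)DHE, and `tls-cipher` only restricts TLS 1.2 and below (OpenVPN 2.4.7 and later use `tls-ciphersuites` for TLS 1.3). The log lines and the 192.0.2.x addresses are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the "Control Channel" format quoted in the post
# (192.0.2.x are documentation addresses, not values from the page).
SAMPLE_LOG = """\
Sun Oct 7 10:16:48 2018 192.0.2.10:6577 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Nov 14 10:35:04 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Nov 14 10:37:03 2019 192.0.2.10:15653 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Nov 14 10:40:00 2019 192.0.2.11:4000 Control Channel: TLSv1.2, cipher TLSv1.2 AES256-GCM-SHA384, 2048 bit RSA
"""

# Matches only the TLS handshake summary, not the "Control Channel Encryption:"
# lines, which describe the static tls-crypt wrapper around the control packets.
SUMMARY = re.compile(r"Control Channel: (?P<ver>TLSv[\d.]+), cipher \S+ (?P<suite>[\w-]+)")


def key_exchange(version, suite):
    """Return 'ephemeral' or 'static' for a negotiated TLS version and suite name."""
    if version == "TLSv1.3":
        # TLS 1.3 suite names carry only the AEAD and hash; a certificate-based
        # handshake always uses an (EC)DHE key share.
        return "ephemeral"
    # OpenSSL names for TLS 1.2 and below put the key exchange first.
    if suite.startswith(("ECDHE-", "DHE-")):
        return "ephemeral"
    # e.g. "AES256-GCM-SHA384" (RSA key transport) or "ECDH-..." (fixed ECDH)
    return "static"


def audit(log_text):
    """Return (version, suite, verdict) for every control-channel summary line."""
    results = []
    for line in log_text.splitlines():
        m = SUMMARY.search(line)
        if m:
            ver, suite = m.group("ver"), m.group("suite")
            results.append((ver, suite, key_exchange(ver, suite)))
    return results


if __name__ == "__main__":
    for ver, suite, verdict in audit(SAMPLE_LOG):
        print(f"{ver:8} {suite:32} {verdict}")
```

The "4096 bit RSA" at the end of the summary line is the size of the peer certificate's key used for authentication, not the key exchange.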