Hi,

On Thu, Nov 14, 2019 at 11:35:43AM +0100, Thomas Luening wrote:
> Now it looks different on the control channel ... neither of the two cipher 
> suites in conf is used. Regardless of my settings the 
> same other suite is always used, so I'm afraid it's a static key again. Now 
> I think possibly there is a problem... ? I looked 
> at the verbose logs and searched the web, but I can't find a helping clue 
> anywhere.

As David explained in great detail just last week, the data channel keying
is seeded from the TLS handshake.  Always.

So unless you decide to run OpenVPN without TLS (which you can, but which
has not been recommended for 10+ years), you will never have a static
key for the data channel.

> Settings Server ECDH:
> dh none
> ecdh-curve secp384r1
> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

This is control channel.

> # grep -i channel openvpn_udp.log
> Thu Nov 14 10:37:04 2019 3.137.231.167:15653 Outgoing Data Channel: Cipher 
> 'AES-256-GCM' initialized with 256 bit key 
> 
> Thu Nov 14 10:37:04 2019 3.137.231.167:15653 Incoming Data Channel: Cipher 
> 'AES-256-GCM' initialized with 256 bit key

This is data channel.  The 256 bit key is generated from the TLS key material.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
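The derivation Gert refers to, as an added example that is not part of this thread: a small Python model of OpenVPN's key-method-2 data-channel key expansion (TLS 1.0 PRF over the labels "OpenVPN master secret" and "OpenVPN key expansion"), fed with constructed stand-ins for the values both peers exchange inside the TLS session. The key2 slot layout and the client/server direction mapping follow my reading of OpenVPN 2.4's ssl.c and are assumptions here, not something the thread states.

```python
import hashlib
import hmac


def p_hash(digest, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_hash (RFC 2246 section 5): HMAC chain with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    md5_out = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1_out = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_out, sha1_out))


def openvpn_data_keys(pre_master: bytes, client_random1: bytes, server_random1: bytes,
                      client_random2: bytes, server_random2: bytes,
                      client_sid: bytes, server_sid: bytes) -> dict:
    """Key-method-2 style expansion: both peers contribute fresh randomness inside the
    TLS session, so the data-channel keys are new for every handshake (nothing static)."""
    master = tls1_prf(pre_master, b"OpenVPN master secret",
                      client_random1 + server_random1, 48)
    blob = tls1_prf(master, b"OpenVPN key expansion",
                    client_random2 + server_random2 + client_sid + server_sid, 256)
    # Assumed key2 layout: [client cipher 64][client hmac 64][server cipher 64][server hmac 64].
    # An AES-256 data-channel cipher takes the first 32 bytes of its cipher slot
    # (the "256 bit key" in the log); client->server traffic uses the client slots.
    return {
        "client_cipher": blob[0:32],
        "client_hmac": blob[64:128],
        "server_cipher": blob[128:160],
        "server_hmac": blob[192:256],
    }


# Constructed inputs standing in for the values exchanged inside the TLS session.
PRE_MASTER = bytes(range(48))
CR1, SR1 = b"\x01" * 32, b"\x02" * 32
CR2, SR2 = b"\x03" * 32, b"\x04" * 32
CSID, SSID = b"\x05" * 8, b"\x06" * 8


def demo() -> tuple:
    """Derive keys once normally and once after a single server random changes."""
    keys = openvpn_data_keys(PRE_MASTER, CR1, SR1, CR2, SR2, CSID, SSID)
    rekeyed = openvpn_data_keys(PRE_MASTER, CR1, SR1, CR2, b"\x44" * 32, CSID, SSID)
    return keys, rekeyed
```

Running `demo()` shows that changing any one contribution (here the second server random) yields entirely different data-channel keys, which is why a static data-channel key cannot appear as long as TLS is in use.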


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
