Changes between Initial Version and Version 1 of Ticket #410, comment 2


Timestamp: 05/29/14 18:11:44 (10 years ago)
Author: Steffan Karger
Comment:
  • Ticket #410, comment 2

    initial  v1

    1        Ah, yes. The {{--dh}} option is for 'normal' DH only, it has nothing to do with ECDH. As cron2 said, this is kept required on purpose, because many users just copy a config file from somewhere and expect everything to be secure. Henceforth, it should be hard to misconfigure OpenVPN.
             1  Ah, yes. The {{{--dh}}} option is for 'normal' DH only, it has nothing to do with ECDH. As cron2 said, this is kept required on purpose, because many users just copy a config file from somewhere and expect everything to be secure. Henceforth, it should be hard to misconfigure OpenVPN. So, at least for now, you'll have to feed in a valid dh-file.
    2        2
    3        3  To enforce ECDH currently, you could use for example {{{--tls-cipher 'DEFAULT:!EXP:!SRP:!PSK:!kRSA:!DH'}}} or even enforce the few cipher suites you do trust, like {{{--tls-cipher 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384'}}} (or whatever your client-server combinations support). Do note that not all ciphers from {{{--show-tls}}} can actually be used, OpenSSL is unfortunately not very cooperative in compiling a reliable cipher list.
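An added example, not part of the ticket comment above and not OpenVPN's own code, for the two practical points the comment makes: that a {{{--tls-cipher}}} list can be restricted to ECDHE suites, and that not every name printed by {{{--show-tls}}} is one the linked OpenSSL will actually provide. The script checks a candidate list for non-ECDHE suites, translates the OpenVPN-style {{{TLS-...-WITH-...}}} names into the names {{{openssl ciphers}}} understands, and asks the local OpenSSL which of them resolve. The translation is a simplified rule that covers the AES and Camellia suites; OpenVPN itself uses a fixed lookup table, and the odd suites (3DES, RC4, NULL) do not follow the rule. The function names and the cipher list in {{{TRUSTED}}} are assumptions of this example.

```shell
#!/bin/sh
# Example only (not OpenVPN code): sanity-check a --tls-cipher value.

# ovpn_to_openssl: translate one OpenVPN-style suite name, as printed by
# `openvpn --show-tls`, to the name `openssl ciphers` understands.
# Simplified rule (assumption of this example): covers AES/Camellia suites.
# OpenVPN's real translation table also handles 3DES, RC4, NULL, SEED, etc.
ovpn_to_openssl() {
    printf '%s\n' "$1" | sed \
        -e 's/^TLS-//' \
        -e 's/^RSA-WITH-//' \
        -e 's/-WITH-/-/' \
        -e 's/AES-\([0-9]*\)/AES\1/' \
        -e 's/CAMELLIA-\([0-9]*\)/CAMELLIA\1/' \
        -e 's/-CBC//'
}

# openssl_cipher_list: translate a whole colon-separated --tls-cipher value.
openssl_cipher_list() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r name; do
        [ -n "$name" ] && ovpn_to_openssl "$name"
    done | tr '\n' ':' | sed 's/:$//'
}

# ecdhe_only: succeed only if every suite in the colon-separated OpenVPN-style
# list uses ephemeral ECDH key exchange; prints the first offender and fails.
ecdhe_only() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            TLS-ECDHE-*) ;;
            *) printf 'not ECDHE: %s\n' "$name"; exit 1 ;;
        esac
    done
}

# The two suites named in the comment above (constructed sample input).
TRUSTED='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384'

if ecdhe_only "$TRUSTED"; then
    echo "tls-cipher $TRUSTED"
    echo "  (every suite in the list uses ECDHE key exchange)"
fi

# Ask the local OpenSSL which of the translated names it can provide. OpenVPN
# links against the same library, so a suite missing here cannot be negotiated
# even though --show-tls may list it.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$(openssl_cipher_list "$TRUSTED")" \
        || echo "none of the listed suites resolve in this OpenSSL build"
fi
```

Run it on a server that is about to get the {{{--tls-cipher}}} line; a suite that {{{openssl ciphers -v}}} drops from the output is one the server will never offer, whatever {{{--show-tls}}} says.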