Changes between Initial Version and Version 1 of Ticket #410, comment 2
Timestamp: 05/29/14 18:11:44
Ticket #410, comment 2
Initial version (line 1):

Ah, yes. The {{ --dh}} option is for 'normal' DH only, it has nothing to do with ECDH. As cron2 said, this is kept required on purpose, because many users just copy a config file from somewhere and expect everything to be secure. Henceforth, it should be hard to misconfigure OpenVPN.

Version 1 (line 1):

Ah, yes. The {{{--dh}}} option is for 'normal' DH only, it has nothing to do with ECDH. As cron2 said, this is kept required on purpose, because many users just copy a config file from somewhere and expect everything to be secure. Henceforth, it should be hard to misconfigure OpenVPN. So, at least for now, you'll have to feed in a valid dh-file.

Unchanged in both versions (line 3):

To enforce ECDH currently, you could use for example {{{--tls-cipher 'DEFAULT:!EXP:!SRP:!PSK:!kRSA:!DH'}}} or even enforce the few cipher suites you do trust, like {{{--tls-cipher 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384'}}} (or whatever your client-server combinations support). Do note that not all ciphers from {{{--show-tls}}} can actually be used, OpenSSL is unfortunately not very cooperative in compiling a reliable cipher list.
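The two points the comment makes, that a dh file must still be supplied and that ECDH is enforced only by restricting tls-cipher, put together in one server configuration. This is an added example, not text from the ticket or from the OpenVPN project; the file names (dh2048.pem, ca.crt, server.crt, server.key) and the port/protocol lines are assumptions, and the suite names are the ones the comment itself lists.

```conf
# server.conf (constructed example, not from the ticket)
port 1194
proto udp
dev tun

# Assumed ECDSA server key pair: the ECDHE-ECDSA suites selected below can
# only be negotiated when the server certificate carries an ECDSA key.
ca ca.crt
cert server.crt
key server.key

# Still mandatory, as the comment explains, even though none of the suites
# below ever use finite-field DH. Generate once with:
#   openssl dhparam -out dh2048.pem 2048
dh dh2048.pem

# Restrict the TLS control channel to the suites this deployment trusts.
# Without a tls-cipher line the OpenSSL DEFAULT list applies, which still
# contains kRSA and finite-field DH key exchange.
# Blacklist form from the comment, for reference:
#   tls-cipher DEFAULT:!EXP:!SRP:!PSK:!kRSA:!DH
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
```

The client side needs no dh line, but its tls-cipher list must overlap with the server's or the TLS handshake fails; check the names on both ends against `openvpn --show-tls` and, as the comment warns, confirm with a real connection rather than trusting that every name that command prints is negotiable.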