Changes between Version 6 and Version 7 of Hardening


Timestamp:
04/17/14 14:02:14 (10 years ago)
Author:
JoshC
Comment:

fix TLS version references. TLSv1.2 works starting with 2.3.3

  • Hardening

    v6 v7  
    22
    33= Hardening OpenVPN =
    4 
    5 This is a work in progress.
    64
    75A number of things can be done to harden OpenVPN's security. This is a non-exclusive list of ways to harden OpenVPN on a number of levels.
     
    4543== Use of --tls-cipher ==
    4644
    47 By default, OpenVPN accepts a wide range of possible TLS cipher-suites; hardened systems should limit this to an acceptable list (which can be just 1) cipher as shown with `openvpn --show-tls`. '''As of OpenVPN 2.3.3, only TLSv1.0 RSA ciphers are usable'''. You should use a DHE cipher-suite as well for forward-secrecy.
     45By default, OpenVPN accepts a wide range of possible TLS cipher-suites; hardened systems should limit this to an acceptable list (which can be just 1) cipher as shown with `openvpn --show-tls`. '''Up to OpenVPN 2.3.2, only TLSv1.0 RSA ciphers are usable'''. You should use a DHE cipher-suite as well for forward-secrecy.
    4846
    49 A git-master (slated to be included in >=2.3.4) enables support for TLSv1.2 cipher-suites, but note that requiring only TLSv1.2 cipher-suites is not backwards-compat with <=2.3.3 clients; your server/client may accept both a TLSv1.0 and TLSv1.2 option though.
     47OpenVPN 2.3.3 enables support for TLSv1.2 cipher-suites, but note that requiring only TLSv1.2 cipher-suites is not backwards-compat with <=2.3.3 clients; your server/client may accept both a TLSv1.0 and TLSv1.2 option though, allowing older (pre-2.3.3) clients to connect as well.
    5048
    5149It's wise to use as small of a list as possible for your `--tls-cipher` option. Exceptions could include if you wish to provide the client their choice of several acceptable options.
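Review bot: Line 47 contradicts itself on the version boundary: it says OpenVPN 2.3.3 enables TLSv1.2 cipher-suites, then says requiring them is "not backwards-compat with <=2.3.3 clients", which would exclude 2.3.3 itself, while the closing parenthetical correctly says "pre-2.3.3" clients. Change "<=2.3.3 clients" to "<=2.3.2 clients" (or "clients older than 2.3.3") so it agrees with line 45 ("Up to OpenVPN 2.3.2") and with the commit message. A smaller wording point on line 45: "limit this to an acceptable list (which can be just 1) cipher" reads awkwardly; "limit this to an acceptable list of ciphers (which can be a single cipher)" says the same thing clearly.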
     
    6361  * ^Avoid all EXPORT cipher suites: EXPORT is specified to be weak many years ago^
    6462
    65 The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer (git-master today, and targeted for a future >=2.3.4 version.):
     63The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
    6664
    6765* TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
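Review bot: Line 63's "running at least OpenVPN 2.3.3" matches the commit message ("TLSv1.2 works starting with 2.3.3") and is the right place to remind readers that a `--tls-cipher` list containing only these TLSv1.2 suites will reject pre-2.3.3 peers unless a TLSv1.0 suite is also listed, since line 49 advises the smallest possible list; one clause to that effect would avoid a surprising lock-out on mixed-version deployments. Unrelated grammar point on unchanged line 61: "EXPORT is specified to be weak many years ago" should read "EXPORT suites were specified to be weak many years ago".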