Discussion:
[Openvpn-users] OpenVPN Hardening
Joaquin Henriquez
2017-03-22 14:23:29 UTC
Hi
Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently.

https://community.openvpn.net/openvpn/wiki/Hardening

Is this statement still true?

Because I am trying:
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Thanks
Joaquin
Joaquin Henriquez
2017-03-22 15:14:18 UTC
Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support,

So that answers my question.

-----Original Message-----
From: Joaquin Henriquez
Sent: 22 March 2017 14:23
To: 'openvpn-***@lists.sourceforge.net'
Subject: OpenVPN Hardening

Hi
Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently.

https://community.openvpn.net/openvpn/wiki/Hardening

Is this statement still true?

Because I am trying:
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Thanks
Joaquin
Steffan Karger
2017-03-26 18:01:16 UTC
Post by Joaquin Henriquez
> Post by Joaquin Henriquez
>> Today, OpenVPN does not support TLS-ECDHE-* or more exotic cipher-suites as there is no elliptic curve support currently.
>> https://community.openvpn.net/openvpn/wiki/Hardening
>> Is this statement still true?
>> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support,
> So that answers my question.

Indeed. If both ends are 2.4+, ECDH and ECDSA should just work.

The hardening page is somewhat outdated. I updated the section on
--tls-cipher a bit, but the whole page could use some more love...

-Steffan
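
The condition stated in the reply above (both ends on 2.4+), as an added example that is not part of the original thread: a check that takes the text of `openvpn --version` and `openvpn --show-tls` captured from one peer and reports whether a `tls-cipher` value is usable there. The function names, the sample banners and the sample suite list are constructed for illustration, and the script assumes `--show-tls` prints one suite name at the start of each line.

```sh
#!/bin/sh
# Added example. Inputs are captured text, so the check runs offline:
#   banner   = output of `openvpn --version`
#   show_tls = output of `openvpn --show-tls`

# Succeeds if the banner's first line reports OpenVPN 2.4 or newer.
version_at_least_2_4() {
    ver=$(printf '%s\n' "$1" |
        sed -n '1s/^OpenVPN \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2            # banner not recognised
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 4 ]; }
}

# Prints every suite in a colon-separated tls-cipher value ($1) that is
# not listed in the --show-tls text ($2).
unsupported_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        printf '%s\n' "$2" |
            awk -v s="$suite" '$1 == s { ok = 1 } END { exit !ok }' ||
            printf '%s\n' "$suite"
    done
}

# check_peer BANNER SHOW_TLS TLS_CIPHER: prints "ok" or the reason it fails.
# EC suites are gated on 2.4+, the condition given in the thread.
check_peer() {
    case "$3" in
        *ECDHE*|*ECDSA*)
            version_at_least_2_4 "$1" || { echo "needs-2.4"; return 1; } ;;
    esac
    missing=$(unsupported_suites "$3" "$2")
    [ -z "$missing" ] || { echo "unsupported: $missing"; return 1; }
    echo "ok"
}

# Constructed sample input (not captured from a real host).
SAMPLE_BANNER='OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]'
SAMPLE_OLD_BANNER='OpenVPN 2.3.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO]'
SAMPLE_SHOW_TLS='Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'

check_peer "$SAMPLE_BANNER" "$SAMPLE_SHOW_TLS" \
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
```

Run it once per peer with that peer's captured output; the suite is only negotiable when both report "ok".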