From: ummeegge
To: development@lists.ipfire.org
Subject: Re: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW
Date: Mon, 26 Feb 2018 07:48:12 +0100
Message-ID: <1519627692.20950.11.camel@ipfire.org>
In-Reply-To: <1519578370.24148.1.camel@ipfire.org>

Hi Michael,

On Sunday, 25.02.2018, at 17:06 +0000, Michael Tremer via Development wrote:
> Hi,
>
> I suppose this looks alright.

OK

>
> Does OpenVPN 2.4 support ChaCha20-Poly1305, too?

Yes, but I think only via the '--tls-cipher' directive, which IPFire
currently does not support via WUI. Made a quick try over the
server.conf.local and the additional configuration.

server.conf.local entries:

    tls-version-min 1.2
    tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

whereby the server log points out the following:

    Feb 26 07:19:47 ipfire-prime openvpnserver[10190]:   cipher_list = 'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'

But in general we step into a new crypto era with OpenVPN since ECC is now
fully integrated in OpenVPN.
Under the hood we will now also discover ECDHE for the control channel
without changing anything, so the EC crypto is now partly available with
Core 120. But pure elliptic curve crypto is also possible, e.g.
https://forums.openvpn.net/viewtopic.php?t=23227
but this would be a huge amount of changes in ovpnmain.cgi, but maybe it is
worth it. Let's see...

>
> -Michael

Greetings,

Erik
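
The check described in the message above (set `tls-version-min` and `tls-cipher` in server.conf.local, then confirm the `cipher_list` line in the server log), as an added example that is not part of the original e-mail or of IPFire's code. The function names, the "ECDHE plus AEAD" policy and the weak sample config are assumptions made for illustration; the good config and the log line are the ones quoted in the message.

```python
import re

# Assumed policy: accept only ECDHE suites with an AEAD cipher, judged by name.
AEAD = re.compile(r"GCM|CHACHA20-POLY1305")
LOG_RE = re.compile(r"cipher_list\s*=\s*'([^']*)'")

def parse_directives(conf_text):
    """Return {directive: [args]} from OpenVPN-style config text; last entry wins."""
    out = {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            out[name.lstrip("-")] = args
    return out

def audit(conf_text, log_text):
    """List problems with the control-channel TLS settings and their log evidence."""
    d = parse_directives(conf_text)
    findings = []
    vmin = (d.get("tls-version-min") or [None])[0]
    if vmin is None:
        findings.append("tls-version-min not set")
    elif not re.fullmatch(r"\d+\.\d+", vmin) or tuple(map(int, vmin.split("."))) < (1, 2):
        findings.append(f"tls-version-min {vmin} is below 1.2")
    suites = [s for s in (d.get("tls-cipher") or [""])[0].split(":") if s]
    if not suites:
        findings.append("tls-cipher not set; library defaults apply")
    for s in suites:
        if not s.startswith("TLS-ECDHE-") or not AEAD.search(s):
            findings.append(f"{s}: not ECDHE with an AEAD cipher")
    logged = LOG_RE.findall(log_text)
    if not logged:
        findings.append("no cipher_list line in log")
    elif logged[-1].split(":") != suites:  # the override must match what the server loaded
        findings.append("logged cipher_list differs from tls-cipher")
    return findings

# Config and log line as quoted in the message.
CONF = """tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
"""
LOG = ("Feb 26 07:19:47 ipfire-prime openvpnserver[10190]:   "
       "cipher_list = 'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'")
# Constructed weak config for comparison (not from the message).
WEAK_CONF = """tls-version-min 1.0   # constructed
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""

if __name__ == "__main__":
    print(audit(CONF, LOG))
    print(audit(WEAK_CONF, LOG))
```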