From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3] OpenVPN: New AES-GCM cipher for N2N and RW
Date: Mon, 26 Feb 2018 10:24:50 +0000 [thread overview]
Message-ID: <1519640690.5664.31.camel@ipfire.org> (raw)
In-Reply-To: <1519627692.20950.11.camel@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2241 bytes --]
Hi,
some ECC in OpenVPN would be really nice. We have that in IPsec for quite a
while now and it makes the tunnels come up a lot faster and we can assume that
it is more secure, too.
ChaCha20-Poly1305 is quite interesting, too. It is an AEAD just like AES-*-GCM.
It is supposed to be really fast on mobile devices and an alternative to AES. We
only have one other alternative to AES which is Camellia. But that one does not
seem to receive a lot of love these days.
In contrast to Camellia, AES is usually hardware-accelerated whereas ChaCha20
can be implemented very efficiently in software that it does not consume too
much CPU time at all. Perfect for mobile to save battery life.
Probably there is not very good support for ChaCha20-Poly1305 out there. So AES
will be the default, but we would have a very good alternative for anyone who
know what they are doing.
Best,
-Michael
On Mon, 2018-02-26 at 07:48 +0100, ummeegge wrote:
> Hi Michael,
>
> Am Sonntag, den 25.02.2018, 17:06 +0000 schrieb Michael Tremer via
> Development:
> > Hi,
> >
> > I suppose this looks alright.
>
> OK
>
> >
> > Does OpenVPN 2.4 support ChaCha20-Poly1305, too?
>
> Yes, but i think only via the '--tls-cipher' directive which IPFire
> currently do not supports via WUI. Made a quick try over the
> server.conf.local and the additional configuration.
>
> server.conf.local entries:
>
> tls-version-min 1.2
> tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
>
> whereby the server logs points the following out:
>
> Feb 26 07:19:47 ipfire-prime openvpnserver[10190]: cipher_list = 'TLS-ECDHE-
> RSA-WITH-CHACHA20-POLY1305-SHA256'
>
> But in general we step into a new crypto era with OpenVPN since ECC is now
> fully integrated in OpenVPN.
>
> Under the hood we will discover now also ECDHE for the control channel without
> changing anything so the EC crypto is now partly available
> with Core 120.
>
> But pure elliptic curve crypto is also possible e.g.
> https://forums.openvpn.net/viewtopic.php?t=23227
> but this would be a huge amount of changes in ovpnmain.cgi but may it is worth
> it. Let´s see...
>
> >
> > -Michael
>
> Greetings,
>
> Erik
>
next prev parent reply other threads:[~2018-02-26 10:24 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 12:45 [PATCH] OpenVPN: Introduce new " Erik Kapfer
2018-02-14 14:28 ` ummeegge
2018-02-14 14:40 ` [PATCH v2] " Erik Kapfer
2018-02-14 19:11 ` ummeegge
2018-02-14 20:23 ` Michael Tremer
2018-02-15 6:09 ` ummeegge
2018-02-15 10:59 ` Michael Tremer
2018-02-15 13:30 ` ummeegge
2018-02-14 20:20 ` Michael Tremer
2018-02-15 5:02 ` ummeegge
2018-02-15 10:42 ` Michael Tremer
2018-02-15 13:35 ` ummeegge
2018-02-25 13:49 ` [PATCH v3] OpenVPN: New " Erik Kapfer
2018-02-25 17:06 ` Michael Tremer
2018-02-26 6:48 ` ummeegge
2018-02-26 10:24 ` Michael Tremer [this message]
2018-02-27 6:23 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1519640690.5664.31.camel@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox