Hi Michael,
On Sunday, 25.02.2018, 17:06 +0000, Michael Tremer via Development wrote:
> Hi,
> I suppose this looks alright.
OK
> Does OpenVPN 2.4 support ChaCha20-Poly1305, too?
Yes, but I think only via the '--tls-cipher' directive, which IPFire currently does not support via the WUI. Made a quick try via server.conf.local and the additional configuration.
server.conf.local entries:
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
whereby the server log points out the following:
Feb 26 07:19:47 ipfire-prime openvpnserver[10190]: cipher_list = 'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'
But in general we are stepping into a new crypto era with OpenVPN, since ECC is now fully integrated in OpenVPN.
Under the hood we will now also discover ECDHE for the control channel without changing anything, so EC crypto is now partly available with Core 120.
But pure elliptic curve crypto is also possible, e.g. https://forums.openvpn.net/viewtopic.php?t=23227, but this would be a huge amount of changes in ovpnmain.cgi, but maybe it is worth it. Let's see...
> -Michael
Greetings,
Erik
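As an added example, not part of the mailing-list post or of IPFire, here is a small POSIX shell check for the two server.conf.local directives discussed above: it fails if tls-version-min is missing or below 1.2, or if any tls-cipher entry is outside an allowlist. The allowlist, the sample config and the file path are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not IPFire code). Checks an OpenVPN server config for the
# control-channel settings discussed in the thread. Assumes one directive per
# line, as OpenVPN expects; the allowlist is an example choice of ECDHE/AEAD
# TLS 1.2 suites in OpenVPN's IANA-style naming.

ALLOWED="TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"

# write_sample_conf FILE: constructed sample with the directives from the post
write_sample_conf() {
  cat > "$1" <<'EOF'
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
EOF
}

# check_conf FILE: exit 0 when tls-version-min >= 1.2 and every tls-cipher
# entry is allowlisted; otherwise print the first problem and exit 1.
check_conf() {
  conf="$1"
  minver=$(awk '$1=="tls-version-min"{print $2}' "$conf" | tail -n1)
  case "$minver" in
    1.2|1.3) ;;
    "") echo "tls-version-min not set: OpenVPN's default minimum applies"; return 1 ;;
    *)  echo "tls-version-min $minver is below 1.2"; return 1 ;;
  esac
  ciphers=$(awk '$1=="tls-cipher"{print $2}' "$conf" | tail -n1)
  if [ -z "$ciphers" ]; then
    echo "tls-cipher not set: OpenVPN's default suite list applies"; return 1
  fi
  # tls-cipher takes a colon-separated list of suites
  for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
    ok=0
    for a in $ALLOWED; do
      if [ "$c" = "$a" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
      echo "tls-cipher entry not in allowlist: $c"; return 1
    fi
  done
  echo "ok: tls-version-min $minver, tls-cipher $ciphers"
  return 0
}

# Usage (path is a placeholder): check_conf ./server.conf.local
```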