From: David S. <op...@sf...> - 2017-03-31 20:15:21
On 31/03/17 17:53, saa...@ke... wrote:
> I've been testing the new tls-crypt option and noticed a difference when
> connecting to the server.
>
> With tls-auth enabled, if the defined algorithm for "auth" differs in
> client and server, the client can't successfully connect.
> "Initialization Sequence Completed" is never printed.
>
> Now, with tls-crypt, if the defined algorithm for "auth" differs in
> client and server, the client connects just fine, "Initialization
> Sequence Completed" is printed but the server prints
> "Authenticate/Decrypt packet error: packet HMAC authentication failed".
>
> The client also prints this message, if it receives data from the server.
>
> The error itself is clear and expected, but why does the connection
> "succeed" with tls-crypt, whereas it doesn't complete with tls-auth?

Steffan Karger is the authority here. But if I recall correctly, --tls-crypt does not depend on --auth at all. It uses AES256-CTR for the encryption with HMAC-SHA256 for the authentication. This cannot be changed.

For a way more detailed explanation, see the commit message introducing --tls-crypt:
<https://github.com/OpenVPN/openvpn/commit/c6e24fa3e16c32f9b427e360fd07102f613aa5c6>

--
kind regards,

David Sommerseth