From: Magnus K. <mk...@gm...> - 2018-08-07 10:40:22
Sorry, did not reply to list as well.

2018-08-07 12:34 GMT+02:00 Magnus Kroken <mk...@gm...>:
> Hi Eike
>
> 2018-08-07 11:22 GMT+02:00 Eike Lohmann <e.l...@ic...>:
>> tls-cipher "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"
>>
>> but if I try to use the 2nd, 3rd and 4th I always get, only the first is working:
>> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
>>
>> TLS error: The server has no TLS ciphersuites in common with the client. Your
>> --tls-cipher setting might be too restrictive.
>>
>>
>> 3 of 4 are not in the --show-tls list:
>
> Actually, only the first is in your --show-tls list. The second cipher
> in your list is a TLS-DHE-DSS-* cipher, none of those are listed in
> your --show-tls.
>
> --show-tls lists all the TLS ciphers that your current TLS library
> supports. If a cipher is not listed, OpenVPN cannot use it. In
> addition, the cipher suites you can use depend on the type of server
> private key you have - RSA, ECDSA or DSA (a.k.a. DSS, not sure which
> is more accurate). If you have an RSA key (most widespread OpenVPN
> guides will lead you to create RSA keys), the 2nd and 4th cipher
> suites in your list will not be available, because they require a DSA
> key (but as already said, your TLS library also needs to support it).
> I'm not sure if DSA will work, I've never seen it used or suggested
> with OpenVPN, so I'd work towards using RSA-based cipher suites (if
> old hardware is the issue, ECDSA is probably out of the question).
>
>> What are my options right now, if I try to support old hardware routers?
>
> Recompiling your TLS library while enabling support for the required
> cipher suite parts is probably the easiest path. Also check that your
> key type matches your cipher suite.
>
> Regards
> /Magnus
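As an added example (not part of Magnus's reply and not OpenVPN's own code), the two checks he describes can be scripted before touching the config: take the `--tls-cipher` list, compare each suite against the text of `openvpn --show-tls`, and check that the authentication algorithm named in the suite (the RSA, DSS or ECDSA part) matches the server key type. The `--show-tls` text embedded below is a constructed excerpt, the list is the one from Eike's mail, and deriving the required key type from the suite name is an assumption of the example; on a real host you would pass `"$(openvpn --show-tls)"` as the second argument.

```shell
#!/bin/sh
# Constructed excerpt standing in for `openvpn --show-tls` output (not captured from any host).
SAMPLE_SHOW_TLS='Available TLS Ciphers, listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Be aware that whether a cipher suite in this list can actually work
depends on the specific setup of both peers.'

# The --tls-cipher value from the mail above.
EIKE_LIST='TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA'

# suite_key_type SUITE: server key type the suite's authentication part needs.
# Assumption of this example: the key type is read from the IANA-style suite name.
suite_key_type() {
  case "$1" in
    TLS-*-DSS-*)    echo DSA ;;
    TLS-*-ECDSA-*)  echo ECDSA ;;
    TLS-*-RSA-*|TLS-RSA-*) echo RSA ;;
    *)              echo unknown ;;
  esac
}

# check_tls_cipher_list LIST SHOW_TLS_OUTPUT SERVER_KEY_TYPE
# Prints one line per suite in LIST: "usable" or "unusable:" with every reason found,
# so a suite that is both absent from --show-tls and tied to the wrong key type shows both.
check_tls_cipher_list() {
  list=$1; show_tls=$2; keytype=$3
  printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r suite; do
    [ -n "$suite" ] || continue
    reasons=""
    # Exact, fixed-string, whole-line match against the --show-tls output.
    if ! printf '%s\n' "$show_tls" | grep -qxF -- "$suite"; then
      reasons="not in --show-tls"
    fi
    needs=$(suite_key_type "$suite")
    if [ "$needs" != "$keytype" ]; then
      reasons="${reasons:+$reasons; }needs $needs key (server key is $keytype)"
    fi
    if [ -z "$reasons" ]; then
      echo "$suite: usable"
    else
      echo "$suite: unusable: $reasons"
    fi
  done
}

# Demo run with the constructed data; replace the second argument with "$(openvpn --show-tls)"
# and the third with your actual server key type on a real host.
check_tls_cipher_list "$EIKE_LIST" "$SAMPLE_SHOW_TLS" RSA
```

With Eike's list and an RSA server key this reports only the first suite as usable, and for the two DSS suites it reports both problems Magnus names: the library does not list them, and they would need a DSA key even if it did.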