On 8/4/2013 2:47 PM, James Yonan wrote:
> However, to make cipher/auth negotiation really work, there are a few
> more things that are needed. For one, the client would need to push a
> list of supported cipher/auth methods, so the server can choose a
> mutually supported combination. Another possibility is to have OpenVPN
> leverage on the preexisting TLS ciphersuite negotiation, so as to use
> the same cipher/auth settings as TLS.
>
> Some of this was discussed recently in the TLS versioning thread on
> openvpn-devel:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=1CED409804E2164C8104F9E623B08B901455DE1C69%40FOXDFT02.FOX.local&forum_name=openvpn-devel

Speaking of which, some interesting discussions in

http://www.slideshare.net/astamos/bh-slides

WRT to the current state of crypto technologies and the ability to change
cryptography in the field when design weaknesses are discovered. ECC
support and OpenVPN is mentioned as being broken?

        ---Mike

>
> James
>
> * The 3.0 branch is currently used by the OpenVPN Connect clients for
> Android and iOS. Source core for the core is available from
> http://staging.openvpn.net/openvpn3/
>
> On 01/08/2013 09:07, Jan Just Keijser wrote:
>> Hi Gert,
>>
>> Gert Doering wrote:
>>> Hi,
>>>
>>> On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote:
>>>
>>>> It should be possible to add negotiation without completely breaking
>>>> backwards compatibility; right now, when a server pushes an option to
>>>> the client that is unrecognized the client will print a warning but it
>>>> will not abort. This could be used to push a 'negotiation request' - if
>>>> the client responds then a negotiation phase can start, during which the
>>>> encryption key, hashing cipher, MTU settings etc can be negotiated. If
>>>> the client does not respond the server would need to assume that it's a
>>>> 2.3 or older client.
>>>>
>>>
>>> Maybe I'm a bit naive, but since the data layer cipher is independent of
>>> the TLS cipher anyway, can't we just "push cipher xxx"?
>>>
>>> Or is push/pull crypted with the data layer cipher?
>>>
>>>
>> good question and one that I've asked myself as well - there seems to
>> be something funny going on with the data layer cipher (or auth parm).
>> I remember that I tried making the cipher and auth settings pushable and
>> failed miserably. The flow of when and how the data cipher (and digest)
>> are set up seems to be complicated and may happen (partially) *before*
>> the options are pushed.
>> Perhaps someone else (JamesY?) can comment on this.
>>
>> cheers,
>>
>> JJK
>>
>> _______________________________________________
>> Openvpn-devel mailing list
>> Openvpn-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
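
Added example (not part of the original thread and not OpenVPN code): a sketch of the server-side choice discussed above, where the client advertises its cipher list, the server picks a mutually supported entry, and a client that never answers is treated as 2.3 or older. The function names, the colon-separated list format and the sample cipher values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if name is a whole token in the colon-separated list (assumed format). */
static int list_has(const char *list, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = list; *p != '\0'; ) {
        size_t len = strcspn(p, ":");
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        p += len;
        if (*p == ':')
            p++;
    }
    return 0;
}

/*
 * Hypothetical server-side choice. prefs is the server's list, strongest
 * first. client_list is what the client advertised, or NULL if it never
 * answered the negotiation request (treated as a 2.3-or-older peer).
 * Returns the cipher to use, or NULL when the connection must be refused.
 */
const char *choose_cipher(const char *const prefs[], size_t n_prefs,
                          const char *client_list, const char *legacy)
{
    if (client_list == NULL)
        return legacy;              /* old client: keep the configured cipher */
    for (size_t i = 0; i < n_prefs; i++)
        if (list_has(client_list, prefs[i]))
            return prefs[i];        /* first mutual entry, in server order */
    return NULL;                    /* no overlap: fail closed, no fallback */
}

int main(void)
{
    const char *const prefs[] = { "AES-256-CBC", "AES-128-CBC" }; /* constructed */
    const char *offers[] = { "BF-CBC:AES-128-CBC:AES-256-CBC", NULL, "BF-CBC" };
    for (size_t i = 0; i < 3; i++) {
        const char *c = choose_cipher(prefs, 2, offers[i], "BF-CBC");
        printf("%s -> %s\n", offers[i] ? offers[i] : "(no reply)", c ? c : "REFUSE");
    }
    return 0;
}
```

Because the loop walks the server's list, the order in which the client lists its ciphers cannot steer the result, and a client that answers without any overlap is refused instead of being dropped to the legacy cipher.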