On Sun, Sep 18, 2016 at 8:25 AM, Steffan Karger <stef...@karger.me> wrote:

> Hi,
> On 27 July 2016 at 16:42, Steffan Karger <steffan.kar...@fox-it.com>
> wrote:
> > Our customers, as well as community users, have asked for encryption of
> > control channel packets to hide their certificate (containing perhaps
> > the users' name or organisation), or to provide some basic form of
> > post-quantum security (see e.g. trac #633).
> >
> > We've been thinking about this for a while, and would like to implement
> > such a feature.  I've attached a proposal for an extension of tls-auth
> > to achieve this in OpenVPN.  Comments and/or questions are very welcome.
> >  I hope to be able to start implementing this soon.
> I just pushed an experimental branch with --tls-crypt support:
> https://github.com/syzzer/openvpn/tree/tls-crypt-preview
> Any comments and test results are very much welcome.

Not qualified to comment on the implementation details, but the feature
looks very useful to have. Arguably it's too early to plan for a
post-quantum world, but encrypting control channel packets is nice.
Does this mean that --tls-crypt will imply --tls-auth with the same
key-file (or make the latter redundant)? The man-page description in the
patch appears to imply so, but not very clear.

Openvpn-devel mailing list