On 18/01/17 19:17, David Sommerseth wrote:
> On 18/01/17 18:19, debbie10t wrote:
>> Hi,
>>
>> I have the following config:
>>
>> ** Server Win10 (as per default generally) v2.4.0 with --auth *RSA-SHA512* --ncp-disable
>>
>> Log file shows:
>>
>> Wed Jan 18 17:04:34 2017 us=914797 Outgoing Control Channel Authentication: Using 512 bit message hash '*SHA512*' for HMAC authentication
>> Wed Jan 18 17:04:34 2017 us=914797 Incoming Control Channel Authentication: Using 512 bit message hash '*SHA512*' for HMAC authentication
>>
>> ** Client Linux (as per default generally) v2.4.0 with --auth *RSA-SHA512*
>>
>> Log file shows:
>>
>> Wed Jan 18 17:05:00 2017 us=778089 Outgoing Control Channel Authentication: Using 512 bit message hash '*SHA512*' for HMAC authentication
>> Wed Jan 18 17:05:00 2017 us=778182 Incoming Control Channel Authentication: Using 512 bit message hash '*SHA512*' for HMAC authentication
>>
>> The connection works but ..
>>
>> Because there is another digest called SHA512, why does the log *not* reflect the config correctly? eg: hash '*RSA-SHA512*'
>>
>> (This had me very confused for some time today)
>
> I am on thin ice here, as I've not dug much into the naming schemes of the various algorithms.
>
> But ... I am fairly confident the hashing reference in the log refers purely to the hashing algorithm, which most commonly is MD* or SHA* variants (there are a few exceptions).
>
> And as I understand the code, the RSA-* stuff is just ignored, as that is not used by HMAC functions in our code. So using --auth SHA512 would provide the same result.
Hi David, thanks for your reply.

On your explanation I tested with mixing things up.

Server --auth SHA512** --ncp-disable
Client --auth RSA-SHA512**

(** Also the other way around)

and I was able to connect any way around !! and ping etc ..

I was badly distracted earlier on, so I may have not done restarts properly or, more likely, used SHA256 not 512 on one or other end ..

FTR --ncp-disable helped me focus a *lot*, recommended step for diagnosing problems.

This question was related to trying to test mattock's aslr/dep version (which I can now test more thoroughly) and also to this forum post:
https://forums.openvpn.net/viewtopic.php?f=4&t=23241

As you can see, it looks like I may have been wrong on that too :(
(We all make mistakes)

If you would like to improve my answer please do. If not, I will update tomorrow.

Also, I received this from pippin (Thank you pippin):

<q> Found it: http://security.stackexchange.com/questions/91908/using-rsa-sha-as-instead-hmac-in-openvpn </q>

Shared: it also has a detailed explanation.

Highest Regards
R

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
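The mixed-config test above (server --auth RSA-SHA512, client --auth SHA512) and David's point that the RSA- prefix names a signature scheme rather than a different hash, as an added Python example that is not part of this thread or of OpenVPN's code. It assumes a small alias table standing in for OpenSSL's digest-name lookup, a constructed key and packet, and the hypothetical helper names `resolve_auth_digest`, `control_channel_hmac` and `peers_interoperate`; it also shows the mismatch case (SHA256 on one end) that the reply suspects caused the earlier failure.

```python
import hashlib
import hmac

# "RSA-<digest>" spellings are OpenSSL's signature-scheme aliases for the plain
# digest. This table is a constructed stand-in for OpenSSL's own name lookup
# (assumption for illustration, not OpenVPN's or OpenSSL's code).
_ALIASES = {f"RSA-{d}": d for d in ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")}


def resolve_auth_digest(auth: str) -> str:
    """Map an --auth value to the canonical digest name the log line shows."""
    name = _ALIASES.get(auth.upper(), auth.upper())
    if name.lower() not in hashlib.algorithms_available:
        raise ValueError(f"unsupported --auth digest: {auth}")
    return name


def control_channel_hmac(auth: str, key: bytes, packet: bytes) -> bytes:
    """HMAC tag a peer configured with --auth <auth> computes over a packet."""
    digest = resolve_auth_digest(auth)
    return hmac.new(key, packet, digest.lower()).digest()


def peers_interoperate(server_auth: str, client_auth: str,
                       key: bytes, packet: bytes) -> bool:
    """True when the client's tag verifies under the server's --auth setting."""
    server_tag = control_channel_hmac(server_auth, key, packet)
    client_tag = control_channel_hmac(client_auth, key, packet)
    # Constant-time comparison, as a verifier should use on the wire.
    return hmac.compare_digest(server_tag, client_tag)


if __name__ == "__main__":
    key = b"\x11" * 64                                    # constructed sample key
    packet = b"P_CONTROL_HARD_RESET_CLIENT_V2 (constructed sample)"
    print(resolve_auth_digest("RSA-SHA512"))              # SHA512
    print(peers_interoperate("RSA-SHA512", "SHA512", key, packet))   # True
    print(peers_interoperate("RSA-SHA512", "SHA256", key, packet))   # False
```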