SK> Hi,
SK> On 18-07-17 17:46, Gregory Sloop wrote:
>> Does anyone know definitively what key encryptions/decryptions the iOS
>> client will properly handle? [And if there's any difference using unified
>> vs non-unified setups.]
SK> The iOS client is not part of the current community development, but
SK> maintained by OpenVPN Technologies. You could try to get in touch with
SK> them.
SK> That said, I see no reason why it could not support AES-encrypted keys.
SK> The 2.x community code base even uses AES-encrypted test keys (PEM, not
SK> PKCS12), and those work with both OpenSSL and mbed TLS crypto backends
SK> (just tested as far back as PolarSSL 1.2, but earlier versions probably
SK> too).
SK> -Steffan
Thanks.
Yeah, these same unified configs with the AES-256 encrypted keys work just fine
on the Windows and OSX versions of OpenVPN/TunnelBlick. Thus I expected them to
work without issue on iOS. [Exact same config installed fine on OSX for the
same client.]
My problem at the moment is I don't have an iOS device where I can easily test,
and this client is more than an hour away from me physically - so "testing"
isn't very easy. [They're a very non-tech savvy client.]
So, I hate to try to "test" on this client - by sending several different
unified configs with different key encryptions, hoping to luck onto the right
combination.
---
Perhaps another line of thought.
The unified config I sent looks like this
---
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
remote-cert-tls server
verb 3
remote 1.2.3.4 1194
<cert>
</cert>
<key>
</key>
<ca>
</ca>
---
Most examples have the order different - ca - cert - key.
Could this have any impact? [Seems totally NUTS if it does - but I'm grasping
at straws a bit....]
[I like them in this order because the ca doesn't change for each
client-machine, but obviously the cert/key do - and having them at the top is
just a bit easier.]
I'll see if I can dig up an iOS device to test with, but if anyone really wants
to kill some time and check it for me - I'd be eternally grateful. :)
-Greg
---
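Added example, not part of the thread: one way to check, without a device, which PEM encryption the inline `<key>` of a unified profile actually uses and in what order the inline blocks appear. The sample profile and its key bytes are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the profile in the message above;
# the PEM bodies are placeholders, not real key material.
SAMPLE_PROFILE = """client
remote 1.2.3.4 1194
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
</key>
<ca>
</ca>
"""

# An inline block is <tag> ... </tag>, each tag on its own line.
INLINE = re.compile(r"^<([\w-]+)>[ \t]*\n(.*?)^</\1>[ \t]*$", re.S | re.M)

def inline_blocks(profile):
    """Return [(tag, body), ...] in the order the blocks appear."""
    return [(m.group(1), m.group(2)) for m in INLINE.finditer(profile)]

def key_encryption(pem):
    """Classify a PEM private key by its armor label and headers."""
    label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem)
    if not label:
        return "no PEM block"
    kind = label.group(1)
    if kind == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8 encrypted (cipher is inside the ASN.1 body)"
    if kind.endswith("PRIVATE KEY"):
        dek = re.search(r"^DEK-Info:\s*([^,\s]+)", pem, re.M)
        if "Proc-Type: 4,ENCRYPTED" in pem and dek:
            return "traditional PEM encrypted with " + dek.group(1)
        return "unencrypted " + kind
    return "not a private key: " + kind

def report(profile):
    """Return (inline block order, description of the <key> block)."""
    blocks = inline_blocks(profile)
    return [t for t, _ in blocks], key_encryption(dict(blocks).get("key", ""))

if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```

The script only reports the key format and block order in a profile; it says nothing about which formats a given client accepts.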