----- Original Message -----
From: "Steffan Karger" <stef...@karger.me>
To: "Debbie Tent" <debbie...@gmail.com>; <openvpn-users@lists.sourceforge.net>
Sent: Friday, March 06, 2015 3:23 PM
Subject: Re: [Openvpn-users] New OpenVPN 2.3.6 Windows installers released - FREAK
> Hi,
>
> On Fri, Mar 6, 2015 at 12:32 PM, <debbie...@gmail.com> wrote:
>> Can somebody please explain this:
>>
>> Adding !EXP to the server side tls-cipher is enough to mitigate attacks. The
>> suggested tls-cipher string is DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA. This
>> disallows export ciphers, weak ciphers (e.g. DES), and RSA key exchange
>> (note: not RSA authentication), but allows any future, stronger cipher suites.
>> Clients who wish to rule out this attack on clients prior to 2.3.6-I002/I603
>> can add !kRSA to their tls-cipher string
>> ref: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-FREAK
>>
>> This is what I get following these instructions:
>>
>> Server Config:
>> tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA
>
> Just use "tls-cipher DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA",
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA is already part of DEFAULT.

Specifying the actual cipher I want to use means that no other cipher can be selected. This is my desired configuration. I have full control of server and clients.

As for determining which designation each cipher currently is assigned (i.e. !LOW (not low), !PSK etc.), I presume I can search the source for a reasonably simple assignment list. Will try later ...

However, for clarification, which item takes precedence? I.e. DES-CFB1 64 bit default key (fixed) ... versus ... !LOW. If a contradiction is introduced, is it reported and how is it resolved?
>
>> Server log:
>> Fri Mar 6 11:24:00 2015 us=862202 OpenVPN 2.3_git [git:master/669f898b8fcaf7a8+] i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 3 2015
>> Fri Mar 6 11:24:01 2015 us=427277 No valid translation found for TLS cipher '!EXP'
>> Fri Mar 6 11:24:01 2015 us=427463 No valid translation found for TLS cipher '!LOW'
>> Fri Mar 6 11:24:01 2015 us=427544 No valid translation found for TLS cipher '!PSK'
>> Fri Mar 6 11:24:01 2015 us=427617 No valid translation found for TLS cipher '!SRP'
>> Fri Mar 6 11:24:01 2015 us=427688 No valid translation found for TLS cipher '!kRSA'
>
> These warnings are harmless (but annoying and confusing). I'll work up
> a patch to get rid of these.

Or report them /more better/

tyvm-regs
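Added example (not from this thread, and not OpenVPN or OpenSSL code): a small Python model of how an OpenSSL cipher-list string such as a --tls-cipher value is resolved, written to show which item wins when two items contradict each other. The rules it models are OpenSSL's documented cipher-list semantics; the suite table, the tags on each suite and the name-translation table are constructed subsets for illustration, not the real tables. The model shows three things relevant to the questions above: a '!' item removes the suites it matches permanently, whether it comes before or after an item that names one of them explicitly; OpenSSL does not report such a contradiction unless the whole list ends up empty, in which case the error is "no cipher match"; and putting a suite name in front of DEFAULT sets preference order but does not exclude the rest of DEFAULT. The translation step mirrors what the "No valid translation found" log lines above correspond to: a token that is not an IANA-style suite name is passed through to OpenSSL unchanged.

```python
"""
Constructed model of OpenSSL cipher-list resolution (not OpenVPN/OpenSSL code).

Rules modelled, as documented for OpenSSL's SSL_CTX_set_cipher_list():
  * items are separated by ':' and processed left to right
  * a bare item appends the suites it matches (unless already present or killed)
  * '!' deletes matching suites permanently; no later item can add them back
  * '-' deletes matching suites, but a later item may add them again
  * '+' moves matching suites that are already in the list to the end
  * an item that matches nothing is silently ignored
  * a list that ends up empty is an error ("no cipher match"); that is the
    only kind of contradiction OpenSSL reports
A keyword may combine tags with '+', e.g. "kRSA+AES" (every part must match).
"""

# Constructed subset of suites: OpenSSL name -> tags the keywords match on.
# Tags follow the OpenSSL 1.0.x era of this thread; this is not a complete table.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"DEFAULT", "HIGH", "kECDHE", "aRSA", "AES", "AESGCM"},
    "DHE-RSA-AES256-SHA":          {"DEFAULT", "HIGH", "kDHE", "aRSA", "AES", "SHA1"},
    "AES256-SHA":                  {"DEFAULT", "HIGH", "kRSA", "aRSA", "AES", "SHA1"},
    "DES-CBC-SHA":                 {"LOW", "kRSA", "aRSA", "DES", "SHA1"},
    "EXP-DES-CBC-SHA":             {"EXP", "EXPORT", "LOW", "kRSA", "aRSA", "DES", "SHA1"},
    "PSK-AES128-CBC-SHA":          {"PSK", "kPSK", "aPSK", "AES", "SHA1"},
    "SRP-RSA-AES-256-CBC-SHA":     {"SRP", "kSRP", "aRSA", "AES", "SHA1"},
}

# Constructed subset of an OpenVPN-style IANA name -> OpenSSL name table.
TLS_NAME_TRANSLATION = {
    "TLS-DHE-RSA-WITH-AES-256-CBC-SHA": "DHE-RSA-AES256-SHA",
    "TLS-RSA-WITH-AES-256-CBC-SHA": "AES256-SHA",
}


def translate_tls_cipher(openvpn_list):
    """Map known IANA-style names to OpenSSL names; pass every other token
    (DEFAULT, !EXP, ...) through unchanged and report it.
    Returns (openssl_list, untranslated_tokens)."""
    out, untranslated = [], []
    for token in openvpn_list.split(":"):
        if token in TLS_NAME_TRANSLATION:
            out.append(TLS_NAME_TRANSLATION[token])
        else:
            untranslated.append(token)
            out.append(token)
    return ":".join(out), untranslated


def _matches(name, tags, keyword):
    # "A+B" means every part must match; a part matches by exact suite name or tag
    return all(part == name or part in tags for part in keyword.split("+"))


def resolve(openssl_list):
    """Apply the cipher-list rules above; returns the enabled suites in order."""
    selected = []   # suites currently enabled, in list order
    killed = set()  # suites removed with '!'; they can never be re-added
    for item in openssl_list.split(":"):
        if not item:
            continue
        op, keyword = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [n for n, tags in SUITES.items() if _matches(n, tags, keyword)]
        if op == "!":
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            moved = [n for n in selected if n in hits]
            selected = [n for n in selected if n not in hits] + moved
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected


def check(openvpn_list):
    """What a server would end up with for a given --tls-cipher value (in this model)."""
    openssl_list, untranslated = translate_tls_cipher(openvpn_list)
    ciphers = resolve(openssl_list)
    return {
        "openssl_list": openssl_list,
        "untranslated": untranslated,
        "ciphers": ciphers,
        "error": None if ciphers else "no cipher match",
    }


if __name__ == "__main__":
    for value in (
        "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA",
        "DEFAULT:!EXP:!LOW:!PSK:!SRP:!kRSA",
        "DES-CBC-SHA:!LOW",   # explicit suite loses to a later '!'
        "!LOW:DES-CBC-SHA",   # ...and to an earlier one: '!' is permanent
        "-LOW:DES-CBC-SHA",   # '-' is not permanent, so the suite comes back
    ):
        print(value, "->", check(value))
```

Against a real build, the same check is `openssl ciphers -v '<string>'`, which prints the resolved suites with their key-exchange and authentication columns, or "no cipher match" when the list resolves to nothing.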