Hi,

The contents of the following config file are provided by my VPN provider. I 
have redacted it to remove confidential information:

client
dev tun
proto tcp
remote 1.2.3.4 443
cipher BF-CBC
tun-ipv6
redirect-gateway ipv6
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
ping-restart 60
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
ping 10

<ca>
Large chunks of alphanumeric text
</ca>

<cert>
Large chunks of alphanumeric text
</cert>

<key>
Large chunks of alphanumeric text
</key>

# Limit range of possible TLS cipher-suites
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-SEED-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA


I use OpenVPN 2.3.13 on Ubuntu in a terminal to connect to the VPN server. 
During the process of connecting, a warning appeared:


WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This 
allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block 
size (e.g. AES-256-CBC).


When queried by me, the technical support staff of my VPN provider answered as 
follows:


We are aware of the SWEET32 attack, however we do mitigate it by setting the 
reneg to 64MB, which means after each 64MB of data or the minimum time for a 
key renegotiation, it will renegotiate the keys.

You can read about it here: https://sweet32.info

We have plans to add an AES TCP port, however I can't say how long that 
will take; currently we are in the process of adding another UDP AES port.


Guys, if you look at the contents of the config file above, I do not see a 
reneg value of 64MB. Is the technical support person telling the truth or is he 
just bullsh**ing me?

Thanks in advance for your feedback.

Sebastian
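An added example, not part of Sebastian's post and not OpenVPN's own code: a small Python checker that reads a client config like the one above, flags a data-channel cipher with a 64-bit block (BF-CBC), reports whether `reneg-bytes` is present and how far a given limit sits below the SWEET32 birthday bound (2^32 blocks, i.e. 32 GiB for an 8-byte block), and notes 3DES suites left in `tls-cipher`. The embedded config is constructed for the example and the cipher table is a partial one assumed here. One caveat worth knowing when reading the result: `--reneg-bytes` can be configured on either peer and whichever side reaches its own threshold first initiates the renegotiation, so its absence from the client file only shows that the client will not enforce it, not that the server does not.

```python
import re

# Block size in bits of some OpenVPN data-channel ciphers.  Partial table
# assumed for this example; `openvpn --show-ciphers` lists the real set.
DATA_CIPHER_BLOCK_BITS = {
    "BF-CBC": 64,          # OpenVPN 2.3's default --cipher
    "DES-EDE3-CBC": 64,
    "CAST5-CBC": 64,
    "AES-128-CBC": 128,
    "AES-192-CBC": 128,
    "AES-256-CBC": 128,
    "AES-128-GCM": 128,
    "AES-256-GCM": 128,
}

# Inline certificate/key blocks carry no directives and are dropped before parsing.
INLINE_BLOCK = re.compile(r"<(ca|cert|key|dh|tls-auth|tls-crypt)>.*?</\1>", re.S)


def birthday_blocks(block_bits):
    """SWEET32 is a birthday attack: block collisions become likely after
    about 2**(b/2) blocks encrypted under one key for a b-bit block."""
    return 2 ** (block_bits // 2)


def birthday_bytes(block_bits):
    """Same bound expressed in bytes of plaintext (32 GiB for a 64-bit block)."""
    return birthday_blocks(block_bits) * (block_bits // 8)


def parse_openvpn_config(text):
    """Return {directive: [args...]}; the last occurrence of a directive wins.
    '#' and ';' comment lines and inline <ca>/<cert>/<key> blocks are skipped."""
    directives = {}
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def key_usage_margin(block_bits, reneg_bytes):
    """(blocks encrypted under one key, factor below the birthday bound)."""
    blocks_per_key = reneg_bytes // (block_bits // 8)
    return blocks_per_key, birthday_blocks(block_bits) / blocks_per_key


def sweet32_findings(config_text):
    """Human-readable findings about SWEET32 exposure in a client config."""
    cfg = parse_openvpn_config(config_text)
    findings = []
    cipher = cfg.get("cipher", ["BF-CBC"])[0].upper()
    bits = DATA_CIPHER_BLOCK_BITS.get(cipher)
    if bits is None:
        findings.append(f"cipher {cipher}: block size not in this checker's table")
    elif bits < 128:
        if "reneg-bytes" not in cfg:
            findings.append(f"cipher {cipher}: {bits}-bit block and no reneg-bytes in this file; "
                            "unless the server sets one, a key is reused for the whole "
                            "reneg-sec interval (default 3600 s) regardless of volume")
        elif int(cfg["reneg-bytes"][0]) == 0:
            findings.append(f"cipher {cipher}: {bits}-bit block and reneg-bytes 0 disables "
                            "byte-based renegotiation on this side")
        else:
            reneg = int(cfg["reneg-bytes"][0])
            blocks, margin = key_usage_margin(bits, reneg)
            findings.append(f"cipher {cipher}: {bits}-bit block; reneg-bytes {reneg} keeps each key "
                            f"to {blocks} blocks, {margin:.0f}x below the 2**{bits // 2}-block "
                            "birthday bound")
    # The control channel carries little traffic, but a 64-bit block suite there
    # is still worth removing from the allowed list.
    if "3DES" in cfg.get("tls-cipher", [""])[0]:
        findings.append("tls-cipher: list allows a 3DES (64-bit block) suite on the control channel")
    return findings


# Constructed sample modelled on the post's config; certificates are placeholders.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 192.0.2.1 443
cipher BF-CBC
comp-lzo
verb 3
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
# Limit range of possible TLS cipher-suites
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
"""

if __name__ == "__main__":
    for line in sweet32_findings(SAMPLE_CLIENT_CONFIG):
        print("-", line)
    print("with reneg-bytes 64MB:")
    for line in sweet32_findings(SAMPLE_CLIENT_CONFIG + "reneg-bytes 67108864\n"):
        print("-", line)
```

Run against the sample as-is it reports the missing `reneg-bytes` and the 3DES suite; append `reneg-bytes 67108864` (64 MB) and it instead reports that each Blowfish key covers 2^23 blocks, 512 times below the 2^32-block bound, which is the arithmetic behind the provider's claim. Switching to `cipher AES-256-CBC` removes the data-channel finding entirely, which is what the OpenVPN warning recommends.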


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
