The contents of the following config file are provided by my VPN provider. I 
have redacted it to remove confidential information:

dev tun
proto tcp
remote 443
cipher BF-CBC
redirect-gateway ipv6
resolv-retry infinite
verb 3
remote-cert-tls server
ping-restart 60
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
ping 10

Large chunks of alphanumeric text

Large chunks of alphanumeric text

Large chunks of alphanumeric text

# Limit range of possible TLS cipher-suites

I use OpenVPN 2.3.13 on Ubuntu in a terminal to connect to the VPN server. 
During the process of connecting, a warning appeared:

WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This 
allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block 
size (e.g. AES-256-CBC).

When queried by me, the technical support staff of my VPN provider answered as 

We are aware of the SWEET32 attack; however, we do mitigate it by setting the 
reneg to 64MB, which means after each 64MB of data or the minimum time for a 
key renegotiation, it will renegotiate the keys.

You can read about it here: https://sweet32.info

We have plans to add an AES TCP port; however, I can't say how long that will 
take. Currently we are in the process of adding another UDP AES port.

Guys, if you look at the contents of the config file above, I do not see a 
reneg value of 64MB. Is the technical support person telling the truth or is he 
just bullsh**ing me?

Thanks in advance for your feedback.


Openvpn-users mailing list
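As an added example (not from the post and not OpenVPN's own code), a small Python checker that parses a client config like the one above and reports the cipher's block size, the SWEET32 birthday bound, and whether this side of the connection sets reneg-bytes at all. The block-size table, the sample config and the placeholder certificate blob are the example's own assumptions.

```python
import re

# Block size (bits) of common OpenVPN 2.3 data-channel ciphers; this table is
# the example's own assumption, not taken from the post or from OpenVPN.
BLOCK_BITS = {"BF-CBC": 64, "DES-CBC": 64, "DES-EDE3-CBC": 64, "CAST5-CBC": 64,
              "AES-128-CBC": 128, "AES-256-CBC": 128, "AES-256-GCM": 128}

def parse_config(text):
    """Map directives to args; skip '#'/';' comments and inline <ca>.. blocks."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):      # end of an inline <ca>/<cert>/<key> blob
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def birthday_bound_bytes(block_bits):
    """2^(n/2) blocks of n/8 bytes: the per-key traffic at which SWEET32's
    ciphertext-block collisions become likely (32 GiB for a 64-bit block)."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def check_sweet32(text):
    """Assess one side's config. reneg-* only says what THIS side will
    trigger; either peer can start a rekey, so the client file alone is not proof."""
    opts = parse_config(text)
    cipher = (opts.get("cipher") or ["BF-CBC"])[0].upper()  # 2.3 default
    bits = BLOCK_BITS.get(cipher)
    reneg_bytes = int(opts.get("reneg-bytes", ["0"])[0])   # 2.3 default: off
    reneg_sec = int(opts.get("reneg-sec", ["3600"])[0])     # OpenVPN default
    weak = bits is not None and bits < 128
    return {
        "cipher": cipher, "block_bits": bits, "weak_block": weak,
        "collision_bytes": birthday_bound_bytes(bits) if bits else None,
        "reneg_bytes": reneg_bytes, "reneg_sec": reneg_sec,
        "rekeys_before_collision": (birthday_bound_bytes(bits) // reneg_bytes
                                    if weak and reneg_bytes else None),  # forced rekeys per bound
    }

# Constructed sample: the post's client config plus a placeholder <ca> block.
CLIENT_CONF = ("dev tun\nproto tcp\ncipher BF-CBC\nremote-cert-tls server\n"
               "<ca>\nPLACEHOLDER-CERT\n</ca>\n")
# Same file with the provider's stated 64MB limit written into it explicitly.
CLIENT_CONF_RENEG = CLIENT_CONF + "reneg-bytes 67108864\n"
```

OpenVPN 2.4 and later set reneg-bytes to 64MB by default when a 64-bit block cipher is in use, so on a 2.4 client an absent directive no longer means "off"; the example follows the 2.3 default that the post's version uses.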