On 17/12/16 13:29, Gert Doering wrote:
> Hi,
> 
> On Sat, Dec 17, 2016 at 01:23:53PM +0100, David Sommerseth wrote:
>> On 17/12/16 11:13, Gert Doering wrote:
>>> (Main reason we can't stick to BF-CBC is that we use OTP passwords and
>>> with "reneg-bytes 64M" it's asking way too often for user+password...)
>>
>> And to avoid any --reneg-bytes issues, there is the new
>> --auth-gen-token in OpenVPN v2.4, which will help.  The v2.4 man page
>> carries the gory details too.
> 
> I definitely need to test this, but I seem to remember that this 
> conflicted with --auth-nocache on the client side, which we have
> rolled out (because we do want to see a new OTP every 8 hours)...

I have done some tests with --auth-nocache very recently, and noticed that
it "kills" this feature on the client side.  This will need a client
update as well :/  We will need this fix in 2.3 as well.

I have started to look at this and hope I'll have a patch ready next
week.  The solution is to unset --auth-nocache if a client receives a
token.  This shouldn't be a real issue, as the password on the client
side is replaced by a temporary, session-specific authentication token.
Plus, --auth-gen-token also provides the possibility of setting a token
lifetime.

> Anyway, the --auth-gen-token stuff is cool, and as usual, there is
> more than one way to do it :-)

Let's put it another way: --auth-gen-token should not be used as a
primary solution to keep --cipher BF-CBC ... upgrading to a stronger
cipher must be the primary plan, and even stronger ciphers benefit
from the --reneg-* options too.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
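The message above ties together four settings: a 64-bit block cipher (BF-CBC) kept alive by frequent renegotiation, password/OTP auth that is re-run at every renegotiation, the server-side --auth-gen-token session token, and a client-side --auth-nocache that, as David reports, discards that token on clients without the fix. The linter below walks config fragments for exactly that combination and flags the "before" configurations while passing the "after" ones. It is an added example and not OpenVPN project code. The sample configs are constructed for this example. Assumptions not taken from the thread: the first word of a config line is the option and a later duplicate overrides an earlier one; password auth is inferred from auth-user-pass (client) or auth-user-pass-verify (server); "too frequent" means any reneg-bytes at or below the 64 MiB figure Gert quotes; and OpenVPN's 64 MB reneg-bytes default for 64-bit block ciphers (introduced in 2.4) and the 3600 s reneg-sec default are applied when the options are absent.

```python
"""Lint OpenVPN config fragments for the BF-CBC / reneg / OTP / auth-nocache
combination discussed in the thread.  Added example, not OpenVPN's own code;
see the lead-in for the assumptions it makes."""
from dataclasses import dataclass

MIB = 1024 * 1024
# OpenVPN 2.4 applies a 64 MB reneg-bytes default when a 64-bit block cipher is in use.
BLOCK64_DEFAULT_RENEG = 64 * MIB
# Ciphers with a 64-bit block size; BF-CBC is the one under discussion and is
# also OpenVPN's historical default when no --cipher line is given.
BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


@dataclass(frozen=True)
class Finding:
    code: str
    level: str   # "warn" or "info"
    message: str


def parse_config(text):
    """Map option name -> argument list, dropping '#'/';' comments and blank lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            word, *args = line.split()
            opts[word] = args          # assumption: a later duplicate overrides an earlier one
    return opts


def lint(text, role):
    """Return the findings for one config fragment; role is 'server' or 'client'."""
    if role not in ("server", "client"):
        raise ValueError(role)
    opts = parse_config(text)
    out = []

    cipher = (opts.get("cipher") or ["BF-CBC"])[0].upper()
    block64 = cipher in BLOCK64_CIPHERS
    if block64:
        out.append(Finding("BLOCK64_CIPHER", "warn",
            f"cipher {cipher} has a 64-bit block; move to an AEAD cipher such as "
            "AES-256-GCM instead of leaning on renegotiation frequency"))

    password_auth = ("auth-user-pass" if role == "client" else "auth-user-pass-verify") in opts
    reneg = opts.get("reneg-bytes")
    reneg_bytes = int(reneg[0]) if reneg else (BLOCK64_DEFAULT_RENEG if block64 else None)
    if block64 and password_auth and reneg_bytes is not None and reneg_bytes <= 64 * MIB:
        out.append(Finding("OTP_REPROMPT", "warn",
            f"renegotiation every {reneg_bytes // MIB} MiB re-runs user/password auth; "
            "with one-time passwords that is a fresh OTP each time unless the server "
            "issues a session token (auth-gen-token)"))

    token = opts.get("auth-gen-token")
    if role == "server" and token is not None:
        if block64:
            out.append(Finding("TOKEN_NOT_A_CIPHER_FIX", "warn",
                "auth-gen-token removes the re-prompts but is no reason to keep a "
                "64-bit block cipher"))
        lifetime = int(token[0]) if token else 0             # 0 / absent: token never expires
        reneg_sec = int(opts.get("reneg-sec", ["3600"])[0])  # OpenVPN default is 3600 s
        if 0 < lifetime < reneg_sec:
            out.append(Finding("TOKEN_LIFETIME_SHORT", "warn",
                f"token lifetime {lifetime}s is shorter than reneg-sec {reneg_sec}s, "
                "so the token has already expired at the first renegotiation"))

    if role == "client" and "auth-nocache" in opts and password_auth:
        out.append(Finding("AUTH_NOCACHE_TOKEN", "info",
            "auth-nocache also drops a pushed auth token on clients without the fix "
            "David describes; a fixed client lifts auth-nocache once a token arrives"))
    return out


def warn_codes(text, role):
    """Just the warn-level finding codes, in order."""
    return [f.code for f in lint(text, role) if f.level == "warn"]


# Constructed samples: the setup described in the thread, before and after.
SERVER_BEFORE = """
port 1194
dev tun
cipher BF-CBC
reneg-bytes 67108864      # 64 MiB, forces a re-auth (new OTP) that often
auth-user-pass-verify /etc/openvpn/otp-check.sh via-file
auth-gen-token 28800
reneg-sec 3600
"""
SERVER_AFTER = SERVER_BEFORE.replace("cipher BF-CBC", "cipher AES-256-GCM").replace(
    "reneg-bytes 67108864      # 64 MiB, forces a re-auth (new OTP) that often\n", "")
CLIENT_BEFORE = "client\ndev tun\nremote vpn.example.net 1194\ncipher BF-CBC\nauth-user-pass\nauth-nocache\n"
CLIENT_AFTER = CLIENT_BEFORE.replace("cipher BF-CBC", "cipher AES-256-GCM")

if __name__ == "__main__":
    for name, text, role in [("server before", SERVER_BEFORE, "server"), ("server after", SERVER_AFTER, "server"),
                             ("client before", CLIENT_BEFORE, "client"), ("client after", CLIENT_AFTER, "client")]:
        print(f"== {name}")
        for f in lint(text, role):
            print(f"  [{f.level}] {f.code}: {f.message}")
```

The "client after" fragment deliberately keeps auth-nocache, since the thread's plan is for a fixed client to drop it itself once a token arrives; the linter therefore reports it at info level only, and a clean run is "no warn-level findings".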

