On 15/12/17 11:07, Walter H. via Openvpn-users wrote:
> Hi folks,
>
> WinXP uses the latest package from here:
> https://openvpn.net/index.php/download/community-downloads.html
> ( OpenVPN 2.3.18 )
>
> and the Linux box is a CentOS 6 that uses the RPM package from EPEL
> ( OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017 )
>
> the Linux box is configured as a server
>
> every hour I get this in the logs on server side
>
> ... client/WINXP:2319 TLS: soft reset sec=0 bytes=19303/67108864 pkts=358/0
> ... client/WINXP:2319 VERIFY OK: depth=1, ###
> ... client/WINXP:2319 VERIFY OK: depth=0, ###
> ... client/WINXP:2319 peer info: IV_VER=2.3.18
> ... client/WINXP:2319 peer info: IV_PLAT=win
> ... client/WINXP:2319 peer info: IV_PROTO=2
> ... client/WINXP:2319 peer info: IV_GUI_VER=OpenVPN_GUI_10
> ... client/WINXP:2319 Outgoing Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
> ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
> ... client/WINXP:2319 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
> ... client/WINXP:2319 Incoming Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
> ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
> ... client/WINXP:2319 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
> ... client/WINXP:2319 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
>
> the tunnel works, and both have in their config 'cipher=DES-EDE3-CBC'
>
> but when I change this cipher= entry to 'cipher=AES-256-CBC' as mentioned
> in the warning on both sides, it fails to get a connection, why?
> I tested with CAMELLIA, AES, ... -> no connection; this 3DES seems to be
> the only cipher with a block size of more than 64(?) bit that works, why?
-- 
kind regards,

David Sommerseth
OpenVPN, Inc
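The server log quoted above is the kind of thing worth scanning routinely rather than reading by hand: the "INSECURE cipher" warning tells you which peer is still on a 64-bit-block cipher, and the "Data Channel: Cipher" lines tell you what every other peer negotiated. The script below is an added example written for this page, not code from the thread or from the OpenVPN project. It parses lines shaped like the ones Walter posted and reports, per peer, the data-channel cipher, its block size, the HMAC hash, the client's reported IV_VER and whether the server itself raised the SWEET32 warning. The sample input is constructed: the WINXP lines mirror the quoted log, the LAPTOP peer is invented as a clean comparison, and the block-size table is assembled here by hand rather than taken from OpenVPN output.

```python
import re
from typing import Dict, List

# Constructed sample input: the WINXP lines follow the server log quoted in
# the thread (timestamps elided as "..."); the LAPTOP client is invented so
# the audit has one clean peer to compare against.
SAMPLE_LOG = """\
... client/WINXP:2319 TLS: soft reset sec=0 bytes=19303/67108864 pkts=358/0
... client/WINXP:2319 peer info: IV_VER=2.3.18
... client/WINXP:2319 peer info: IV_PLAT=win
... client/WINXP:2319 Outgoing Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
... client/WINXP:2319 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
... client/WINXP:2319 Incoming Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
... client/WINXP:2319 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
... client/LAPTOP:4410 peer info: IV_VER=2.4.4
... client/LAPTOP:4410 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
... client/LAPTOP:4410 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# Block size in bits of data-channel ciphers you are likely to meet.
# Below 128 bits is exactly what the server's SWEET32 warning flags.
# (Table assembled for this example; it is not part of OpenVPN's output.)
BLOCK_BITS = {
    "DES-CBC": 64, "DES-EDE3-CBC": 64, "BF-CBC": 64, "CAST5-CBC": 64,
    "AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128,
    "AES-128-GCM": 128, "AES-256-GCM": 128,
    "CAMELLIA-128-CBC": 128, "CAMELLIA-256-CBC": 128,
}

# A peer is logged as "<CN>/<address>:<port>"; the leading timestamp varies
# between setups, so we search within the line rather than anchor at its start.
PEER = r"(?P<client>\S+/\S+:\d+)"
VER_RE = re.compile(PEER + r" peer info: IV_VER=(?P<ver>\S+)")
CIPHER_RE = re.compile(
    PEER + r" (?:Incoming|Outgoing) Data Channel: Cipher '(?P<cipher>[^']+)'"
    r" initialized with (?P<keybits>\d+) bit key"
)
HMAC_RE = re.compile(
    PEER + r" (?:Incoming|Outgoing) Data Channel: Using \d+ bit message hash '(?P<hash>[^']+)'"
)
WARN_RE = re.compile(PEER + r" WARNING: INSECURE cipher with block size less than 128 bit")


def audit(log_text: str) -> Dict[str, dict]:
    """Collect, per peer, the negotiated data-channel cipher, its block size,
    the HMAC hash, the client's reported version, and whether the server
    itself emitted the SWEET32 warning for that peer."""
    peers: Dict[str, dict] = {}

    def rec(name: str) -> dict:
        return peers.setdefault(name, {
            "version": None, "cipher": None, "key_bits": None,
            "block_bits": None, "hmac": None, "warned": False,
        })

    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            r = rec(m["client"])
            r["cipher"] = m["cipher"]
            r["key_bits"] = int(m["keybits"])
            r["block_bits"] = BLOCK_BITS.get(m["cipher"])  # None if not in table
        elif m := HMAC_RE.search(line):
            rec(m["client"])["hmac"] = m["hash"]
        elif m := VER_RE.search(line):
            rec(m["client"])["version"] = m["ver"]
        elif m := WARN_RE.search(line):
            rec(m["client"])["warned"] = True
    return peers


def weak_peers(log_text: str) -> List[str]:
    """Peers whose data channel uses a cipher with a block size under 128 bits.
    A cipher missing from the table is flagged too: unknown is not the same as safe."""
    return sorted(
        name for name, r in audit(log_text).items()
        if r["cipher"] is not None and (r["block_bits"] is None or r["block_bits"] < 128)
    )


if __name__ == "__main__":
    for name, r in audit(SAMPLE_LOG).items():
        print(f"{name}: IV_VER={r['version']} {r['cipher']} ({r['block_bits']} bit block), "
              f"HMAC {r['hmac']}, server warned: {r['warned']}")
    print("peers to fix:", weak_peers(SAMPLE_LOG))
```

The server's own WARNING line is the authoritative signal; the block-size table only lets the audit keep flagging a peer when the warning line was rotated away or never captured, and it deliberately treats a cipher it does not recognise as something to look at rather than something to trust. Feed it the server log (not the client's) so every peer shows up in one place.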
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
