I know what I wrote, what's your answer? Thanks, Walter
On 15/12/17 11:01:14, David Sommerseth <[email protected]> wrote:
On 15/12/17 11:07, Walter H. via Openvpn-users wrote:Hi folks, WinXP uses the latest package from here: https://openvpn.net/index.php/download/community-downloads.html ( OpenVPN 2.3.18 ) and the Linux box is a CentOS 6 that uses the RPM package from EPEL ( OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017 ) the linux box is configured as a server every hour I get this in the logs on server side ... client/WINXP:2319 TLS: soft reset sec=0 bytes=19303/67108864 pkts=358/0 ... client/WINXP:2319 VERIFY OK: depth=1, ### ... client/WINXP:2319 VERIFY OK: depth=0, ### ... client/WINXP:2319 peer info: IV_VER=2.3.18 ... client/WINXP:2319 peer info: IV_PLAT=win ... client/WINXP:2319 peer info: IV_PROTO=2 ... client/WINXP:2319 peer info: IV_GUI_VER=OpenVPN_GUI_10 ... client/WINXP:2319 Outgoing Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). ... client/WINXP:2319 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication ... client/WINXP:2319 Incoming Data Channel: Cipher 'DES-EDE3-CBC' initialized with 192 bit key ... client/WINXP:2319 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). ... client/WINXP:2319 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication ... client/WINXP:2319 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA the tunnel works, and both have in its config 'cipher=DES-EDE3-CBC' but when I change this cipher= entry to 'cipher=AES-256-CBC' as mentioned in the warning on both sides, it fails to get a connection, why? I tested with CAMELLIA, AES, ... -> no connection; this 3DES seems to be the only cipher with a block size of more than 64(?) bit, that works, why?
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
