Hello,

I have to deploy an OpenVPN configuration to be used on an AWS infrastructure that will involve AWS IoT. Every "thing" will have its own dedicated x509 certificate for identification and security as required by AWS IoT.
Every "thing" will also always be an OpenVPN client.

I would like to have an in-house managed CA (using easy-rsa) to create a single certificate that every device ("thing") would be using for both OpenVPN and AWS IoT communication. That would be a lot easier to implement and maintain, if feasible.

It turns out that AWS IoT requires TLS 1.2[1] and supports the following TLS ciphers[2]:

    ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)
    ECDHE-RSA-AES128-GCM-SHA256 (recommended)
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA
    ECDHE-ECDSA-AES256-SHA
    AES128-GCM-SHA256
    AES128-SHA256
    AES128-SHA
    AES256-GCM-SHA384
    AES256-SHA256
    AES256-SHA

I will be in control of both server and client devices, and plan to run Debian Stretch or later on them, so it seems the recommended ciphers are supported by the available versions of the OpenVPN and OpenSSL packages.

Would ECDHE-ECDSA-AES128-GCM-SHA256 be a good cipher for a routed VPN with a central server and many independent nodes? I have heard about ECDSA problems due to poor (P)RNG implementations causing key leakage, but I guess I could just pick ECDHE-RSA-AES128-GCM-SHA256 if that is of concern.

I would like to hear your thoughts about that approach.
Thank you.

[1]: https://docs.aws.amazon.com/iot/latest/developerguide/x509-certs.html
[2]: https://docs.aws.amazon.com/iot/latest/developerguide/iot-security-identity.html

--
Samuele Catusian
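
An added example, not part of Samuele's mail or of OpenVPN itself: it classifies the AWS IoT suite list quoted above (forward secrecy, AEAD, which server certificate key type each suite needs) and maps the OpenSSL names to the IANA-style names that OpenVPN's `--tls-cipher` directive expects. Note that the suite's authentication algorithm is dictated by the key type of the certificate the server presents; the client (device) certificate's key type is independent of the negotiated suite.

```python
"""Classify AWS IoT TLS 1.2 cipher suites and map them to OpenVPN --tls-cipher names."""
import re

# Constructed from the list quoted in the mail (OpenSSL naming).
AWS_IOT_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
]

# OpenSSL name grammar for the AES suites above; no ECDHE prefix means static RSA key transport.
_SUITE_RE = re.compile(
    r"^(?:(?P<kx>ECDHE)-(?P<auth>ECDSA|RSA)-)?AES(?P<bits>128|256)-(?P<mode>GCM-)?(?P<mac>SHA256|SHA384|SHA)$"
)

def classify(openssl_name):
    """Return the security properties of one suite plus its OpenVPN (IANA-style) name."""
    m = _SUITE_RE.match(openssl_name)
    if not m:
        raise ValueError(f"unrecognised suite: {openssl_name}")
    kx, auth = m["kx"] or "RSA", m["auth"] or "RSA"
    aead = m["mode"] is not None                      # GCM is AEAD; otherwise CBC + HMAC
    prefix = "TLS-RSA-WITH" if kx == "RSA" else f"TLS-{kx}-{auth}-WITH"
    return {
        "openssl": openssl_name,
        "openvpn": f"{prefix}-AES-{m['bits']}-{'GCM' if aead else 'CBC'}-{m['mac']}",
        "cert_key": "EC" if auth == "ECDSA" else "RSA",  # key type of the server certificate
        "forward_secrecy": kx == "ECDHE",
        "aead": aead,
    }

def usable_with(cert_key, suites=AWS_IOT_SUITES, require_pfs=True, require_aead=True):
    """Suites negotiable with a server cert of type cert_key ('EC' or 'RSA'), filtered by policy."""
    out = []
    for name in suites:
        c = classify(name)
        if c["cert_key"] != cert_key:
            continue
        if (require_pfs and not c["forward_secrecy"]) or (require_aead and not c["aead"]):
            continue
        out.append(c)
    return out

def openvpn_tls_cipher(cert_key, **policy):
    """Colon-separated value suitable for OpenVPN's --tls-cipher directive."""
    return ":".join(c["openvpn"] for c in usable_with(cert_key, **policy))
```

With an EC server certificate and the default policy (forward secrecy plus AEAD), only the two ECDHE-ECDSA GCM suites remain, which is the intersection the mail is asking about.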

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users