Hi Jan Just,

On 07-11-18 15:50, Jan Just Keijser wrote:
> AES-256-GCM:
>
> crypto_adjust_frame_parameters:
> packet_id_size= 4 bytes
> cipher_kt_iv_size = 12 bytes
> cipher_kt_tag_size = 16 bytes
> cipher_kt_block_size = 16 bytes
> hmac_length = 0 bytes
> crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by
> 48 bytes

Hm, this is indeed what OpenVPN does, but I think it's wrong. In AEAD mode we should not adjust for the IV size, because we only send the packet ID on the wire. It seems that nobody has noticed that before. So now we have to consider whether we can fix that without even more surprising side effects, like peers disagreeing on the correct link/tun mtu...

-Steffan
