On 06.04.20 16:01, Jan Just Keijser wrote:
> As OpenVPN uses an SSL library like OpenSSL or mbedtls you can use all
> crypto features provided by that library. As far as I know, OpenSSL does
> not support chacha20 or blake2 yet, so neither does OpenVPN.

Of course OpenSSL supports ChaCha20, and it has for a while:

$ openssl version
OpenSSL 1.1.1d  10 Sep 2019
$ openssl ciphers -V | grep -i chacha
0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH     Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAA - DHE-RSA-CHACHA20-POLY1305     TLSv1.2 Kx=DH       Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAE - RSA-PSK-CHACHA20-POLY1305     TLSv1.2 Kx=RSAPSK   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAD - DHE-PSK-CHACHA20-POLY1305     TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAC - ECDHE-PSK-CHACHA20-POLY1305   TLSv1.2 Kx=ECDHEPSK Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xAB - PSK-CHACHA20-POLY1305         TLSv1.2 Kx=PSK      Au=PSK   Enc=CHACHA20/POLY1305(256) Mac=AEAD

I also don't think you are correct about being able to use "all crypto
features provided by that library". As far as I recall, OpenSSL had EC
support for ages already when in OpenVPN there still was only the option
to use RSA certificates.

> Regarding the various comments I have seen about openvpn being big and
> bloated compared to wireguard: that's comparing apples and oranges.
> Wireguard is little more than a Linux kernel module that only does
> encryption using some form of preshared keys (TLS is a no-no).

Preshared *public* keys, correct. In contrast to the PSK setup that
OpenVPN offers, which is just symmetric keys. That's a world of
difference, mind you.

> OpenVPN
> is a user-space application that does way more than that, all based on
> TLS.

Is it all based on TLS? As far as I recall, OpenVPN rolled their own
protocol, loosely based on some TLS parts, but their own thing
regardless. With different crypto settings for the comms and bulk data
channel, if I recall correctly. Am I misremembering or has this been
aligned by now?

You're saying OpenVPN uses just plain old DTLS when run over UDP?

> Someone asking you to use the same encryption settings in openvpn
> as in wireguard is similar to someone asking to use the same /proc
> pseudo filesystem settings in Windows as in Linux.

Agreed, the question doesn't make sense.

Best,
Johannes

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
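The thread makes two separate points that are easy to conflate: whether the TLS library offers ChaCha20-Poly1305 cipher suites (the `openssl ciphers -V` listing above), and whether OpenVPN can use ChaCha20-Poly1305 on its data channel, which is not a TLS record layer but OpenVPN's own packet format with its own cipher list. The script below is an added example, not code from the thread or from the OpenVPN project. It parses both listings: a constructed subset of the `openssl ciphers -V` output pasted above, and a constructed `openvpn --show-ciphers` listing (the cipher names are real OpenVPN 2.4 names; the parenthesised descriptions are illustrative). If `openssl` or `openvpn` is installed it also runs the same checks live. The option names quoted in the comments are assumptions about versions: `ncp-ciphers` is the OpenVPN 2.4 spelling of the data-channel list and `data-ciphers` the 2.5+ one; TLS control-channel suites go into `--tls-cipher` using the IANA-style names that `openvpn --show-tls` prints.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which
# ChaCha20-Poly1305 suites the TLS library offers for the control channel,
# and separately whether the OpenVPN build offers CHACHA20-POLY1305 as a
# data-channel cipher.  Those are two different settings in OpenVPN.

# Constructed sample of `openssl ciphers -V` output (subset of the thread's
# paste) so the parsing below runs without OpenSSL installed.
SAMPLE_TLS_CIPHERS='0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Constructed sample of `openvpn --show-ciphers` output (real OpenVPN 2.4
# cipher names; the text in parentheses is illustrative only).
SAMPLE_OVPN_CIPHERS='AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode)
CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode)'

# stdin: `openssl ciphers -V` listing.  Prints the suite names whose bulk
# cipher is ChaCha20-Poly1305, one per line.  The Enc= column is matched
# rather than the name, so PSK and other variants are caught as well.
# Column 3 is the suite name, column 4 the protocol version.
chacha_suites() {
    awk '/Enc=CHACHA20\/POLY1305/ { print $3 }'
}

# stdin: same listing.  Exit 0 if at least one ChaCha20-Poly1305 suite is
# offered for the given protocol version (e.g. TLSv1.2 or TLSv1.3).
has_chacha_for() {
    awk -v proto="$1" \
        '$4 == proto && /Enc=CHACHA20\/POLY1305/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# stdin: `openvpn --show-ciphers` listing.  Exit 0 if the named data-channel
# cipher appears as the first token of a line (case-insensitive).  The
# preamble lines openvpn prints never equal a cipher name, so they are
# harmless.
openvpn_has_data_cipher() {
    awk -v want="$1" \
        'toupper($1) == toupper(want) { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Run the parsers over the samples, then over the local tools if present.
main() {
    echo "== sample openssl listing: ChaCha20-Poly1305 suites =="
    printf '%s\n' "$SAMPLE_TLS_CIPHERS" | chacha_suites
    if printf '%s\n' "$SAMPLE_OVPN_CIPHERS" | openvpn_has_data_cipher CHACHA20-POLY1305; then
        echo "sample openvpn listing offers CHACHA20-POLY1305 on the data channel"
    fi

    if command -v openssl >/dev/null 2>&1; then
        echo "== local $(openssl version) =="
        openssl ciphers -V 2>/dev/null | chacha_suites
        for v in TLSv1.2 TLSv1.3; do
            if openssl ciphers -V 2>/dev/null | has_chacha_for "$v"; then
                echo "control channel: ChaCha20-Poly1305 suite available for $v"
            else
                echo "control channel: no ChaCha20-Poly1305 suite for $v"
            fi
        done
    fi

    if command -v openvpn >/dev/null 2>&1; then
        echo "== local openvpn =="
        if openvpn --show-ciphers 2>/dev/null | openvpn_has_data_cipher CHACHA20-POLY1305; then
            echo "data channel: CHACHA20-POLY1305 available"
            # Assumed option names: ncp-ciphers on OpenVPN 2.4, data-ciphers
            # on 2.5+ (2.5 still accepts ncp-ciphers as an alias).
            echo "  config line: data-ciphers CHACHA20-POLY1305:AES-256-GCM   (ncp-ciphers on 2.4)"
        else
            echo "data channel: CHACHA20-POLY1305 not offered by this build"
        fi
    fi
    return 0
}

main "$@"
```

Run it as `sh check-chacha.sh`. The point it makes in code is the one the reply raises: a suite showing up in `openssl ciphers -V` says something about the TLS control channel only; whether the bulk data channel can use ChaCha20-Poly1305 is answered by `openvpn --show-ciphers` and configured with a different option.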