Hi,

On Tue, Nov 07, 2023 at 05:32:08AM +0000, Jason Long wrote:
> You said "Under normal conditions there is nothing you can do in your config
> file which will *improve* security.", what are abnormal conditions?
Should people detect a critical attack against AES tomorrow, changing
--data-channel-ciphers to avoid AES ciphers would be a good thing.
As of today, there is no hole in any of the standard ciphers, so fumbling
with --data-channel-ciphers will not improve anything.
> Do you mean to use "tls-crypt" instead of "tls-auth"?
No. This is why I wrote "tls-auth *or* tls-crypt". Both are good, but
only one of them can be used at the same time (tls-crypt is newer, includes
tls-auth functionality, but requires 2.3 and up clients) - it depends on
the circumstances which one you can use.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
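A small config lint that checks the point made above, that a config should carry tls-auth *or* tls-crypt but not both. This is an added example, not code from the thread or from the OpenVPN project; the sample configs are constructed, and the directive spellings (`tls-auth`, `tls-crypt`, and their inline `<tls-auth>`/`<tls-crypt>` block forms) are standard OpenVPN syntax.

```python
import re

# Constructed sample client configs (not taken from the mailing list thread).
CLIENT_TLS_CRYPT = """
client
remote vpn.example.invalid 1194
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

CLIENT_BOTH = """
client
tls-auth ta.key 1
tls-crypt tc.key   # both present: OpenVPN treats these as mutually exclusive
"""

CLIENT_NEITHER = """
client
remote vpn.example.invalid 1194
"""

# Matches 'tls-auth ...', 'tls-crypt ...', '<tls-auth>' or '<tls-crypt>',
# but not the closing '</tls-...>' tags or unrelated directives.
_DIRECTIVE = re.compile(r'^<?(tls-auth|tls-crypt)(?=[\s>]|$)')


def control_channel_protection(config: str) -> str:
    """Classify how a config protects the TLS control channel.

    Returns 'tls-crypt', 'tls-auth', 'conflict' (both configured) or 'none'.
    Comments starting with '#' or ';' are ignored, as OpenVPN ignores them.
    """
    found = set()
    for raw in config.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m:
            found.add(m.group(1))
    if found == {'tls-auth', 'tls-crypt'}:
        return 'conflict'
    return found.pop() if found else 'none'
```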
