Hi,

On Wed, Jan 03, 2024 at 04:04:02PM +0000, Peter Davis via Openvpn-users wrote:
> I have two questions:
> 1- Is it possible to transfer server and client keys from one server to
> another or must the keys be generated on each server?

Ideally, you wouldn't create the keys "on the server" anyway - in a secure world, the CA key never leaves a *secure* machine for key generation, and you'd create server key(s) and client keys on this machine, copying to the target machines as needed.

In practice, it does not really matter how you copy your keys around - the other end of the connection will have no insight on "what is the real identity of the machine?", all it cares about is "is this a certificate signed by a CA that I trust" (plus possible constraints if so configured, like "the server must present a certificate with a CN 'alice'", but this is client config specific).

> 2- I connected to an OpenVPN server with the OpenVPN Connect app on Android,
> I saw the following two lines in the logs:
>
> compress: NONE
> digest: NONE
>
> What do these mean and are they considered a security problem?

You omitted the part that said something about "cipher: AES-256-GCM", I'd wager a guess...

So, compress: NONE is good, digest: NONE is good *only* if an AEAD cipher is used (like AES-GCM) that does not need a separate digest pass.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
    Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany    g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
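The rule in the reply above (digest: NONE is acceptable only alongside an AEAD cipher, and compress: NONE is the good value) can be checked mechanically against a client log. The following is an added example, not part of the original message or of OpenVPN itself; the function names, the AEAD cipher list and the sample log excerpts are assumptions constructed for illustration, modelled on the `key: VALUE` lines quoted in the thread.

```python
import re

# Assumption: ciphers treated as AEAD here (they authenticate packets
# themselves, so no separate digest pass is needed).
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Matches lines shaped like the ones quoted in the thread, e.g. "digest: NONE".
FIELD_RE = re.compile(r"^\s*(cipher|digest|compress):\s*(\S+)\s*$", re.IGNORECASE)

def parse_params(log_text):
    """Collect the cipher/digest/compress values found in a log excerpt."""
    params = {}
    for line in log_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2).upper()
    return params

def audit(log_text):
    """Return a list of findings; an empty list means nothing to flag."""
    p = parse_params(log_text)
    cipher, digest, compress = p.get("cipher"), p.get("digest"), p.get("compress")
    findings = []
    if cipher is None:
        # The situation in the thread: digest alone cannot be judged.
        findings.append("cipher line missing: cannot judge the digest setting")
    elif cipher == "NONE":
        findings.append("cipher NONE: data channel is not encrypted")
    if digest == "NONE" and cipher is not None and cipher not in AEAD_CIPHERS:
        findings.append(
            f"digest NONE with non-AEAD cipher {cipher}: packets are not authenticated"
        )
    if compress not in (None, "NONE"):
        findings.append(f"compress is {compress}, not NONE")
    return findings

# Constructed sample excerpts (not real logs).
GOOD = "cipher: AES-256-GCM\ndigest: NONE\ncompress: NONE"
EXCERPT = "compress: NONE\ndigest: NONE"          # the two lines from the question
WEAK = "cipher: AES-256-CBC\ndigest: NONE\ncompress: LZO"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("EXCERPT", EXCERPT), ("WEAK", WEAK)):
        print(name, audit(text) or "ok")
```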