>On Wednesday, January 3rd, 2024 at 7:53 PM, Gert Doering <g...@greenie.muc.de> wrote:


> Hi,
> 
> On Wed, Jan 03, 2024 at 04:04:02PM +0000, Peter Davis via Openvpn-users wrote:
> 
> > I have two questions:
> > 1- Is it possible to transfer server and client keys from one server to 
> > another or must the keys be generated on each server?
> 
> 
> Ideally, you wouldn't create the keys "on the server" anyway - in a
> secure world, the CA key never leaves a secure machine for key generation,
> and you'd create server key(s) and client keys on this machine, copying
> to the target machines as needed.
> 
> In practice, it does not really matter how you copy your keys around - the
> other end of the connection will have no insight on "what is the real
> identity of the machine?", all it cares about is "is this a certificate
> signed by a CA that I trust" (plus possible constraints if so configured,
> like "the server must present a certificate with a CN 'alice'", but this
> is client config specific).
> 
> > 2- I connected to an OpenVPN server with the OpenVPN Connect app on 
> > Android, I saw the following two lines in the logs:
> > 
> > compress: NONE
> > digest: NONE
> > 
> > What do these mean and are they considered a security problem?
> 
> 
> You omitted the part that said something about "cipher: AES-256-GCM", I'd
> wager a guess...
> 
> So, compress: NONE is good, digest: NONE is good only if an AEAD cipher
> is used (like AES-GCM) that does not need a separate digest pass.
> 
> gert
> 
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de


Hi.
1- But I need to put the server and client keys in /etc/openvpn/server and 
/etc/openvpn/client directories. Am I wrong?

2- I used these lines in the server and client configuration files:

data-ciphers AES-256-GCM
cipher AES-256-GCM

Did something get omitted by mistake?


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
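
The rule from the quoted reply (digest: NONE is fine only when the cipher is AEAD, and it cannot be judged when the cipher line is missing) written as a log check. This is an added example, not part of the thread or of OpenVPN; the "name: value" line shape is assumed from the two lines quoted in the post, and the excerpts are constructed.

```python
import re

# Data-channel ciphers that are AEAD: they authenticate each packet
# themselves, so no separate HMAC digest is negotiated alongside them.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Assumed line shape, taken from the two lines quoted in the post:
# "<name>: <value>", optionally preceded by a timestamp or indentation.
FIELD_RE = re.compile(r"\b(cipher|digest|compress):\s*(\S+)", re.IGNORECASE)


def parse_summary(log_text):
    """Return the last seen cipher/digest/compress values, upper-cased."""
    fields = {}
    for line in log_text.splitlines():
        match = FIELD_RE.search(line)
        if match:
            fields[match.group(1).lower()] = match.group(2).upper()
    return fields


def assess(fields):
    """Apply the rule from the reply; returns a list of (level, message)."""
    cipher, digest = fields.get("cipher"), fields.get("digest")
    compress = fields.get("compress")
    findings = []
    if compress is not None and compress != "NONE":
        findings.append(("WARN", f"compress: {compress} (NONE is the good value)"))
    if cipher is None:
        findings.append(("UNKNOWN", "no cipher line; digest cannot be judged"))
    elif cipher == "NONE":
        findings.append(("FAIL", "cipher: NONE, data channel is not encrypted"))
    elif cipher in AEAD_CIPHERS:
        findings.append(("OK", f"{cipher} is AEAD; no separate digest needed"))
    elif digest in (None, "NONE"):
        findings.append(("FAIL", f"{cipher} is not AEAD and has no digest"))
    else:
        findings.append(("OK", f"{cipher} authenticated by HMAC {digest}"))
    return findings


# Constructed excerpts (not real logs).
EXCERPT_AS_POSTED = "compress: NONE\ndigest: NONE\n"
EXCERPT_FULL = "cipher: AES-256-GCM\ndigest: NONE\ncompress: NONE\n"
EXCERPT_WEAK = "cipher: AES-256-CBC\ndigest: NONE\ncompress: LZO\n"

if __name__ == "__main__":
    for name in ("EXCERPT_AS_POSTED", "EXCERPT_FULL", "EXCERPT_WEAK"):
        print(name, assess(parse_summary(globals()[name])))
```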
