Re: [Openvpn-devel] [Patch] ECDH support

2014-03-04 Thread Jan Just Keijser
On 04/03/14 23:48, Steffan Karger wrote: Hi, On Tue, Mar 4, 2014 at 10:49 PM, pietrek -- wrote: [...] I think we could add option "--dh none" or "--no-dh". It may be specified, if user knows what he's doing. I like that idea. It offers a migration

Re: [Openvpn-devel] [Patch] ECDH support

2014-03-04 Thread Steffan Karger
Hi, On Tue, Mar 4, 2014 at 10:49 PM, pietrek -- wrote: > [...] I think we could add option "--dh none" or "--no-dh". It may be > specified, if user knows what he's doing. > I like that idea. It offers a migration path for users that really want to skip the DH-stuff. I'd vote for "--dh '[none]

Re: [Openvpn-devel] [Patch] ECDH support

2014-03-04 Thread pietrek --
Hi, I agree with you that an admin may be confused if he doesn't specify the --dh option and the server works but refuses some clients. He could just forget to add this option or not know it's necessary. I think we could add option "--dh none" or "--no-dh". It may be specified, if user knows what h

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-26 Thread Steffan Karger
Hi, On 26-02-14 21:04, pietrek -- wrote: > I tested what would happen if any key exchange protocol will be specified. > It works as I expected: connection failed with error: 'no such cipher'. > So session cannot work without ECDH and DH. > Also, if OpenSSL would accept it, it would be an invitatat

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-26 Thread pietrek --
Hi, I tested what would happen if any key exchange protocol will be specified. It works as I expected: connection failed with error: 'no such cipher'. So session cannot work without ECDH and DH. Also, if OpenSSL would accept it, it would be an invitation for men in the middle ;) For clients

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi, On 25-02-14 22:49, Jan Just Keijser wrote: > read up on the original ticket too: > https://forums.openvpn.net/topic8404-30.html > > there's some useful commands/description in there on how to generate > ECDSA certificates. Thanks. I've added support for ECDSA to EasyRSA 3 a little while ag

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Jan Just Keijser
Hi Steffan, On 25/02/14 09:48, Steffan Karger wrote: Hi, On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote: > Although there is apparently more work to do to get more cipher suites > working, this does give us a start on working with EC-crypto.

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi, On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote: > > Although there is apparently more work to do to get more cipher suites > > working, this does give us a start on working with EC-crypto. Maybe this > > part can go in (once ACK'ed) as 'the start of EC-support', so more > > people can h

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Gert Doering
Hi, On Tue, Feb 25, 2014 at 01:39:11AM +0100, Steffan Karger wrote: > > I added warning if DH isn't specified - old client may not support ECDH. > > Autodetecting ecdh is a good idea - I made option ecdh=auto. > > On the long run I agree that a warning should suffice, but for now I > would really

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Steffan Karger
Hi Piotr, On 24-02-14 01:28, pietrek -- wrote: > Hi Steffan, > I modified my patch again. And thanks for your code - it helped me. Good to hear it helped you. But your new patch basically is my code now, except that it accepts a configuration without a DH-file. > 1) In such case server will set

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-24 Thread pietrek --
Hi Steffan, I modified my patch again. And thanks for your code - it helped me. 1) In such case server will set ecdh=auto. 2) That's a good idea. I added initializing both ECDH and DH on server side if they're specified in config. 3) It works for me without specifying anything on client side. I

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-23 Thread Steffan Karger
Hi Piotr, On 23-02-14 00:18, pietrek -- wrote: > I added such a comment to the readme. First of all, thank you for writing the patch and responding to questions on the mailing list! I've found a bit of time to look at your patch. There are a couple of things I would like to note: 1) This patch all

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-22 Thread pietrek --
On 02/22/14 22:33, michael-...@fami-braun.de wrote: Hi, thanks for writing the patch. I'd like to propose to add a comment to the readme regarding the use of ECDH instead of DH without using an EC certificate, because that currently is not mentioned in it. Thanks, M. Braun Am 19.02.2014 14: