Auth digest algorithm doesn't matter
- 
 My TLS /30 Peer to Peer tunnel is able to connect with different Auth options on each end. 
 BLAKE2s256 on one end and SHAKE256 on the other.
 If I look at the client end log, I see...
 May 30 15:36:26 openvpn 84533 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
 May 30 15:36:26 openvpn 84533 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
 May 30 15:36:26 openvpn 84533 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
 May 30 15:36:26 openvpn 84533 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
 ...
 May 30 15:36:24 openvpn 84390 authname = 'SHAKE256'
 May 30 15:36:24 openvpn 84390 ncp_ciphers = 'AES-128-GCM:AES-128-CBC'
 May 30 15:36:24 openvpn 84390 ciphername = 'AES-128-CBC'
 May 30 15:36:24 openvpn 84390 key_direction = not set
 Is that normal?
- 
 What pfSense version?
 AFAIK, 'AES-128-CBC' was said goodbye to a long time ago ...
- 
 Did a little more research. 
 tls-auth will use the auth algorithm so both sides need to match.
 tls-crypt is hard-coded to use AES-256-CTR/SHA256 and the auth algorithm is not used.
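
The tls-auth versus tls-crypt distinction from the last post, written as a config check. This is an added example, not part of the thread and not OpenVPN or pfSense code. It goes one step beyond the thread by also classifying the data channel, where OpenVPN ignores `auth` when an AEAD cipher such as AES-128-GCM is in use. The function names, result labels and sample configs are assumptions made for illustration.

```python
# Added example: classify whether an `auth` mismatch between two peers matters.
AEAD = ("GCM", "CHACHA20-POLY1305")  # AEAD data-channel ciphers ignore `auth`

def parse(conf):
    """Map each OpenVPN directive to its argument list; comment lines are skipped."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            key, *args = line.split()
            opts[key] = args
    return opts

def data_ciphers(opts):
    """Ciphers a peer may use on the data channel (empty list = not stated)."""
    for key in ("data-ciphers", "ncp-ciphers"):
        if opts.get(key):
            return opts[key][0].upper().split(":")
    return [opts["cipher"][0].upper()] if opts.get("cipher") else []

def auth_mismatch_impact(conf_a, conf_b):
    a, b = parse(conf_a), parse(conf_b)
    # OpenVPN falls back to SHA1 when no `auth` directive is present.
    digests = [o.get("auth", ["SHA1"])[0].upper() for o in (a, b)]
    if digests[0] == digests[1]:
        return {"mismatch": False, "control": "n/a", "data": "n/a"}
    if "tls-auth" in a or "tls-auth" in b:
        control = "must-match"   # tls-auth HMAC is computed with the `auth` digest
    elif "tls-crypt" in a and "tls-crypt" in b:
        control = "ignored"      # tls-crypt is fixed to AES-256-CTR + SHA256
    else:
        control = "no-wrapper"
    names = data_ciphers(a) + data_ciphers(b)
    aead_only = bool(names) and all(any(m in n for m in AEAD) for n in names)
    data = "ignored" if aead_only else "may-matter"
    return {"mismatch": True, "control": control, "data": data}

# Constructed sample configs modelled on the thread (key paths are placeholders).
PEER_A = "auth BLAKE2s256\ntls-crypt /path/to/shared.key\ndata-ciphers AES-128-GCM\n"
PEER_B = "auth SHAKE256\ntls-crypt /path/to/shared.key\ndata-ciphers AES-128-GCM\n"

if __name__ == "__main__":
    print(auth_mismatch_impact(PEER_A, PEER_B))
    print(auth_mismatch_impact(PEER_A.replace("tls-crypt", "tls-auth"),
                               PEER_B.replace("tls-crypt", "tls-auth")))
```

A result of `may-matter` on the data channel means a non-AEAD cipher such as AES-128-CBC is still offered by one of the peers, in which case the `auth` digest is used for the data-channel HMAC.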
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
