Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    SHA1 for HMAC

    OpenVPN
    2
    4
    140
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      coreybrett last edited by

      I understand the defaults in 2.4.4 were updated to reflect modern crypto.
      I'm curious why SHA1 is considered weak for the hash.
      Is there a performance diff between SHA1 and SHA256?

      According to these articles, SHA1 is still ok for HMAC.
      But perhaps something has changed since they were written?

      https://vikingvpn.com/blogs/transparency/understanding-googles-sha-1-collision-and-openvpn-hmac-sha1

      https://blog.equinux.com/2017/03/sha-1-collision-and-what-it-means-for-your-vpn-security/

      1 Reply Last reply Reply Quote 0
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Though SHA1 may still be safe right now, if your goal is "secure by default" why pick something you know is a ticking time bomb?

        There may be a performance difference between SHA1 and SHA256 but it largely depends on your hardware and workload.

        If that bothers you, use AES-GCM which does the encryption and hashing in one (accelerated) step.

        1 Reply Last reply Reply Quote 0
        • C
          coreybrett last edited by

          Thanks for the feed back.
          Can I do GCM with a PSK S2S tunnel?

          1 Reply Last reply Reply Quote 0
          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            With IPsec, yes. With OpenVPN, no. OpenVPN shared key mode isn't compatible with GCM (IIRC it requires SSL/TLS)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy