Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SHA1 for HMAC

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 2 Posters 641 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      coreybrett
      last edited by

      I understand the defaults in 2.4.4 were updated to reflect modern crypto.
      I'm curious why SHA1 is considered weak for the hash.
      Is there a performance diff between SHA1 and SHA256?

      According to these articles, SHA1 is still ok for HMAC.
      But perhaps something has changed since they were written?

      https://vikingvpn.com/blogs/transparency/understanding-googles-sha-1-collision-and-openvpn-hmac-sha1

      https://blog.equinux.com/2017/03/sha-1-collision-and-what-it-means-for-your-vpn-security/

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Though SHA1 may still be safe right now, if your goal is "secure by default" why pick something you know is a ticking time bomb?

        There may be a performance difference between SHA1 and SHA256 but it largely depends on your hardware and workload.

        If that bothers you, use AES-GCM which does the encryption and hashing in one (accelerated) step.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • C
          coreybrett
          last edited by

          Thanks for the feed back.
          Can I do GCM with a PSK S2S tunnel?

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            With IPsec, yes. With OpenVPN, no. OpenVPN shared key mode isn't compatible with GCM (IIRC it requires SSL/TLS)

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.