OpenVPN Suggestion: Auth and TLS-cipher drop-downs



  • While OpenVPN on the 2.1 snapshot appears to work just fine (much better than the 2.3.0 I004 Windows version!), and I'm delighted to see CAMELLIA show up in the ciphers list, I'd like to suggest three more drop-downs, one for the TLS shared key size, one for the AUTH (digest) option, and the other for the TLS-CIPHER option.

    While I appreciate the 2048 bit default tls shared key generation, I'd like the option to choose a larger keysize - my hardware's more than enough to handle it compared to my bandwidth and latency requirements.

    For AUTH and TLS-CIPHER, these are both setting I always change to increase my security as far as possible - again, I've got the hardware to do it.  On pfSense 2.1, for instance, I can use the new digest and tls cipher suite:
    auth RSA-SHA512;tls-cipher ECDHE-RSA-AES256-GCM-SHA384

    I'm a little fuzzy on RSA-SHA512 vs. SHA512's benefits, but I'm quite certain that elliptical curve with GCM (mode) and a SHA2 hash is far and away better than the previous best option of DHE-RSA-AES256-SHA.

    While I have no problems putting the advanced option in there, for new users, it'd be nice to see drop-downs to encourage them to choose a cipher suited to them.  You could add a hint, including zero or more of: If you don't know what these are, for best security, choose X, for best speed choose Y, for United States NIST SP800-52 regulatory compliance, choose Z, for United States Suite B compliance, choose C, for European Union compliance, choose Q.


Log in to reply