Netgate Discussion Forum

OpenVPN Suggestion: Auth and TLS-cipher drop-downs

    Nadrek (last edited Feb 28, 2013, 6:31 AM)

    While OpenVPN on the 2.1 snapshot appears to work just fine (much better than the 2.3.0 I004 Windows version!), and I'm delighted to see CAMELLIA show up in the ciphers list, I'd like to suggest three more drop-downs, one for the TLS shared key size, one for the AUTH (digest) option, and the other for the TLS-CIPHER option.

    While I appreciate the 2048 bit default tls shared key generation, I'd like the option to choose a larger keysize - my hardware's more than enough to handle it compared to my bandwidth and latency requirements.

    For AUTH and TLS-CIPHER, these are both settings I always change to increase my security as far as possible - again, I've got the hardware to do it. On pfSense 2.1, for instance, I can use the new digest and tls cipher suite:
    auth RSA-SHA512;tls-cipher ECDHE-RSA-AES256-GCM-SHA384

    I'm a little fuzzy on RSA-SHA512 vs. SHA512's benefits, but I'm quite certain that elliptical curve with GCM (mode) and a SHA2 hash is far and away better than the previous best option of DHE-RSA-AES256-SHA.

    While I have no problems putting the advanced option in there, for new users, it'd be nice to see drop-downs to encourage them to choose a cipher suited to them.  You could add a hint, including zero or more of: If you don't know what these are, for best security, choose X, for best speed choose Y, for United States NIST SP800-52 regulatory compliance, choose Z, for United States Suite B compliance, choose C, for European Union compliance, choose Q.

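The suite comparison in the post above, as an added example that is not part of the original post or of pfSense's code: it parses the semicolon-separated advanced-options line and breaks each `tls-cipher` entry into key exchange, cipher and record-integrity parts. It assumes OpenSSL-style names of the form KX-AUTH-CIPHER-HASH; the function names are hypothetical.

```python
import re

# Constructed sample inputs in pfSense's semicolon-separated advanced-options
# form: the first is the line from the post, the second uses the older suite
# the post compares it against.
POST_OPTS = "auth RSA-SHA512;tls-cipher ECDHE-RSA-AES256-GCM-SHA384"
OLD_OPTS = "tls-cipher DHE-RSA-AES256-SHA"

def parse_advanced(opts):
    """Split 'directive arg;directive arg' into {directive: arg}."""
    out = {}
    for item in re.split(r"[;\n]+", opts):
        parts = item.split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def describe_suite(name):
    """Decompose an OpenSSL-style (EC)DHE suite name; None for other shapes."""
    m = re.fullmatch(r"(ECDHE|DHE)-(RSA|ECDSA|DSS)-(.+)-(SHA\d*)", name.upper())
    if not m:
        return None
    kx, sig, enc, tail = m.groups()
    aead = enc.endswith("-GCM")
    return {
        "key_exchange": kx,
        "authentication": sig,
        "cipher": enc,
        "aead": aead,
        # With an AEAD cipher the trailing hash is the handshake PRF hash;
        # otherwise it is the HMAC that protects each record ("SHA" = SHA-1).
        "record_integrity": "GCM tag" if aead else "HMAC-" + ("SHA1" if tail == "SHA" else tail),
    }

def review(opts):
    """Return readable findings for the auth and tls-cipher directives."""
    conf, notes = parse_advanced(opts), []
    auth = conf.get("auth")
    notes.append(f"auth: {auth}" if auth else "auth: not set, OpenVPN default applies")
    for suite in filter(None, conf.get("tls-cipher", "").split(":")):
        d = describe_suite(suite)
        if d is None:
            notes.append(f"tls-cipher {suite}: name shape not recognised, review by hand")
        else:
            notes.append(f"tls-cipher {suite}: {d['key_exchange']} key exchange, "
                         f"{d['cipher']}, record integrity {d['record_integrity']}")
    if "tls-cipher" not in conf:
        notes.append("tls-cipher: not set, library default list applies")
    return notes
```

Calling `review(POST_OPTS)` and `review(OLD_OPTS)` side by side shows where the two configurations differ: key exchange, AEAD versus HMAC record protection, and whether `auth` is set at all.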