Page 1 of 1

tls-crypt, GCM ciphers, auth [alg] directive

Posted: Mon Apr 10, 2017 3:05 pm
by cr9c1
I just had a couple questions.

I noticed a new feature in 2.4, tls-crypt. I was previously using tls-auth, with key direction specified in server and client configurations. I checked out the notes for tls-crypt and it seemed like an improvement, so I switched over to it, and have had no issues. Previously, I had updated my ciphers from CBC to GCM ciphers. I also restrict TLS to 1.2, and only using the TLS cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

Before switching to the GCM ciphers, I was using auth SHA512 and auth SHA256 in some cases, mostly experimenting. It appears as if either using tls-crypt, or switching to the GCM ciphers has caused the auth SHA256/512 to become not-needed, is this the case? It appears I have missed something, but removing the auth statement in both client and server results in no change on the server end and client end logfile, indicating encryption of the data and control channel are the same, with the same cipher and key length regardless of the auth statement.

Would this be correct? I figure it has to be either tls-crypt or the use of the GCM ciphers that have made the auth directive do nothing, but I only understand a little about this so your help is greatly appreciated. Thank you!

Re: tls-crypt, GCM ciphers, auth [alg] directive

Posted: Mon Apr 10, 2017 3:08 pm
by cr9c1
Okay, so I finally found what I was looking for in the man page.. using GCM ciphers ignores the auth directive for data channel. However because I am using tls-crypt vs tls-auth, I'm assuming the auth directive is also useless for the control channel as well, since that is predefined as using AES-256-CTR cipherwith a 256 bit key?

Re: tls-crypt, GCM ciphers, auth [alg] directive

Posted: Mon Apr 10, 2017 4:18 pm
by TinCanTech
Without seeing your configs and logs it is all a mystery ..

However,
--tls-crypt disables --tsl-auth, you can stop using --tls-crypt by commenting it out of your config,
you can also disable --ncp-ciphers with --ncp-disable