tls-crypt, GCM ciphers, auth [alg] directive
Posted: Mon Apr 10, 2017 3:05 pm
I just had a couple questions.
I noticed a new feature in 2.4, tls-crypt. I was previously using tls-auth, with key direction specified in server and client configurations. I checked out the notes for tls-crypt and it seemed like an improvement, so I switched over to it, and have had no issues. Previously, I had updated my ciphers from CBC to GCM ciphers. I also restrict TLS to 1.2, and only using the TLS cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
Before switching to the GCM ciphers, I was using auth SHA512 and auth SHA256 in some cases, mostly experimenting. It appears as if either using tls-crypt, or switching to the GCM ciphers has caused the auth SHA256/512 to become not-needed, is this the case? It appears I have missed something, but removing the auth statement in both client and server results in no change on the server end and client end logfile, indicating encryption of the data and control channel are the same, with the same cipher and key length regardless of the auth statement.
Would this be correct? I figure it has to be either tls-crypt or the use of the GCM ciphers that have made the auth directive do nothing, but I only understand a little about this so your help is greatly appreciated. Thank you!
I noticed a new feature in 2.4, tls-crypt. I was previously using tls-auth, with key direction specified in server and client configurations. I checked out the notes for tls-crypt and it seemed like an improvement, so I switched over to it, and have had no issues. Previously, I had updated my ciphers from CBC to GCM ciphers. I also restrict TLS to 1.2, and only using the TLS cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
Before switching to the GCM ciphers, I was using auth SHA512 and auth SHA256 in some cases, mostly experimenting. It appears as if either using tls-crypt, or switching to the GCM ciphers has caused the auth SHA256/512 to become not-needed, is this the case? It appears I have missed something, but removing the auth statement in both client and server results in no change on the server end and client end logfile, indicating encryption of the data and control channel are the same, with the same cipher and key length regardless of the auth statement.
Would this be correct? I figure it has to be either tls-crypt or the use of the GCM ciphers that have made the auth directive do nothing, but I only understand a little about this so your help is greatly appreciated. Thank you!