I just had a couple of questions.
I noticed a new feature in 2.4, tls-crypt. I was previously using tls-auth, with key direction specified in the server and client configurations. I checked out the notes for tls-crypt and it seemed like an improvement, so I switched over to it, and have had no issues. Previously, I had updated my ciphers from CBC to GCM ciphers. I also restrict TLS to 1.2, and only use the TLS cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
Before switching to the GCM ciphers, I was using auth SHA512 and auth SHA256 in some cases, mostly experimenting. It appears as if either using tls-crypt, or switching to the GCM ciphers, has caused the auth SHA256/512 to become not needed. Is this the case? It appears I have missed something, but removing the auth statement in both client and server results in no change in the server-end and client-end logfiles, indicating encryption of the data and control channels is the same, with the same cipher and key length regardless of the auth statement.
Would this be correct? I figure it has to be either tls-crypt or the use of the GCM ciphers that has made the auth directive do nothing, but I only understand a little about this, so your help is greatly appreciated. Thank you!
tls-crypt, GCM ciphers, auth [alg] directive
- OpenVPN User
- Posts: 35
- Joined: Mon Mar 31, 2014 5:49 pm
Re: tls-crypt, GCM ciphers, auth [alg] directive
Okay, so I finally found what I was looking for in the man page. Using GCM ciphers ignores the auth directive for the data channel. However, because I am using tls-crypt vs tls-auth, I'm assuming the auth directive is also useless for the control channel as well, since that is predefined as using the AES-256-CTR cipher with a 256-bit key?
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: tls-crypt, GCM ciphers, auth [alg] directive
Without seeing your configs and logs it is all a mystery ..
However,
--tls-crypt disables --tls-auth; you can stop using --tls-crypt by commenting it out of your config,
you can also disable --ncp-ciphers with --ncp-disable
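The point the thread settles on (an AEAD/GCM data channel and a tls-crypt control channel each authenticate on their own, so `auth` no longer does anything) can be checked mechanically. The script below is an added example, not code from OpenVPN or from anyone in the thread; it parses two constructed config fragments (the first mirrors the settings described in the question) and reports on which channel the `auth` algorithm is still used, assuming both peers are OpenVPN 2.4 with cipher negotiation available.

```python
"""Where does OpenVPN 2.4's `auth` directive still have an effect?

Rules taken from the OpenVPN 2.4 manual:
  * data channel: an AEAD cipher (the GCM modes) authenticates its own
    packets, so `auth` is ignored there;
  * control channel: `tls-crypt` uses fixed algorithms (AES-256-CTR and
    HMAC-SHA-256), so `auth` is ignored; `tls-auth` takes its HMAC from `auth`.
"""

# Constructed sample mirroring the settings discussed in the thread.
SAMPLE_TLS_CRYPT = """\
tls-crypt ta.key
cipher AES-256-GCM
auth SHA512          # left in place: does it still do anything?
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

# Constructed legacy-style sample where `auth` still matters on both channels.
SAMPLE_TLS_AUTH = """\
tls-auth ta.key 0
cipher AES-256-CBC
ncp-disable          ; otherwise 2.4 peers negotiate a GCM cipher anyway
auth SHA256
"""

DEFAULT_NCP = "AES-256-GCM:AES-128-GCM"   # OpenVPN 2.4 default --ncp-ciphers


def parse_config(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name.lstrip("-"), args)
    return conf


def is_aead(cipher):
    return cipher.upper().endswith("-GCM")


def auth_effect(conf):
    """Return which channels actually use the `auth` HMAC algorithm."""
    if "ncp-disable" in conf:
        candidates = [conf.get("cipher", ["BF-CBC"])[0]]   # 2.4 default cipher
    else:   # assumes both peers are 2.4, so the NCP list decides the cipher
        candidates = conf.get("ncp-ciphers", [DEFAULT_NCP])[0].split(":")
    data = any(not is_aead(c) for c in candidates)   # non-AEAD outcome keeps HMAC
    control = "tls-auth" in conf and "tls-crypt" not in conf
    return {"data_channel": data, "control_channel": control,
            "data_ciphers": candidates}
```

For the first sample both values come back False, which is why removing `auth` changed nothing in the logs; the second sample reports True for both channels.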