Digital signature option in OpenVPN

Post by Chizo » Tue Jun 05, 2012 12:06 pm

Hi All, OpenVPN users!
One question that interests me: is there a possibility or functionality for digital signatures in OpenVPN?
I saw that there is HMAC, but for authentication in the handshake process of the TLS/SSL communication...
Maybe I missed something for digital signatures?

Please help

Chizo

Re: Digital signature option in OpenVPN

Post by janjust » Tue Jun 05, 2012 1:11 pm

openvpn uses (extra) HMAC signing when you use the

    tls-auth <path-to-ta.key-file>

in the client and server setups.
Without this option OpenVPN still uses HMAC signing for the data transport, but not for the initial connection. The default HMAC signing algorithm is SHA1.

Re: Digital signature option in OpenVPN

Post by Chizo » Tue Jun 05, 2012 2:56 pm

Hi, thx a lot for the answer. I understand you well, but I do not know the real function of HMAC without the active option "tls-auth"; you said that it "uses HMAC signing for the data transport"?
You mean, if I understand you well, that HMAC is the message digest and is sent with the message,
i.e. message+digest (HMAC) without private-key encryption to the receiver, and the receiver needs to have the same HMAC algorithm to create the digest and compare it with the sender's one?
Am I right?

Thx

Chizo

Re: Digital signature option in OpenVPN

Post by janjust » Wed Jun 06, 2012 8:15 am

read the security overview
http://openvpn.net/index.php/open-sourc ... rview.html
for the full story; openvpn uses a control channel and a data channel; the 'tls-auth' option is used to add extra HMAC signing to the control channel. The data channel is always protected using HMAC signing. The digest used for this is controlled using the 'auth' option. The default is SHA1.
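The check Chizo describes (message plus keyed digest, receiver recomputes with the same key and algorithm and compares) is exactly what the tls-auth and auth options buy you, so here it is carried through in Python as an added example. This is illustration code written for this thread, not OpenVPN's own implementation: the 32-byte shared key is a constructed stand-in for the contents of a ta.key file (real OpenVPN static keys are larger and carry separate directional keys), and the packet layout, tag simply placed in front of the payload, is a simplification that does not reproduce OpenVPN's real framing. The function names protect, verify, tag_len and demo are assumptions of this example.

```python
"""Shared-key message authentication with HMAC, as an added illustration.

Sender: tag = HMAC(key, payload); send tag || payload.
Receiver: recompute HMAC over payload, constant-time compare, drop on mismatch.
Simplified framing; not OpenVPN's real packet layout.
"""
import hashlib
import hmac
import secrets

# Constructed sample key: a stand-in for the static key given to --tls-auth.
# Assumption: 32 bytes is arbitrary here; a real ta.key is larger.
SHARED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def tag_len(digest: str) -> int:
    """Length in bytes of the HMAC tag for the given digest (sha1 -> 20)."""
    return hashlib.new(digest).digest_size


def protect(key: bytes, payload: bytes, digest: str = "sha1") -> bytes:
    """Sender side: return tag || payload, where tag = HMAC_key(payload)."""
    tag = hmac.new(key, payload, digest).digest()
    return tag + payload


def verify(key: bytes, packet: bytes, digest: str = "sha1"):
    """Receiver side: split off the tag, recompute, compare in constant time.

    Returns the payload on success and None on any failure, which is the
    point of tls-auth: a packet that fails here is discarded before any
    further (TLS) processing is spent on it.
    """
    n = tag_len(digest)
    if len(packet) < n:
        return None
    tag, payload = packet[:n], packet[n:]
    expected = hmac.new(key, payload, digest).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict:
    """Exercise the cases that matter and report each outcome as a bool."""
    # Constructed sample message standing in for a control-channel packet.
    msg = b"constructed handshake message"
    good = protect(SHARED_KEY, msg)
    results = {"valid": verify(SHARED_KEY, good) == msg}

    # 1. A single flipped bit in transit invalidates the tag.
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    results["tampered_rejected"] = verify(SHARED_KEY, bytes(tampered)) is None

    # 2. A peer that does not hold the shared key cannot produce a valid tag,
    #    and cannot make us accept one either.
    other_key = secrets.token_bytes(32)
    results["wrong_key_rejected"] = verify(other_key, good) is None

    # 3. Both ends must agree on the digest (the 'auth' setting): a SHA-1 tag
    #    checked as SHA-256 has the wrong length and value.
    results["digest_mismatch_rejected"] = verify(SHARED_KEY, good, "sha256") is None

    # 4. Same key and same digest on both sides, SHA-256 this time, verifies.
    good256 = protect(SHARED_KEY, msg, "sha256")
    results["sha256_valid"] = verify(SHARED_KEY, good256, "sha256") == msg
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Case 3 is the one to remember when a tunnel refuses to come up: the digest is not carried in the packet, so an auth mismatch between client and server looks exactly like a forged packet to the receiving end. Note also that an HMAC is a symmetric construct; anyone holding the shared key can produce valid tags, so it authenticates "someone with the key", which is what Chizo's first post was getting at in contrasting it with a private-key digital signature.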
