I'm using a forked version of mbedTLS that introduces experimental new ciphersuites for TLS v1.2. I've created a basic client/server OpenVPN setup, roughly following the HOWTO guide, and this connects and works fine. However, my interesting new ciphersuites are ignored and the client and server agree on TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
The preferred ciphersuites (on both client and server) are as follows:
$ openvpn --show-tls | head
Available TLS Ciphers,
listed in order of preference:
TLS-NEWHOPE_ECDSA-WITH-AES-256-GCM-SHA384 <--- this is the one I'd like to use
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CCM
TLS-DHE-RSA-WITH-AES-256-CCM
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS_ERROR: read tls_read_plaintext error: SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)
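An added example, not from the original post or from OpenVPN's own documentation, of pinning the experimental suite on both ends so the negotiation cannot quietly fall back to TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384. It uses the real OpenVPN options tls-cipher and tls-version-min; the suite name is the one from the --show-tls listing above, and the certificate and key file names are placeholders. The point is diagnostic as much as preventive: with only one suite allowed, a server that cannot actually use it fails the handshake with exactly the mbedTLS message quoted above ("None of the common ciphersuites is usable (eg, no suitable certificate ...)"), which is what you would expect if, for instance, the suite requires ECDSA authentication but the server certificate does not carry an EC key.

```conf
# server.conf (added example; file names are placeholders)
tls-version-min 1.2
# Allow only the experimental suite; the listed order no longer matters.
tls-cipher TLS-NEWHOPE_ECDSA-WITH-AES-256-GCM-SHA384
ca   ca.crt
# An *_ECDSA-* suite can only be selected if this certificate has an EC key;
# otherwise mbedTLS reports "None of the common ciphersuites is usable".
cert server.crt
key  server.key

# client.conf (added example; file names are placeholders)
tls-version-min 1.2
# Must match the server's list, or there is no common suite at all.
tls-cipher TLS-NEWHOPE_ECDSA-WITH-AES-256-GCM-SHA384
ca   ca.crt
cert client.crt
key  client.key
```

With both sides restricted this way, a successful connection proves the new suite was actually used, and a failure points at the server-side check that rejected it (certificate key type, signature algorithm, or a suite the forked mbedTLS registers for --show-tls but cannot complete a handshake with) rather than at ordering.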