auth RSA-SHA256 versus auth SHA256

alvarosedano
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 14, 2017 9:33 pm

auth RSA-SHA256 versus auth SHA256

Post by alvarosedano » Sat Jan 14, 2017 9:36 pm

On the server config file you must set
auth RSA-SHA256

On the client side you must set
auth SHA256

...and then it works fine (tested on v2.4.0).

P.D.: You can use tls-auth if you want

alvarosedano
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 14, 2017 9:33 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by alvarosedano » Sun Jan 15, 2017 6:42 pm

On the server config file you must set the RSA- equivalent of the digest used in client.conf.

server.conf

#Use only one of them
auth RSA-SHA256
;auth RSA-SHA384
;auth RSA-SHA512

On the client side you must set

client.conf

#Use only one of them
auth SHA256
;auth SHA384
;auth SHA512

...and it's working fine (tested on v2.4.0).

I don't know why SHAxxx doesn't work on the server side; if you check the digest availability on the server side, you can see both SHA256 and RSA-SHA256:


openvpn --show-digests
The following message digests are available for use with
OpenVPN. A message digest is used in conjunction with
the HMAC function, to authenticate received packets.
You can specify a message digest as parameter to
the --auth option.

MD5 128 bit digest size
RSA-MD5 128 bit digest size
SHA 160 bit digest size
RSA-SHA 160 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA 160 bit digest size
DSA-SHA1-old 160 bit digest size
MDC2 128 bit digest size
RSA-MDC2 128 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
ecdsa-with-SHA1 160 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size
whirlpool 512 bit digest size

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by TinCanTech » Sun Jan 15, 2017 9:18 pm

alvarosedano wrote:On the server config file you must set
auth RSA-SHA256

On the client side you must set
auth SHA256

...and then it works fine (tested on v2.4.0).
  • This is not true ..
The result of such a configuration is:


TLS Error: cannot locate HMAC in incoming packet ..

alvarosedano
OpenVpn Newbie
Posts: 4
Joined: Sat Jan 14, 2017 9:33 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by alvarosedano » Tue Jan 17, 2017 8:35 pm

Can you please give us the full server config? The client side would also be appreciated.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post by TinCanTech » Tue Jan 17, 2017 9:08 pm

TinCanTech wrote:
alvarosedano wrote:On the server config file you must set
auth RSA-SHA256

On the client side you must set
auth SHA256

...and then it works fine (tested on v2.4.0).
  • This is not true ..
The result of such a configuration is:


TLS Error: cannot locate HMAC in incoming packet ..
alvarosedano wrote:Can you please give us the full server config? The client side would also be appreciated.
  • If you want to try to prove something which is not true then the onus is on you to submit your proof.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: auth RSA-SHA256 versus auth SHA256

Post by TinCanTech » Thu Jan 19, 2017 11:33 am

In fact, it turns out that I am wrong :(

When used for --auth the RSA element is not utilized,
only the SHA function is used as the HMAC for packets.

So, provided the bit lengths (256 / 512) are the same on server & client
then you can mix and match --auth RSA-SHAxxx with --auth SHAxxx.

eg:
  • Server
    auth RSA-SHA512
    will work with
    Client
    auth SHA512
    etc.

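The rule TinCanTech arrives at above (the RSA- prefix is only an OpenSSL signature-scheme alias, so --auth RSA-SHAxxx and --auth SHAxxx yield the same packet HMAC as long as the hash matches) can be checked directly. The script below is an added illustration, not OpenVPN's code: the alias table `_BASE_DIGEST`, and the functions `base_digest`, `auth_compatible`, `packet_hmac` and `receiver_accepts` are hypothetical helpers built from the names in the `--show-digests` output quoted in this thread, and the receiver check is a simplified stand-in for how a mismatched tag length surfaces as the "cannot locate HMAC" error.

```python
import hashlib
import hmac

# Hypothetical mapping of the --auth names listed by `openvpn --show-digests`
# to the plain hash that actually runs inside the HMAC. The RSA-/DSA-/ecdsa-
# prefixes are OpenSSL signature-scheme aliases and add no extra hashing.
# Only hashes hashlib guarantees are listed; others (MDC2, RIPEMD160,
# whirlpool) are rejected below.
_BASE_DIGEST = {
    "SHA": "sha1", "RSA-SHA": "sha1", "SHA1": "sha1", "RSA-SHA1": "sha1",
    "DSA-SHA": "sha1", "DSA-SHA1": "sha1", "RSA-SHA1-2": "sha1",
    "DSA": "sha1", "ecdsa-with-SHA1": "sha1",
    "MD5": "md5", "RSA-MD5": "md5",
    "SHA224": "sha224", "RSA-SHA224": "sha224",
    "SHA256": "sha256", "RSA-SHA256": "sha256",
    "SHA384": "sha384", "RSA-SHA384": "sha384",
    "SHA512": "sha512", "RSA-SHA512": "sha512",
}

def base_digest(auth_name: str) -> str:
    """Return the hashlib name behind an --auth value, or raise ValueError."""
    try:
        return _BASE_DIGEST[auth_name]
    except KeyError:
        raise ValueError(f"unknown or unsupported --auth digest: {auth_name}") from None

def auth_compatible(server_auth: str, client_auth: str) -> bool:
    """True when both peers will produce and expect the same HMAC."""
    return base_digest(server_auth) == base_digest(client_auth)

def packet_hmac(auth_name: str, key: bytes, packet: bytes) -> bytes:
    """HMAC tag a peer attaches to (or looks for in) a packet under --auth."""
    return hmac.new(key, packet, base_digest(auth_name)).digest()

def receiver_accepts(server_auth: str, client_auth: str, key: bytes, packet: bytes) -> bool:
    """Simplified receiver check: tag must have the expected length and match."""
    tag = packet_hmac(client_auth, key, packet)          # what the client sends
    expected_len = hashlib.new(base_digest(server_auth)).digest_size
    if len(tag) != expected_len:                         # a SHA256/SHA512 mix fails here
        return False
    return hmac.compare_digest(tag, packet_hmac(server_auth, key, packet))

if __name__ == "__main__":
    key = b"constructed-demo-key"                          # constructed sample key
    pkt = b"constructed OpenVPN control-channel payload"   # constructed sample packet
    print(receiver_accepts("RSA-SHA256", "SHA256", key, pkt))  # True: same hash
    print(receiver_accepts("RSA-SHA256", "SHA512", key, pkt))  # False: 256 vs 512 bits
```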