Digital signature option in OpenVPN
Posted: Tue Jun 05, 2012 12:06 pm
by Chizo
Hi all, OpenVPN users!
One question that interests me: is there a possibility or functionality of digital signatures in OpenVPN?
I saw that there is HMAC, but for authentication in the handshake process of the TLS/SSL communication...
Maybe I missed something for digital signatures?
Please help
Chizo
Re: Digital signature option in OpenVPN
Posted: Tue Jun 05, 2012 1:11 pm
by janjust
OpenVPN uses (extra) HMAC signing when you use the
in the client and server setups.
Without this option OpenVPN still uses HMAC signing for the data transport, but not for the initial connection. The default HMAC signing algorithm is SHA1.
Re: Digital signature option in OpenVPN
Posted: Tue Jun 05, 2012 2:56 pm
by Chizo
Hi, thanks a lot for the answer. I understand you well, but I do not know the real function of HMAC without the "tls-auth" option active; you said that it "uses HMAC signing for the data transport"?
You mean, if I understand you well, that HMAC is the message digest and is sent with the message.
etc. message + digest (HMAC), without private-key encryption, to the receiver, and the receiver needs to have the same HMAC algorithm to create the digest and to compare it with the sender's one?
Am I right?
Thanks
Chizo
Re: Digital signature option in OpenVPN
Posted: Wed Jun 06, 2012 8:15 am
by janjust
Read the security overview
http://openvpn.net/index.php/open-sourc ... rview.html
for the full story; OpenVPN uses a control channel and a data channel; the 'tls-auth' option is used to add extra HMAC signing to the control channel. The data channel is always protected using HMAC signing. The digest used for this is controlled using the 'auth' option. The default is SHA1.
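
The HMAC check discussed in this thread, as an added example that is not part of the original posts and is not OpenVPN's code: the receiver recomputes the tag with a shared key and rejects anything that does not match, which an unkeyed digest cannot provide. The packet layout (tag followed by payload), the random key, the sample payload and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DIGEST = hashlib.sha1            # default 'auth' digest named in the thread
TAG_LEN = DIGEST().digest_size   # 20 bytes for SHA1


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender: prepend HMAC(key, payload). Simplified layout, not OpenVPN's wire format."""
    return hmac.new(key, payload, DIGEST).digest() + payload


def unseal(key: bytes, wire: bytes):
    """Receiver: recompute the HMAC with the shared key and compare.

    Returns the payload, or None when the tag does not verify.
    """
    if len(wire) < TAG_LEN:
        return None
    tag, payload = wire[:TAG_LEN], wire[TAG_LEN:]
    expected = hmac.new(key, payload, DIGEST).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


def unkeyed(payload: bytes) -> bytes:
    """Same layout with a plain digest: anyone can compute this, no key needed."""
    return DIGEST(payload).digest() + payload


def demo() -> dict:
    key = os.urandom(32)                     # constructed sample shared key
    wire = seal(key, b"ping 10.8.0.1")       # constructed sample payload
    flipped = wire[:-1] + bytes([wire[-1] ^ 0x01])
    return {
        "valid": unseal(key, wire),
        "modified_in_transit": unseal(key, flipped),
        "plain_digest_only": unseal(key, unkeyed(b"ping 10.8.0.1")),
        "wrong_key": unseal(os.urandom(32), wire),
        # Symmetric: the receiver can mint the same tag, so an HMAC proves
        # "someone holding the key sent this", not which party did.
        "receiver_can_mint_same_tag": seal(key, b"ping 10.8.0.1") == wire,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The last case is the difference from a digital signature: both ends hold the same key, so either can produce a valid tag.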