
OpenVPN Cryptography and NIST SP800-57

Posted: Tue Feb 23, 2021 9:07 pm
by Johnny86
Hello everyone, hope you are keeping well and can advise on the following:
I'd like to know the answer to the following: Does OpenVPN utilise robust cryptography as per the NIST SP800-57 guidance?
On the OpenVPN website the following answer is provided to the question "What security practices/framework is the program based on? (NIST, ISO, etc)"
The OpenVPN program is a publicly audited open source project with a track record of many years of excellent security.
The above Q&A can be found at https://openvpn.net/openvpn-compliance/
The fact that there is no straightforward Yes/No to be taken from the above leads me to believe the answer is No - because if it was based on NIST guidance then surely they would say so? Happy to be corrected should I be wrong with this assumption.
Any guidance you can offer would be much appreciated.
All my best
Johnny

Re: OpenVPN Cryptography and NIST SP800-57

Posted: Thu Feb 25, 2021 3:53 pm
by openvpn_inc
Hello,

I would say that in order to make OpenVPN completely compliant with those requirements, that you would need to actually disable parts of OpenVPN that allow other cryptographic options. Probably have to do something about your environment that OpenVPN runs in too. This document reads similar to FIPS-140 and also references it. Usually such documents say something along the lines of "you have to use these ciphers and if your solution supports anything else then it's not compliant".

Our commercial products use ciphers and methods generally recommended in those documents like AES-256 for example. But at best you can make it compliant to the degree that if you use the correct (usually default) settings then you should be (mostly) compliant. But if you are getting audited on this, then I figure the only real option is to compile your own version of OpenVPN where you neuter everything that doesn't meet what's in that document.

Kind regards,
Johan
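
The reply above turns on running OpenVPN with only approved settings, which can be checked mechanically. This is an added example, not part of the thread and not OpenVPN's own code: a Python audit of a config file against an allow-list. The allow-list values and both sample configs are assumptions constructed for illustration; substitute the list your auditor accepts.

```python
# Allow-lists are illustrative assumptions, not taken from NIST SP 800-57.
ALLOWED_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC"}
ALLOWED_AUTH = {"SHA256", "SHA384", "SHA512"}
MIN_TLS = (1, 2)
CIPHER_KEYS = ("cipher", "data-ciphers", "ncp-ciphers")

# Constructed sample configs.
WEAK = """# constructed sample
cipher BF-CBC
data-ciphers AES-256-GCM:BF-CBC
auth SHA1
tls-version-min 1.0
"""
STRICT = "data-ciphers AES-256-GCM\nauth SHA256\ntls-version-min 1.2\n"

def parse_config(text):
    """Return {directive: [args]}; the last occurrence of a directive wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            key, *args = line.split()
            opts[key.lstrip("-")] = args
    return opts

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts, findings = parse_config(text), []
    for key in CIPHER_KEYS:
        # Cipher lists are colon-separated; a single cipher is a list of one.
        for name in ":".join(opts.get(key, [])).split(":"):
            if name and name.upper() not in ALLOWED_CIPHERS:
                findings.append(f"{key}: {name} not in allow-list")
    if not any(k in opts for k in CIPHER_KEYS):
        findings.append("cipher: not pinned, relies on version default")
    auth = (opts.get("auth") or [None])[0]
    if auth is None:
        findings.append("auth: not pinned, relies on version default")
    elif auth.upper() not in ALLOWED_AUTH:
        findings.append(f"auth: {auth} not in allow-list")
    tls = (opts.get("tls-version-min") or [None])[0]
    try:
        ok = tls is not None and tuple(int(p) for p in tls.split(".")) >= MIN_TLS
    except ValueError:
        ok = False
    if not ok:
        findings.append(f"tls-version-min: {tls or 'unset'} not at least 1.2")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "no findings")
```

A clean result only shows which settings the config pins; it does not remove other algorithms from the binary, which is the part the reply says would need a custom build.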

Re: OpenVPN Cryptography and NIST SP800-57

Posted: Fri Feb 26, 2021 6:57 pm
by Johnny86
Hello Johan,
Thank you very much indeed for your message - it is most helpful.
All my very best
Johnny