This repository has been archived by the owner on Aug 24, 2018. It is now read-only.

Disable compression #1

Merged
merged 6 commits into from
Mar 21, 2016

Conversation

Harvester57

Hi everyone :)

For a hardened OpenVPN configuration, compression should be disabled (as stated by an OpenVPN current developer) : BetterCrypto/Applied-Crypto-Hardening#91 (comment)

For a hardened OpenVPN configuration, compression should be disabled : BetterCrypto/Applied-Crypto-Hardening#91 (comment)
Just in case we need to fallback or downgrade
@Harvester57 Harvester57 changed the title Disable compression Disable compression and enhance ciphers Mar 21, 2016
@Harvester57
Author

Sorry for the typo in the second commit title... ^^

OpenVPN doesn't really like the way it was written
@Harvester57
Author

For more information : https://bettercrypto.org/static/applied-crypto-hardening.pdf

@angristan
Owner

I'm okay with disabling comp-lzo, but the commit is not complete : you forgot the client conf (/~https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh#L427)

For the ciphers : I don't see why this is an improvement ^^ This is made to force the use of this unique cipher I put on each mode

@Harvester57
Author

Nailed it for client-side compression, thanks :)

Concerning the cipher list, it is only to prevent any potential downgrade or loss of connection in case of whatever could happen with only one cipher available :)

@angristan
Owner

Concerning the cipher list, it is only to prevent any potential downgrade or loss of connection in case of whatever could happen with only one cipher available :)

Are you sure about that ? The cipher is included in the client and in the server conf !
Or we can do that : AES-GCM/AES-CBC/CAMELLIA 256 bits for "slow" and AES-GCM/AES-CBC/CAMELLIA 128 bits for "fast"

Note you're using a deprecated cipher (OpenVPN < 2.3.3)

@angristan
Owner

i.e. :
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA for "fast" and

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA for "slow"

My bad !
@Harvester57
Author

After re-reading the hardening OpenVPN Wiki page, I think my reasoning was wrong : https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher

"It's wise to use as small of a list as possible for your --tls-cipher option. Exceptions could include if you wish to provide the client their choice of several acceptable options."

My bad.

Also, do you want me to work on adding tls-auth ? (https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth)

@Harvester57 Harvester57 changed the title Disable compression and enhance ciphers Disable compression Mar 21, 2016
angristan pushed a commit that referenced this pull request Mar 21, 2016
@angristan angristan merged commit 651b7c2 into angristan:master Mar 21, 2016
@angristan
Owner

Okay, no problem !

Why not, but I don't really understand what it adds :/
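
An added audit helper, not part of the OpenVPN-install project, written in the POSIX shell the installer itself uses: it checks a server or client config for the three points this thread settles on (no comp-lzo, a tls-cipher list kept as short as possible, and a tls-auth line). The two sample configs and the SAMPLE_DIR/WEAK_CONF/HARD_CONF names are constructed for the example; the tls-cipher list is the 256-bit one quoted above.

```shell
#!/bin/sh
# Added example (not project code): audit an OpenVPN config for the
# hardening points discussed in this PR. Prints one finding per line and
# returns non-zero when something still needs fixing.

audit_openvpn_conf() {
    conf="$1"
    rc=0
    # 1. Compression: the PR removes comp-lzo entirely, so flag any
    #    comp-lzo or compress directive (compress is the OpenVPN 2.4+ spelling).
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)([[:space:]]|$)' "$conf"; then
        echo "WARN compression directive present (comp-lzo/compress)"
        rc=1
    fi
    # 2. tls-cipher: should be present, and the list as small as possible.
    ciphers=$(awk '$1 == "tls-cipher" { print $2; exit }' "$conf")
    if [ -z "$ciphers" ]; then
        echo "WARN no tls-cipher line (the TLS library's default list is used)"
        rc=1
    else
        n=$(printf '%s\n' "$ciphers" | tr ':' '\n' | grep -c .)
        echo "INFO tls-cipher allows $n suite(s): $ciphers"
    fi
    # 3. tls-auth adds an HMAC to every control-channel packet, so packets
    #    without a valid key are dropped before the TLS handshake starts.
    #    tls-crypt (OpenVPN 2.4+) covers the same ground, so accept it too.
    if ! grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]' "$conf"; then
        echo "WARN no tls-auth/tls-crypt line"
        rc=1
    fi
    return $rc
}

# Constructed sample configs, written to a temp dir so the audit runs offline.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/weak.conf"
HARD_CONF="$SAMPLE_DIR/hard.conf"
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'comp-lzo' \
    'cipher AES-256-CBC' > "$WEAK_CONF"
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'cipher AES-256-CBC' \
    'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA' \
    'tls-auth ta.key 0' > "$HARD_CONF"

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    audit_openvpn_conf "$f" || echo "-> needs hardening"
done
```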

@Harvester57 Harvester57 deleted the patch-1 branch March 21, 2016 16:45