summaryrefslogtreecommitdiff
path: root/app/openvpn/README.ec
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2014-06-11 11:56:59 +0200
committerParménides GV <parmegv@sdf.org>2014-06-11 19:50:54 +0200
commit3e121542d8b7ab5201c47bbd3ba5611a23c54759 (patch)
treea6035639e7baa88dd122d0d4e85791726606389a /app/openvpn/README.ec
parentac69881af1b7bfcdd185989f3e434556b1d62fed (diff)
Correctly connects to millipede.
Location keyword on android.cfg isn't supported, EIP corresponding code has been commented out. I think we should support it in ics-openvpn, so that we can show the location instead of the server name. I've updated all opensssl, openvpn, etc. subprojects from rev 813 of ics-openvpn, and jni too.
Diffstat (limited to 'app/openvpn/README.ec')
-rw-r--r--app/openvpn/README.ec35
1 files changed, 35 insertions, 0 deletions
diff --git a/app/openvpn/README.ec b/app/openvpn/README.ec
new file mode 100644
index 00000000..32938017
--- /dev/null
+++ b/app/openvpn/README.ec
@@ -0,0 +1,35 @@
+Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic
+curves are an alternative to RSA for asymmetric encryption.
+
+Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only
+in OpenVPN; the data channel (encrypting the actual network traffic) uses
+symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key
+exchange (ECDH).
+
+Key exchange (ECDH)
+-------------------
+OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is
+used for authentication, the curve used for the server certificate will be used
+for ECDH too. When autodetection fails (e.g. when using RSA certificates)
+OpenVPN lets the crypto library decide if possible, or falls back to the
+secp384r1 curve.
+
+An administrator can force an OpenVPN/OpenSSL server to use a specific curve
+using the --ecdh-curve <curvename> option with one of the curves listed as
+available by the --show-curves option. Clients will use the same curve as
+selected by the server.
+
+Note that not all curves listed by --show-curves are available for use with TLS;
+in that case connecting will fail with a 'no shared cipher' TLS error.
+
+Authentication (ECDSA)
+----------------------
+Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which
+specific curves and cipher suites are available depends on your version and
+configuration of the crypto library. The crypto library will automatically
+select a cipher suite for the TLS control channel.
+
+Support for generating an ECDSA certificate chain is available in EasyRSA (in
+spite of it's name) since EasyRSA 3.0. The parameters you're looking for are
+'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for
+more details on generating ECDSA certificates.