author | Parménides GV <parmegv@sdf.org> | 2014-08-18 18:22:54 +0200 |
---|---|---|
committer | Parménides GV <parmegv@sdf.org> | 2014-08-18 18:22:54 +0200 |
commit | 31f6eab32a26a658cbfb2db0d457cc1f87d23f0f (patch) | |
tree | 75f372ff22a94102ef2f9bd163febf54ac45e9d6 /ics-openvpn-stripped/main/openvpn/README.ec | |
parent | 6057466bc8b4475bf4564b9143c60753c90f9aaa (diff) | |
parent | 7d8cde4f7ae769a3b6a25483d8bd0bb6c1551af9 (diff) |
Merge branch 'develop'
Diffstat (limited to 'ics-openvpn-stripped/main/openvpn/README.ec')
-rw-r--r-- | ics-openvpn-stripped/main/openvpn/README.ec | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/ics-openvpn-stripped/main/openvpn/README.ec b/ics-openvpn-stripped/main/openvpn/README.ec new file mode 100644 index 00000000..32938017 --- /dev/null +++ b/ics-openvpn-stripped/main/openvpn/README.ec 
@@ -0,0 +1,35 @@ +Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic +curves are an alternative to RSA for asymmetric encryption. + +Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only +in OpenVPN; the data channel (encrypting the actual network traffic) uses +symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key +exchange (ECDH). + +Key exchange (ECDH) +------------------- +OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is +used for authentication, the curve used for the server certificate will be used +for ECDH too. When autodetection fails (e.g. when using RSA certificates) +OpenVPN lets the crypto library decide if possible, or falls back to the +secp384r1 curve. + +An administrator can force an OpenVPN/OpenSSL server to use a specific curve +using the --ecdh-curve <curvename> option with one of the curves listed as +available by the --show-curves option. Clients will use the same curve as +selected by the server. + +Note that not all curves listed by --show-curves are available for use with TLS; +in that case connecting will fail with a 'no shared cipher' TLS error. + +Authentication (ECDSA) +---------------------- +Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which +specific curves and cipher suites are available depends on your version and +configuration of the crypto library. The crypto library will automatically +select a cipher suite for the TLS control channel. + +Support for generating an ECDSA certificate chain is available in EasyRSA (in +spite of it's name) since EasyRSA 3.0. The parameters you're looking for are +'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for +more details on generating ECDSA certificates. |
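Review bot: The note at the end of the "Key exchange (ECDH)" section says some curves listed by --show-curves are not usable with TLS and fail with a 'no shared cipher' error, but it gives administrators no way to tell which curves those are before setting --ecdh-curve. Consider adding a sentence on how to verify a curve, or advising that the automatic selection (with its secp384r1 fallback) be left in place unless a specific curve has been tested against the clients in use. Two wording points: in the opening paragraph, "an alternative to RSA for asymmetric encryption" does not match the following paragraph, which describes ECC as used for authentication (ECDSA) and key exchange (ECDH), so "asymmetric cryptography" would be more accurate; and in the last paragraph, "in spite of it's name" should read "in spite of its name".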