From 27594eeae6f40a402bc3110f06d57975168e74e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 4 Jun 2015 19:20:15 +0200 Subject: ics-openvpn as a submodule! beautiful ics-openvpn is now officially on GitHub, and they track openssl and openvpn as submodules, so it's easier to update everything. Just a git submodule update --recursive. I've also set up soft links to native modules from ics-openvpn in app, so that we don't copy files in Gradle (which was causing problems with the submodules .git* files, not being copied). That makes the repo cleaner. --- app/openvpn/README.ec | 35 ----------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 app/openvpn/README.ec (limited to 'app/openvpn/README.ec') diff --git a/app/openvpn/README.ec b/app/openvpn/README.ec deleted file mode 100644 index 32938017..00000000 --- a/app/openvpn/README.ec +++ /dev/null @@ -1,35 +0,0 @@ -Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic -curves are an alternative to RSA for asymmetric encryption. - -Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only -in OpenVPN; the data channel (encrypting the actual network traffic) uses -symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key -exchange (ECDH). - -Key exchange (ECDH) -------------------- -OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is -used for authentication, the curve used for the server certificate will be used -for ECDH too. When autodetection fails (e.g. when using RSA certificates) -OpenVPN lets the crypto library decide if possible, or falls back to the -secp384r1 curve. - -An administrator can force an OpenVPN/OpenSSL server to use a specific curve -using the --ecdh-curve option with one of the curves listed as -available by the --show-curves option. Clients will use the same curve as -selected by the server. - -Note that not all curves listed by --show-curves are available for use with TLS; -in that case connecting will fail with a 'no shared cipher' TLS error. - -Authentication (ECDSA) ----------------------- -Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which -specific curves and cipher suites are available depends on your version and -configuration of the crypto library. The crypto library will automatically -select a cipher suite for the TLS control channel. - -Support for generating an ECDSA certificate chain is available in EasyRSA (in -spite of it's name) since EasyRSA 3.0. The parameters you're looking for are -'--use-algo=ec' and '--curve='. See the EasyRSA documentation for -more details on generating ECDSA certificates. -- cgit v1.2.3