author    Arne Schwabe <arne@rfc2549.org>  2014-06-03 23:23:30 +0200
committer Arne Schwabe <arne@rfc2549.org>  2014-06-03 23:23:30 +0200
commit    91ec580beceb3d6c723d2ade85436374992526f7 (patch)
tree      345aff00a82a66a2d7690f6bc0aec6e17f0d4f88 /main/openvpn/README.ec
parent    fc4b150994a4b14ba745f259de870781918fe8b9 (diff)
Import new openvpn -master version
Diffstat (limited to 'main/openvpn/README.ec')
-rw-r--r--  main/openvpn/README.ec | 14
1 file changed, 6 insertions, 8 deletions
diff --git a/main/openvpn/README.ec b/main/openvpn/README.ec
index bea3ce19..32938017 100644
--- a/main/openvpn/README.ec
+++ b/main/openvpn/README.ec
@@ -6,20 +6,18 @@ in OpenVPN; the data channel (encrypting the actual network traffic) uses
symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key
exchange (ECDH).
-Note: ECC is available in OpenSSL builds of OpenVPN only. ECC for PolarSSL
-builds will follow soon.
-
Key exchange (ECDH)
-------------------
OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is
used for authentication, the curve used for the server certificate will be used
for ECDH too. When autodetection fails (e.g. when using RSA certificates)
-OpenVPN falls back to the secp384r1 curve.
+OpenVPN lets the crypto library decide if possible, or falls back to the
+secp384r1 curve.
-An administrator can force an OpenVPN server to use a specific curve using the
---ecdh-curve <curvename> option with one of the curves listed as available by
-the --show-curves option. Clients will use the same curve as selected by the
-server.
+An administrator can force an OpenVPN/OpenSSL server to use a specific curve
+using the --ecdh-curve <curvename> option with one of the curves listed as
+available by the --show-curves option. Clients will use the same curve as
+selected by the server.
Note that not all curves listed by --show-curves are available for use with TLS;
in that case connecting will fail with a 'no shared cipher' TLS error.
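Review bot: the replacement text "lets the crypto library decide if possible, or falls back to the secp384r1 curve" is too vague for an administrator to act on; it does not say which library or condition makes automatic selection possible, so a reader cannot tell from the README whether their server is negotiating a library-chosen curve or the secp384r1 fallback. Please spell out the conditions under which the library chooses (and how to confirm which curve is in use), since the removed "ECC is available in OpenSSL builds of OpenVPN only" note was the only place the library distinction was explained. Related: the hunk narrows "OpenVPN server" to "OpenVPN/OpenSSL server" for --ecdh-curve while deleting the OpenSSL-only note, which leaves PolarSSL builds undocumented; add a sentence stating whether --ecdh-curve and --show-curves apply to PolarSSL builds, and what curve selection those builds perform, so the 'no shared cipher' failure mode in the trailing context can be diagnosed for both build types.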