summaryrefslogtreecommitdiff
path: root/main/openvpn/README.ec
diff options
context:
space:
mode:
Diffstat (limited to 'main/openvpn/README.ec')
m---------main/openvpn0
-rw-r--r--main/openvpn/README.ec35
2 files changed, 0 insertions, 35 deletions
diff --git a/main/openvpn b/main/openvpn
new file mode 160000
+Subproject 7aaf01766f9718375986600216607aeb6397200
diff --git a/main/openvpn/README.ec b/main/openvpn/README.ec
deleted file mode 100644
index 32938017..00000000
--- a/main/openvpn/README.ec
+++ /dev/null
@@ -1,35 +0,0 @@
-Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic
-curves are an alternative to RSA for asymmetric encryption.
-
-Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only
-in OpenVPN; the data channel (encrypting the actual network traffic) uses
-symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key
-exchange (ECDH).
-
-Key exchange (ECDH)
--------------------
-OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is
-used for authentication, the curve used for the server certificate will be used
-for ECDH too. When autodetection fails (e.g. when using RSA certificates)
-OpenVPN lets the crypto library decide if possible, or falls back to the
-secp384r1 curve.
-
-An administrator can force an OpenVPN/OpenSSL server to use a specific curve
-using the --ecdh-curve <curvename> option with one of the curves listed as
-available by the --show-curves option. Clients will use the same curve as
-selected by the server.
-
-Note that not all curves listed by --show-curves are available for use with TLS;
-in that case connecting will fail with a 'no shared cipher' TLS error.
-
-Authentication (ECDSA)
-----------------------
-Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which
-specific curves and cipher suites are available depends on your version and
-configuration of the crypto library. The crypto library will automatically
-select a cipher suite for the TLS control channel.
-
-Support for generating an ECDSA certificate chain is available in EasyRSA (in
-spite of it's name) since EasyRSA 3.0. The parameters you're looking for are
-'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for
-more details on generating ECDSA certificates.