diff options
author | Bernhard Schmidt <berni@debian.org> | 2020-09-01 16:53:32 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2020-09-01 16:53:32 +0200 |
commit | 886dccf631de661ea1b4c8017de98b88b93d7f1c (patch) | |
tree | 2f74f9b3f93a35591ffdb305e3e2876cbb9a0c1d /README.ec | |
parent | 9ce71e1c58a83737b045861173254911fda9a76a (diff) | |
parent | 57f0b7b331088e489e93ae89ee0aed98381d8806 (diff) |
Update upstream source from tag 'upstream/2.5_beta3'
Update to upstream version '2.5~beta3'
with Debian dir 08bf4b8b33e73a97458e7fd53ec989aa541745cd
Diffstat (limited to 'README.ec')
-rw-r--r-- | README.ec | 36 |
1 files changed, 0 insertions, 36 deletions
diff --git a/README.ec b/README.ec deleted file mode 100644 index 61f23b2..0000000 --- a/README.ec +++ /dev/null @@ -1,36 +0,0 @@ -Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic -curves are an alternative to RSA for asymmetric encryption. - -Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only -in OpenVPN; the data channel (encrypting the actual network traffic) uses -symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key -exchange (ECDH). - -Key exchange (ECDH) -------------------- -OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is -used for authentication, the curve used for the server certificate will be used -for ECDH too. When autodetection fails (e.g. when using RSA certificates) -OpenVPN lets the crypto library decide if possible, or falls back to the -secp384r1 curve. The list of groups/curves that the crypto library will choose -from can be set with the --tls-groups <grouplist> option. - -An administrator can force an OpenVPN/OpenSSL server to use a specific curve -using the --ecdh-curve <curvename> option with one of the curves listed as -available by the --show-groups option. Clients will use the same curve as -selected by the server. - -Note that not all curves listed by --show-groups are available for use with TLS; -in that case connecting will fail with a 'no shared cipher' TLS error. - -Authentication (ECDSA) ----------------------- -Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which -specific curves and cipher suites are available depends on your version and -configuration of the crypto library. The crypto library will automatically -select a cipher suite for the TLS control channel. - -Support for generating an ECDSA certificate chain is available in EasyRSA (in -spite of it's name) since EasyRSA 3.0. The parameters you're looking for are -'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for -more details on generating ECDSA certificates. |