On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson <j...@netgate.com> wrote:
> > Is there any mechanism to insert ciphers into Pfsense that are not > currently supported? > > You have the source code. > > I, for one, am uninterested in non standards-compliant (and thus > interoperable) implementations. > I personally choose the ciphers that are "hardware" optimized, since my low-end home router (ALIX) gets me faster vpn performance when I do, and I transfer files to/from office all the time. So if the GUI recommends XYZ because it is hardware accelerated, I choose it. That said, a lot of the panic-driven-secure-your-web-sites-against-the-NSA instructions recommend enabling ciphers that use ephemeral session keys. The OpenSSL included in pfSense 2.1 supports many of these. Type this "/usr/local/bin/openssl ciphers" to see them all. The ones that end with "E" in the first component are the ones with the ephemeral key-. Now, how to convince the GUI to make use of these for IPsec or OpenVPN I do not know. I'm sure you can do it via direct config file tweakage, though. I think IPsec renegotiates keys every 60 minutes anyway, so they'd have to do a lot of key breaking to snoop your data, unless they could predict your keys or sneak a MitM attack on you. To list the "strong" ciphers only, use this: /usr/local/bin/openssl ciphers "TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL"
_______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list