On 06.12.20 at 17:09, Antonio Quartulli wrote:
> Hi all,
> 
> Some people have expressed interest in ovpn-dco supporting AES-CBC.
> 
> However, since ovpn-dco is currently using the AEAD kernel crypto API
> only, introducing support for CBC mode would require quite some
> refactoring and we do not really want to do that (the community believes
> that as of now AEAD ciphers should always be preferred moving forward).
> 
> In a previous discussion on this mailing list, it was highlighted that
> AES-CCM is nothing other than AES-CBC in disguise as an AEAD cipher.
> 
> (for the curious: it is AES "Counter with CBC-MAC", known as CCM and
> described in RFC3610).
> 
> For this reason I decided to give AES-CCM a try and I implemented it in
> the "aes-ccm" branch of the ovpn-dco repo.
> 
> I am not sure if we're going to merge it to master yet, but for now it
> would be interesting to gather feedback from those interested in this
> cipher.
> 
> Please note that OpenVPN3 does not yet support this cipher, therefore
> the only way to test AES-CCM in ovpn-dco is to use the ovpn-cli tool
> provided in the tests/ folder.
> 
> 
> To do so, just specify "aes-ccm" as algorithm when setting a new key.
> 

And here is a variant for OpenVPN 2.x that works with both mbed TLS and
OpenSSL:

https://github.com/schwabe/openvpn/tree/schwabe/aes-ccm

While it is not as fast as the ovpn-dco variant, it might be easier to
use than the dco variant as you only need to add data-ciphers
AES-128-CCM on both sides to test.

Arne


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
