Hi,

On 31 July 2017 at 11:00, Yevgeny Kosarzhevsky <phao...@gmail.com> wrote:
> On 31 July 2017 at 15:49, Gert Doering <g...@greenie.muc.de> wrote:
>>
>> Using crypto with --no-iv is only marginally better than using "--cipher
>> none"
>> - so, if you want no encryption, make it explicit with "cipher none",
>> instead of pretending to have strong crypto which it isn't.
>>
>> Why are you using --no-iv?
>
> I use it to reduce packet size on tunnels with --secret option together with
> --auth none.
> I am aware of the fact that this is a less secure option, however I believe it
> still provides encryption and is safe enough unless the key is revealed to
> 3rd party.
> Please correct me if I am mistaken.

You are mistaken. CBC requires an unpredictable IV, so --no-iv breaks the CBC security. Using --auth none is plainly insecure against any man-in-the-middle attacker. Don't use either of those if you want a secure connection.

If you want to understand why, I can recommend https://www.coursera.org/learn/crypto.

-Steffan