Re: [Openvpn-devel] [Patch] ECDH support

2014-02-22 Thread pietrek --

On 02/22/14 22:33, michael-...@fami-braun.de wrote:

Hi,

thanks for writing the patch.

I'd like to propose to add a comment to the readme regarding the use of
ECDH instead of DH without using an EC certificate, because that
currently is not mentioned in it.

Thanks,
  M. Braun

On 19.02.2014 14:21, pietrek -- wrote:

On 02/18/14 12:50, Gert Doering wrote:

Hi,

On Tue, Feb 18, 2014 at 12:15:16PM +0100, pietrek -- wrote:

Which parts of the key handshake does it cover?
Signature/Certificates,
or *only* DH?

Handshake only, EC certificates worked for me without doing anything.
Also, DH didn't work with EC certificates (no such cipher).

I see.

Seems what we need as well is a README file that explains about EC
crypto,
as in

   - how do I generate and use an EC certificate?
   - how do I use an EC curve for DH?
   - how do I use EC for session keying?

because otherwise our users will be even more confused than I am.

gert


Hi,
I added README.ec to my patch
Piotr Jarosz






___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Hi,
I added such a comment to the readme.
Piotr Jarosz

diff --git a/README.ec b/README.ec
index e69de29..1ad16be 100644
--- a/README.ec
+++ b/README.ec
@@ -0,0 +1,24 @@
+Now OpenVPN supports eliptic curves cryptography.
+It's advetages:
+ -very fast key generation
+ -smaller keys than using RSA
+ -wide range of curves you can use
+
+To support EC crypto OpenVPN uses openssl.
+You can get list of available curves typing:
+openssl ecparam -list_curves
+
+EC key generation is very easy:
+openssl ecparam -out ec.key -name curve_name -genkey
+You can also extract public key:
+openssl ec -in ec.key -pubout -out ec.pubkey
+You can use such key as well as RSA one in certificates generation.
+
+EC certificates don't work with DH.
+You have to use ECDH.
+Add to your OpenVPN server option:
+--ecdh curve_name
+
+You can also use ECDH with other types of certs.
+It's convenient because you don't have to generate any Diffie-Hellman file.
+
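Review bot: the user-facing text in this hunk has spelling and grammar slips that should be fixed before merge: "eliptic curves cryptography" should read "elliptic curve cryptography", and "It's advetages" should read "Its advantages". It would also help readers if the README said explicitly that `curve_name` in `--ecdh curve_name` is one of the names printed by `openssl ecparam -list_curves`, and that `--ecdh` is a server-side replacement for `--dh`, since the last paragraph only implies this; that is exactly the point M. Braun asked to have documented.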
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9e21d5a..c8581e3 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -578,6 +578,7 @@ static const char usage_message[] =
   "--dh file   : File containing Diffie Hellman parameters\n"
   "  in .pem format (for --tls-server only).\n"
   "  Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
+  "--ecdh curve: Eliptic curve ECDH parameters\n"
   "--cert file : Local certificate in .pem format -- must be signed\n"
   "  by a Certificate Authority in --ca file.\n"
   "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
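Review bot: "Eliptic" in the new usage line should be "Elliptic", and the entry should say, as the `--dh` entry directly above it does with "(for --tls-server only)", that the option is server-side and an alternative to `--dh`, for example `"--ecdh curve: Elliptic curve name for ECDH key exchange\n"` followed by `"  (for --tls-server only, alternative to --dh).\n"`.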
@@ -1607,6 +1608,7 @@ show_settings (const struct options *o)
   SHOW_STR (ca_file);
   SHOW_STR (ca_path);
   SHOW_STR (dh_file);
+  SHOW_STR (ecdh_curve);
   SHOW_STR (cert_file);

 #ifdef MANAGMENT_EXTERNAL_KEY
@@ -2176,7 +2178,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne

   if (options->tls_server)
 {
-  notnull (options->dh_file, "DH file (--dh)");
+  if ( !options->dh_file && !options->ecdh_curve  )
+ msg(M_USAGE, "You must specify DH file (--dh) or ECDH curve name( --ecdh )");
 }
   if (options->tls_server || options->tls_client)
 {
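Review bot: the formatting of the new check does not match the surrounding code: the extra spaces inside the parentheses in `if ( !options->dh_file && !options->ecdh_curve  )` and the one-space indent of the `msg(...)` line should follow the file's existing style, and the message would read better as "You must specify a DH file (--dh) or an ECDH curve name (--ecdh)". The condition itself is sound: a TLS server now needs one of the two, and either one satisfies the requirement that `notnull` previously enforced for `--dh` alone.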
@@ -2308,6 +2311,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
   MUST_BE_UNDEF (ca_file);
   MUST_BE_UNDEF (ca_path);
   MUST_BE_UNDEF (dh_file);
+  MUST_BE_UNDEF (ecdh_curve);
   MUST_BE_UNDEF (cert_file);
   MUST_BE_UNDEF (priv_key_file);
 #ifndef ENABLE_CRYPTO_POLARSSL
@@ -2702,7 +2706,8 @@ options_postprocess_filechecks (struct options *options)

   /* ** SSL/TLS/crypto related files ** */
 #ifdef ENABLE_SSL
-  errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
+  if ( options->dh_file )
+  errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
   errs |= ch
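Review bot: in the guarded `check_file_access` call the body line is indented to the same level as the `if`, so it is easy to misread as unconditional; indent it one level or wrap it in braces per the file's style. The guard itself is needed now that `--dh` is optional for servers, since without it a NULL `dh_file` would be passed to `check_file_access`.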

Re: [Openvpn-devel] ECDH support

2014-02-22 Thread michael-dev
Hi,

thanks for writing the patch.

I'd like to propose to add a comment to the readme regarding the use of
ECDH instead of DH without using an EC certificate, because that
currently is not mentioned in it.

Thanks,
 M. Braun

On 19.02.2014 14:21, pietrek -- wrote:
> On 02/18/14 12:50, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Feb 18, 2014 at 12:15:16PM +0100, pietrek -- wrote:
>>>> Which parts of the key handshake does it cover?
>>>> Signature/Certificates,
>>>> or *only* DH?
>>> Handshake only, EC certificates worked for me without doing anything.
>>> Also, DH didn't work with EC certificates (no such cipher).
>> I see.
>>
>> Seems what we need as well is a README file that explains about EC
>> crypto,
>> as in
>>
>>   - how do I generate and use an EC certificate?
>>   - how do I use an EC curve for DH?
>>   - how do I use EC for session keying?
>>
>> because otherwise our users will be even more confused than I am.
>>
>> gert
>>
> Hi,
> I added README.ec to my patch
>Piotr Jarosz