mirror of https://github.com/namibia/openvpn-install.git synced 2024-12-23 15:28:55 +00:00

Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request

jtbr 2016-04-29 20:00:09 +00:00
parent d87e87036f
commit 4baf845e36
2 changed files with 5 additions and 7 deletions

@ -12,7 +12,6 @@ This fork includes :
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1) - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
- Run server in unprivileged mode, reducing risks to the system - Run server in unprivileged mode, reducing risks to the system
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel. - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/) - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/) - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
- Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
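
Review bot: The "Perfect forward secrecy" bullet is dropped from the feature list in this hunk, yet both variants still configure ephemeral Diffie-Hellman suites after the change (`TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` and `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` in the script hunks of this commit), so the property is still provided. If the removal is only a side effect of reverting f376ce91, keep the bullet; if it is intentional, the commit message should say why.
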
@ -34,12 +33,12 @@ Features :
- 256 bits AES-GCM - 256 bits AES-GCM
- SHA-384 RSA certificate - SHA-384 RSA certificate
### Fast (lower encryption, supports openvpn connect [ios/android] clients) ### Fast (lower encryption)
Features : Features :
- 2048 bits RSA private key - 2048 bits RSA private key
- 2048 bits Diffie-Hellman key - 2048 bits Diffie-Hellman key
- 128 bits AES-CBC - 128 bits AES-GCM
- SHA-128 RSA certificate - SHA-256 RSA certificate
## Compatibility ## Compatibility
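
Review bot: The "Fast" heading loses "supports openvpn connect [ios/android] clients" with nothing put in its place, while the comment removed from the server.conf hunk states that iOS OpenVPN Connect doesn't support GCM or SHA256. With the variant now on `AES-128-GCM` and `SHA-256`, a reader can no longer tell from the README that those clients are excluded. Suggest stating the client requirement for the GCM suite explicitly, either in this heading or under "## Compatibility".
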

@ -309,8 +309,7 @@ auth SHA512
tls-version-min 1.2" > /etc/openvpn/server.conf tls-version-min 1.2" > /etc/openvpn/server.conf
if [[ "$VARIANT" = '1' ]]; then if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
# iOS OpenVPN connect doesn't support GCM or SHA256; use next best echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
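
Review bot: Variant 1 now pins the server to the single suite `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`, and the comment that recorded the reason for the previous choice ("iOS OpenVPN connect doesn't support GCM or SHA256; use next best") is deleted rather than updated. A client that cannot negotiate that one suite has no fallback and fails the TLS handshake. `tls-cipher` accepts a colon-separated list, so if those clients should keep working, list the GCM suite first followed by `TLS-DHE-RSA-WITH-AES-128-CBC-SHA`; if dropping them is the intent, replace the removed comment with one that says so.
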
@ -448,7 +447,7 @@ tls-version-min 1.2
tls-client" > /etc/openvpn/client-common.txt tls-client" > /etc/openvpn/client-common.txt
if [[ "$VARIANT" = '1' ]]; then if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
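
Review bot: The suite string written to `/etc/openvpn/client-common.txt` here has to stay identical to the one written to `/etc/openvpn/server.conf` in the previous hunk, but each variant's string is a separate literal in both places, which is exactly what this commit had to edit twice. Suggest setting the suite once per `$VARIANT` in a shell variable and echoing that variable into both files, so a future cipher change cannot leave server and client templates out of step.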