From 439a26585288409c143158e21ec020c290ca2fe2 Mon Sep 17 00:00:00 2001
From: Jan Philipp Timme
Date: Mon, 8 Oct 2018 14:04:20 +0200
Subject: [PATCH] Revert to non-ECDHE-cipher due to openvpn issue #963

---
 openvpn-config/client.conf | 5 +----
 openvpn-config/server.conf | 7 ++-----
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/openvpn-config/client.conf b/openvpn-config/client.conf
index 0828569..4b9744f 100644
--- a/openvpn-config/client.conf
+++ b/openvpn-config/client.conf
@@ -44,13 +44,10 @@ cipher AES-256-GCM
 auth SHA256
 
 # Use this specific cipher to secure the control channel
-tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
 
 # Only allow TLS version 1.2 and higher
 tls-version-min "1.2"
-
-# Use this elliptic curve for ECDHE within chosen tls-cipher
-ecdh-curve brainpoolP512r1
 ### END BLOCK CRYPTOGRAPHY
 
 # Reduce connection timeout so connection problems are visible sooner
diff --git a/openvpn-config/server.conf b/openvpn-config/server.conf
index 224ec06..9430dba 100644
--- a/openvpn-config/server.conf
+++ b/openvpn-config/server.conf
@@ -20,7 +20,7 @@ tls-server
 
 # Diffie-Hellman parameter file
 # (not needed for TLS cipher with ECDHE instead of DHE)
-dh none
+dh inform/dh.pem
 
 # Certificate revocation list location
 # Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
@@ -99,13 +99,10 @@ cipher AES-256-GCM
 auth SHA256
 
 # Use this specific cipher to secure the control channel
-tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
 
 # Only allow TLS version 1.2 and higher
 tls-version-min "1.2"
-
-# Use this elliptic curve for ECDHE within chosen tls-cipher
-ecdh-curve brainpoolP512r1
 ### END BLOCK CRYPTOGRAPHY
 
 # Disable cipher negotiation on server side
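Review bot: The new `tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384` keeps forward secrecy, but the strength of the control-channel key exchange now rests entirely on the finite-field group in the server's `dh` file rather than on a named curve, and nothing in client.conf says so; the comment above it should state that, e.g. `# DHE suite: key-exchange strength is set by the server's dh parameter file (use a large modulus, e.g. >= 2048 bit)`. Because both sides pin exactly one suite, a client that has not received this change will fail the TLS handshake against an updated server (and vice versa), so the rollout must be coordinated; a one-line comment noting that the client and server lists must stay identical would save an outage. The same cipher change appears in the second server.conf hunk and needs the same comment there.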
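Review bot: The surviving comment `# (not needed for TLS cipher with ECDHE instead of DHE)` directly above the new `dh inform/dh.pem` now contradicts the configuration, since the chosen suite is DHE and the file is required; update it to `# Required: the configured tls-cipher uses DHE, so these parameters define the key-exchange group` and, if possible, note the modulus size the file was generated with. The path `inform/dh.pem` is relative, so it presumably resolves against OpenVPN's working directory or a `cd` directive elsewhere in the file; if that is not guaranteed, an absolute path would make start-up failures less surprising.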