Merge branch 'master' of https://git.bettercrypto.org/ach-master

[ach-master.git] / src / practical_settings / vpn.tex

diff --git a/src/practical_settings/vpn.tex b/src/practical_settings/vpn.tex
index 77cf103..b449c94 100644 (file)
--- a/src/practical_settings/vpn.tex
+++ b/src/practical_settings/vpn.tex
@@ -253,16 +253,10 @@ and \verb|auth| options both take a single argument that must match on
 client and server.
 
 \paragraph{Server Configuration}\mbox{}\\
-% this is only a DoS-protection, out of scope:
-% # TLS Authentication
-% tls-auth ta.key
-\todo{FIXME: we should use the CIPHERSTRINGB  macro here}
-% previous:
-% tls-cipher
-% ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA
+
 % the cipherlist here is config B without the ECDHE strings, because
 % it must fit in 256 bytes...
-\begin{lstlisting}
+% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
 tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 cipher AES-256-CBC
 auth SHA384
@@ -272,8 +266,11 @@ auth SHA384
 Client and server have to use compatible configurations, otherwise they can't communicate.
 The \verb|cipher| and \verb|auth| directives have to be identical.
 
+% the cipherlist here is config B without the ECDHE strings, because
+% it must fit in 256 bytes...
+% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
 \begin{lstlisting}
-tls-cipher %*CIPHERSTRINGB*)
+tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 cipher AES-256-CBC
 auth SHA384