Revert "use cipherstring b in openvpn", because it breaks it, and put
[ach-master.git] / src / practical_settings / vpn.tex
index eeeb154..503b607 100644 (file)
@@ -269,15 +269,9 @@ client and server.
 
 \paragraph{Server Configuration}\mbox{}
 
-% this is only a DoS-protection, out of scope:
-% # TLS Authentication
-% tls-auth ta.key
-\todo{FIXME: we should use the CIPHERSTRINGB  macro here}
-% previous:
-% tls-cipher
-% ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA
 % the cipherlist here is config B without the ECDHE strings, because
 % it must fit in 256 bytes...
+% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
 \begin{lstlisting}[breaklines]
 tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 cipher AES-256-CBC
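Review bot: The reverted `tls-cipher` line is now hard-coded verbatim in two places (here and again in the client block of the second hunk) with the same three-line comment copied above each, so the two lists can silently drift apart even though the text below says client and server must stay compatible. Since the file already uses a build-time placeholder (`@@@CIPHERSTRINGB@@@`), a dedicated placeholder for this OpenVPN-specific list, substituted at the same stage, would keep both listings identical without reintroducing the macro that broke the 256-byte limit. The new comment should also carry its reason rather than just a warning, e.g. `% DO NOT CHANGE TO THE CIPHERSTRING MACRO: the expanded string exceeds the 256-byte limit of this option (see above)`. It may also be worth a short note that the tail of the list (the suites without a `DHE-` prefix) appears to fall back to non-forward-secret key exchange, if that is a deliberate compatibility choice. The lstlisting environment this hunk edits continues past the last hunk line.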
@@ -289,8 +283,11 @@ auth SHA384
 Client and server have to use compatible configurations, otherwise they can't communicate.
 The \verb|cipher| and \verb|auth| directives have to be identical.
 
+% the cipherlist here is config B without the ECDHE strings, because
+% it must fit in 256 bytes...
+% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
 \begin{lstlisting}[breaklines]
-tls-cipher @@@CIPHERSTRINGB@@@
+tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 cipher AES-256-CBC
 auth SHA384