\subsubsection{OpenVPN}
+
+\begin{description}
+
+\item[Tested with Version:] OpenVPN 2.3.2 from Debian backports linked against openssl (libssl.so.1.0.0)
+
\todo{cm: please write this subsubsection}
\todo{We suppose user uses easy-rsa which is roughly used in all HOWTO\footnote{\url{http://openvpn.net/index.php/open-source/documentation/howto.html}}}
+
+\item[Additional settings:] \mbox{}
+
\paragraph{Fine tuning at installation level}
When installing an OpenVPN server instance, you are probably using {\it easy-rsa} tools to generate the crypto stuff needed.
\todo{cm: explain how openvpn crypto works; make configA/B sections/tables}
+\item[Settings:] \mbox{}
+
% openvpn --show-ciphers
% --show-tls
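Review bot: The new `\item[Additional settings:] \mbox{}` is placed before `\item[Settings:] \mbox{}`, so the existing `\paragraph{Fine tuning at installation level}` and its easy-rsa text now sit inside the `description` list under the "Additional settings" label. Consider putting `\item[Settings:]` first and turning the `\paragraph` heading into plain item text, or moving it out of the list, because a sectioning command inside a list item tends to give odd spacing. The two `\todo` lines after `\item[Tested with Version:]` will also be typeset as part of that item; moving them above `\begin{description}` would keep the version line clean.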
SEED-CBC
\end{lstlisting}
+
\paragraph{Client Configuration}
Client and server have to use identical configuration otherwise they can't communicate.
\todo{what about tls-auth keys/ta.key? }.
\todo{what about auth sha512 ?}
+\item[Justification for special settings (if needed):]
+
+\item[References:] \url{http://openvpn.net/index.php/open-source/documentation/security-overview.html}
+
+\item[How to test:]
+\todo{write me please}
+
+
+\end{description}
+
+
\subsubsection{PPTP}
- PPTP is broken, Microsoft recommends to ``use a more secure VPN
+ PPTP is considered insecure, Microsoft recommends to ``use a more secure VPN
tunnel''\footnote{\url{http://technet.microsoft.com/en-us/security/advisory/2743314}}.
There is a cloud service that cracks the underlying MS-CHAPv2
authentication protocol for the price of USD~200\footnote{\url{https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/}},
- and given the resulting MD4 hash, all PPTP traffic for that user can
+ and given the resulting MD4 hash, all PPTP traffic for a user can
be decrypted.
\subsubsection{Cisco IPSec}
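Review bot: In the PPTP paragraph, changing "all PPTP traffic for that user" to "for a user" drops the link to the user whose MS-CHAPv2 exchange was cracked. The hash obtained is that user's, so the original wording was the more precise one and I would keep it. The replacement opening "PPTP is considered insecure, Microsoft recommends to ..." is a comma splice (a semicolon or "and" fixes it), and the softer "considered insecure" sits oddly next to the following sentence about a USD 200 cracking service. Earlier in the same hunk, `\item[Justification for special settings (if needed):]` is added with no body and `\item[How to test:]` contains only a `\todo`. Giving the empty item the same `\mbox{}` used for the "Settings" items would keep the list consistent until the text is written.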