From 4ec6e24e8153b76ec44ded55644efe41ce30f495 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 11:11:08 +0200
Subject: [PATCH] More precision concerning the use of "auth"

From the OpenVPN wiki:

>Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

>If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

Tl;DR: if we're using an AEAD cipher (AES GCM), `auth alg` won't have impact on the impact channel, but only on the control channel if tls-auth/tls-crypt is enabled.
---
 openvpn-install.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 924685d..0d92834 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -424,7 +424,13 @@ else
 		;;
 	esac
 fi
-	echo "Choose which HMAC authentication algorithm you want to use"
+	if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then
+		echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
+	fi
+	if [[ $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; then
+		echo "Choose which message digest algorithm you want to use for the data channel packets"
+		echo "and the tls-auth/tls-crypt control channel packets:"
+	fi
 	echo "   1) SHA-256"
 	echo "   2) SHA-384 (recommended)"
 	echo "   3) SHA-512"
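Review bot: the two guards added in this hunk are complementary only for `$CIPHER` values 1 through 6; any other value (a menu entry added later, or an empty variable if the cipher prompt was skipped) passes both tests and prints both prompts back to back, giving the user two contradictory instructions. Since the digest list that follows (`1) SHA-256` ...) is shared, only the prompt string needs to be chosen: key the branch on one set and use an `if ... else ... fi`, e.g. `if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then` the control-channel-only prompt `else` the data-plus-control prompt `fi`, or fold the prompt into the `case` on `$CIPHER` that closes just above the change so an unknown value is rejected in one place. A short comment stating that for the GCM choices `auth` still selects the digest for tls-auth/tls-crypt (the point of the commit message) would also save the next reader a trip to the wiki.

The rule the commit message quotes (AEAD ciphers ignore `auth` on the data channel but keep it for the tls-auth/tls-crypt control channel) can be written down as a small decision function, which also shows the if/else shape that avoids printing both prompts. This is an added example, not code from openvpn-install.sh or from OpenVPN; the cipher and control-channel names are OpenVPN's own, the function names and the GCM/CBC suffix matching are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of openvpn-install.sh). Encodes the OpenVPN wiki
# rule: AEAD ciphers authenticate data packets themselves, so "auth" only
# matters for the control channel, and only when tls-auth/tls-crypt is on.

# is_aead_cipher NAME: succeed when NAME is an AEAD mode. OpenVPN's AEAD
# ciphers are its GCM modes; matching on the suffix is this example's assumption.
is_aead_cipher() {
    case "$1" in
        *-GCM|*-gcm) return 0 ;;
        *) return 1 ;;
    esac
}

# auth_scope CIPHER CONTROL: print what the "auth" digest still protects.
#   CONTROL is "tls-auth", "tls-crypt" or "none".
#   Output is one of: data+control, data, control, nothing.
auth_scope() {
    _cipher=$1
    _control=$2
    case "$_control" in
        tls-auth|tls-crypt) _has_control=1 ;;
        none) _has_control=0 ;;
        *) echo "auth_scope: unknown control channel mode '$_control'" >&2; return 1 ;;
    esac
    if is_aead_cipher "$_cipher"; then
        # AEAD: the cipher's own tag covers data packets; auth is left with
        # the control channel (if any).
        if [ "$_has_control" -eq 1 ]; then echo control; else echo nothing; fi
    else
        # Non-AEAD (e.g. CBC): auth is the HMAC on every data packet, plus the
        # control channel when tls-auth/tls-crypt is enabled.
        if [ "$_has_control" -eq 1 ]; then echo data+control; else echo data; fi
    fi
}

# auth_prompt CIPHER: the prompt an installer should show before asking for a
# digest. One if/else, so exactly one prompt is printed; a cipher that is
# neither GCM nor CBC is rejected instead of falling through both guards.
auth_prompt() {
    if is_aead_cipher "$1"; then
        echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
    else
        case "$1" in
            *-CBC|*-cbc) ;;
            *) echo "auth_prompt: unsupported cipher '$1'" >&2; return 1 ;;
        esac
        echo "Choose which message digest algorithm you want to use for the data channel packets"
        echo "and the tls-auth/tls-crypt control channel packets:"
    fi
}
```

Usage: `auth_scope AES-256-GCM tls-crypt` prints `control`, `auth_scope AES-256-CBC none` prints `data`; `auth_prompt` with an unrecognised cipher name exits non-zero, which is the behaviour the two independent guards in the patch lack.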