
Make ecdh-curve optional

Open jkroepke opened this issue 3 years ago • 1 comment

Pull Request (PR) description

Make ecdh-curve optional, if no dh key is defined.

In OpenVPN 2.5 (I initially tested the EC keys with OpenVPN 2.4), defining ecdh-curve will throw a warning:

Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.

This Pull Request (PR) fixes the following issues

jkroepke avatar May 07 '22 09:05 jkroepke

@bastelfreak BC change could be discussable, it would not break an existing OVPN setup.

jkroepke avatar May 07 '22 10:05 jkroepke

Can I help to move this forward?

jkroepke avatar Aug 23 '22 22:08 jkroepke

This will purge ecdh-curve from the config. Doesn't that affect existing configurations? Or is secp384r1 the default value?

bastelfreak avatar Aug 24 '22 06:08 bastelfreak

If ecdh-curve is purged from the config, the defaults will be inherited from the tls-groups option. The default is X25519:secp256r1:X448:secp521r1:secp384r1

If you do not force the ecdh curve by using --ecdh-curve, the groups for ecdh will also be picked from this list.

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

jkroepke avatar Aug 24 '22 09:08 jkroepke
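To make the effect of the change concrete, here is an added example (not part of this PR or of the puppet-openvpn module) that parses an OpenVPN server config and reports whether `ecdh-curve` forces a single curve or whether the ECDH group is taken from `tls-groups`, which is the behaviour described in the comment above. The default group list is the one quoted in the thread for OpenVPN 2.5; the sample configs are constructed for the example.

```python
"""Inspect an OpenVPN server config for how the ECDH group is chosen."""

# Default tls-groups list as quoted in the PR thread for OpenVPN 2.5 (taken
# from the page; confirm against openvpn(8) for the version you actually run).
DEFAULT_TLS_GROUPS = "X25519:secp256r1:X448:secp521r1:secp384r1"


def parse_openvpn_config(text):
    """Return a list of (option, args) pairs, skipping comments, blank lines
    and the bodies of inline <ca>...</ca> style blocks (they hold PEM data,
    not options)."""
    options = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        options.append((parts[0].lstrip("-"), parts[1:]))
    return options


def ecdh_report(text):
    """Report the curve(s) ECDH can use and flag a forced ecdh-curve."""
    opts = {}
    for name, args in parse_openvpn_config(text):
        opts[name] = args  # later occurrences override earlier ones
    dh = opts["dh"][0] if opts.get("dh") else None
    forced = opts["ecdh-curve"][0] if opts.get("ecdh-curve") else None
    tls_groups = opts["tls-groups"][0] if opts.get("tls-groups") else None
    findings = []
    if forced:
        # A forced curve wins; OpenVPN 2.5 warns and recommends tls-groups instead.
        groups = [forced]
        findings.append("ecdh-curve forces %s; prefer tls-groups on OpenVPN 2.5" % forced)
    else:
        groups = (tls_groups or DEFAULT_TLS_GROUPS).split(":")
        if tls_groups is None:
            findings.append("no ecdh-curve/tls-groups: built-in default group list applies")
    if dh == "none":
        findings.append("dh none: finite-field DH disabled, ECDH group picked from the list")
    return {
        "dh": dh,
        "ecdh_curve": forced,
        "tls_groups": tls_groups,
        "ecdh_groups": groups,
        "findings": findings,
    }


# Constructed sample: what the module emitted before this change.
LEGACY_CONFIG = """
port 1194
proto udp
dh none
ecdh-curve secp384r1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: ecdh-curve purged, as after this change.
NEW_CONFIG = """
port 1194
proto udp
dh none
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("new", NEW_CONFIG)):
        print(label, ecdh_report(cfg))
```

Running it on the two samples shows the point raised in the thread: the legacy config pins ECDH to secp384r1, while the new config falls back to the five-entry tls-groups default, which still contains secp384r1, so existing peers keep a usable group.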