Crypto features of OpenSSL and PolarSSL

As stated in the previous recipe, it has been possible to build OpenVPN using either the OpenSSL cryptographic library or the PolarSSL library since version 2.3. In this recipe, we will show what some of the key differences between the two cryptographic libraries are.

Getting ready

Set up the server certificate using the first recipe from Chapter 2Client-server IP-only Networks. Use the client certificate and the intermediary CA certificate from the previous recipe. For this recipe, the computer was running Fedora 22 Linux and OpenVPN 2.3.10, built both for OpenSSL and for PolarSSL.

How to do it...

  1. Start the regular version of OpenVPN with the --show-ciphers option:
            [root@server]# openvpn --show-ciphers
    
  2. OpenVPN will now list all available ciphers, which can easily exceed 50 ciphers for OpenSSL 1.0+. The most common ciphers are:
            BF-CBC 128 bit default key (variable) 
            BF-CFB 128 bit default key (variable) (TLS client/server...)  
            BF-OFB 128 bit default key (variable) (TLS client/server...)  
            AES-128-CBC 128 bit default key (fixed) 
            AES-128-OFB 128 bit default key (fixed) (TLS client...)  
            AES-128-CFB 128 bit default key (fixed) (TLS client...) 
            AES-256-CBC 256 bit default key (fixed) 
            AES-256-OFB 256 bit default key (fixed) (TLS client...) 
            AES-256-CFB 256 bit default key (fixed) (TLS client...) 
            AES-128-CFB1 128 bit default key (fixed) (TLS client...) 
            AES-192-CFB1 192 bit default key (fixed) (TLS client...) 
            AES-256-CFB1 256 bit default key (fixed) (TLS client...) 
            AES-128-CFB8 128 bit default key (fixed) (TLS client...) 
            AES-192-CFB8 192 bit default key (fixed) (TLS client...) 
            AES-256-CFB8 256 bit default key (fixed) (TLS client...) 
    
  3. Next, switch to the PolarSSL-built version of OpenVPN and re-run the same command:
            [root@server]# .../openvpn-2.3.10polarssl/openvpn --show-
            ciphers
    
  4. The list of ciphers now is:
            AES-128-CBC 128 bit default key 
            AES-192-CBC 192 bit default key 
            AES-256-CBC 256 bit default key 
            BF-CBC 128 bit default key 
            CAMELLIA-128-CBC 128 bit default key 
            CAMELLIA-192-CBC 192 bit default key 
            CAMELLIA-256-CBC 256 bit default key 
            DES-CBC 64 bit default key 
            DES-EDE-CBC 128 bit default key 
            DES-EDE3-CBC 192 bit default key 
    
  5. Start the regular version of OpenVPN with the --show-digests option:
            [root@server]# openvpn --show-digests
    
  6. OpenVPN will now list all available HMAC algorithms, which can be specified using the --auth option. This list can easily exceed 25 entries, therefore only the most commonly used are printed:
            MD5 128 bit digest size 
            SHA 160 bit digest size 
            RIPEMD160 160 bit digest size 
            ecdsa-with-SHA1 160 bit digest size 
            SHA224 224 bit digest size 
            SHA256 256 bit digest size 
            SHA384 384 bit digest size 
            SHA512 512 bit digest size 
    
  7. Next, switch to the PolarSSL-built version of OpenVPN and re-run the same command:
            [root@server]# .../openvpn-2.3.10polarssl/openvpn --show-
            digests
    
  8. The list of HMAC algorithms now is:
            SHA512 512 bit default key 
            SHA384 384 bit default key 
            SHA256 256 bit default key 
            SHA224 224 bit default key 
            SHA1 160 bit default key 
            RIPEMD160 160 bit default key 
            MD5 128 bit default key 
    

How it works...

When OpenVPN starts the cryptographics libraries are loaded and initialized. Only at that point are the available encryption algorithms and HMAC algorithms known. Both OpenSSL and PolarSSL provide a mechanism for retrieving the list of available algorithms, which OpenVPN uses for both the --show-ciphers and the --show-digests options.

This recipe shows that the PolarSSL/mbed-TLS library does not support all of the algorithms that OpenSSL does. When you need to support a PolarSSL-built version of OpenVPN (like the OpenVPN Connect clients for Android and iOS) then you can use only ciphers or digests (--auth parameter) which are supported by both crypto libraries.

There's more...

Apart from the data channel cipher and HMAC algorithms, there is one more set of available algorithms that can be listed. This is the set of TLS algorithms that can be used for encrypting and authenticating the control channel. In order to list the set of TLS parameters, use the following command:

openvpn --show-tls

AEAD Ciphers

Starting with OpenVPN 2.4, a new set of ciphers is supported. These ciphers are known as AEAD ciphers, which stands for Authenticated Encryption with Associated Data. These ciphers combine encryption with authentication, thereby removing the need for a separate HMAC algorithm and thus providing increased performance. Both OpenSSL 1.0+ and mbed-TLS 1.3+ support these ciphers. With OpenVPN 2.4+, the list of ciphers will include:

  • AES-128-GCM
  • AES-192-GCM
  • AES-256-GCM

Encryption speed

Another major difference between OpenSSL and PolarSSL is the encryption/decryption speed of the algorithms. OpenSSL included hand-tuned assembly routines for maximum encryption speed, especially for the AES algorithms on newer Intel CPUs. However, the encryption speed is not the most important factor when determining the throughput of an OpenVPN network, as we will see in Chapter 8Performance Tuning.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.216.245.99