As stated in the previous recipe, since version 2.3 OpenVPN can be built against either the OpenSSL cryptographic library or the PolarSSL library (since renamed mbed TLS). In this recipe, we will show some of the key differences between the two cryptographic libraries: which data channel ciphers and HMAC digests each one makes available to OpenVPN.
Set up the server certificate using the first recipe from Chapter 2, Client-server IP-only Networks. Use the client certificate and the intermediary CA certificate from the previous recipe. For this recipe, the computer was running Fedora 22 Linux and OpenVPN 2.3.10, built both for OpenSSL and for PolarSSL.
First, compare the list of data channel ciphers that each build supports, using the --show-ciphers option. The OpenSSL build prints the following:
[root@server]# openvpn --show-ciphers
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable) (TLS client/server...)
BF-OFB 128 bit default key (variable) (TLS client/server...)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed) (TLS client...)
AES-128-CFB 128 bit default key (fixed) (TLS client...)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed) (TLS client...)
AES-256-CFB 256 bit default key (fixed) (TLS client...)
AES-128-CFB1 128 bit default key (fixed) (TLS client...)
AES-192-CFB1 192 bit default key (fixed) (TLS client...)
AES-256-CFB1 256 bit default key (fixed) (TLS client...)
AES-128-CFB8 128 bit default key (fixed) (TLS client...)
AES-192-CFB8 192 bit default key (fixed) (TLS client...)
AES-256-CFB8 256 bit default key (fixed) (TLS client...)
The PolarSSL build prints a noticeably different list:
[root@server]# .../openvpn-2.3.10polarssl/openvpn --show-ciphers
AES-128-CBC 128 bit default key
AES-192-CBC 192 bit default key
AES-256-CBC 256 bit default key
BF-CBC 128 bit default key
CAMELLIA-128-CBC 128 bit default key
CAMELLIA-192-CBC 192 bit default key
CAMELLIA-256-CBC 256 bit default key
DES-CBC 64 bit default key
DES-EDE-CBC 128 bit default key
DES-EDE3-CBC 192 bit default key
Next, compare the list of HMAC digest algorithms, which are the values accepted by the --auth option, using the --show-digests option. For the OpenSSL build this list can easily exceed 25 entries, therefore only the most commonly used are printed here:
[root@server]# openvpn --show-digests
MD5 128 bit digest size
SHA 160 bit digest size
RIPEMD160 160 bit digest size
ecdsa-with-SHA1 160 bit digest size
SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
The PolarSSL build prints the following:
[root@server]# .../openvpn-2.3.10polarssl/openvpn --show-digests
SHA512 512 bit default key
SHA384 384 bit default key
SHA256 256 bit default key
SHA224 224 bit default key
SHA1 160 bit default key
RIPEMD160 160 bit default key
MD5 128 bit default key
When OpenVPN starts, the cryptographic library it was linked against is loaded and initialized. Only at that point are the available encryption algorithms and HMAC algorithms known. Both OpenSSL and PolarSSL provide a mechanism for enumerating the algorithms they were compiled with, and OpenVPN uses that mechanism to produce the output of both the --show-ciphers and the --show-digests options. The lists therefore reflect the library that this particular openvpn binary was built against, not whatever other crypto libraries happen to be installed on the system.
This recipe shows that the PolarSSL/mbed-TLS library does not support all of the algorithms that OpenSSL does. When you need to support a PolarSSL-built version of OpenVPN (like the OpenVPN Connect clients for Android and iOS), you can use only ciphers (--cipher parameter) and digests (--auth parameter) which are supported by both crypto libraries, and the name must be spelled identically in the client and server configurations, because OpenVPN looks the name up in its library at startup. In the lists above, the ciphers common to both builds are AES-128-CBC, AES-256-CBC and BF-CBC; of these, prefer the AES variants, since BF-CBC (Blowfish) and the DES family use a 64-bit block size and are no longer considered adequate for a tunnel that carries large amounts of traffic. Likewise, avoid MD5 for --auth even though both libraries list it.
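The check described above, choosing only algorithm names that both builds report, can be scripted rather than done by eye. The following POSIX shell script is an added example and is not part of the OpenVPN Cookbook or of OpenVPN itself. It parses the "NAME NNN bit ..." lines that --show-ciphers and --show-digests print, intersects the names from two builds, and then drops the legacy choices a practitioner should no longer pick. The sample outputs embedded in it are constructed from the lists printed earlier in this recipe; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example: find the ciphers and digests that two OpenVPN builds have in
# common, so that --cipher and --auth can be set to values both ends accept.
# The sample outputs below are constructed from the lists shown in this recipe
# (OpenVPN 2.3.10 built against OpenSSL and against PolarSSL); they are not
# captured from a live system.

LC_ALL=C          # deterministic sort order for sort/uniq below
export LC_ALL

OPENSSL_CIPHERS=$(cat <<'EOF'
Header text that must be ignored (constructed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable) (TLS client/server...)
BF-OFB 128 bit default key (variable) (TLS client/server...)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed) (TLS client...)
AES-128-CFB 128 bit default key (fixed) (TLS client...)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed) (TLS client...)
AES-256-CFB 256 bit default key (fixed) (TLS client...)
AES-128-CFB1 128 bit default key (fixed) (TLS client...)
AES-192-CFB1 192 bit default key (fixed) (TLS client...)
AES-256-CFB1 256 bit default key (fixed) (TLS client...)
AES-128-CFB8 128 bit default key (fixed) (TLS client...)
AES-192-CFB8 192 bit default key (fixed) (TLS client...)
AES-256-CFB8 256 bit default key (fixed) (TLS client...)
EOF
)

POLARSSL_CIPHERS=$(cat <<'EOF'
AES-128-CBC 128 bit default key
AES-192-CBC 192 bit default key
AES-256-CBC 256 bit default key
BF-CBC 128 bit default key
CAMELLIA-128-CBC 128 bit default key
CAMELLIA-192-CBC 192 bit default key
CAMELLIA-256-CBC 256 bit default key
DES-CBC 64 bit default key
DES-EDE-CBC 128 bit default key
DES-EDE3-CBC 192 bit default key
EOF
)

OPENSSL_DIGESTS=$(cat <<'EOF'
MD5 128 bit digest size
SHA 160 bit digest size
RIPEMD160 160 bit digest size
ecdsa-with-SHA1 160 bit digest size
SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
EOF
)

POLARSSL_DIGESTS=$(cat <<'EOF'
SHA512 512 bit default key
SHA384 384 bit default key
SHA256 256 bit default key
SHA224 224 bit default key
SHA1 160 bit default key
RIPEMD160 160 bit default key
MD5 128 bit default key
EOF
)

# Extract the algorithm names: keep only lines of the form "NAME NNN bit ...",
# which is how both --show-ciphers and --show-digests list an algorithm,
# and print each name once, sorted.
algo_names() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[A-Za-z0-9-]+$/ && $2 ~ /^[0-9]+$/ && $3 == "bit" { print $1 }' |
        sort -u
}

# Names present in both outputs. Each side is already unique, so a name that
# appears twice in the concatenation appears in both lists.
common_algorithms() {
    { algo_names "$1"; algo_names "$2"; } | sort | uniq -d
}

# Drop algorithms that should no longer be chosen for a new tunnel:
# 64-bit block ciphers (Blowfish, DES/3DES, CAST5, RC2), RC4, and MD5.
drop_legacy() {
    grep -Ev '^(BF-|DES-|CAST5-|RC2-|RC4|MD5)'
}

recommended_common() {
    common_algorithms "$1" "$2" | drop_legacy
}

# Stand-alone run. To compare two real binaries instead of the sample data:
#   common_algorithms "$(openvpn --show-ciphers)" "$(/other/openvpn --show-ciphers)"
echo "Ciphers common to both builds:"
common_algorithms "$OPENSSL_CIPHERS" "$POLARSSL_CIPHERS"
echo "Recommended common ciphers (legacy ones removed):"
recommended_common "$OPENSSL_CIPHERS" "$POLARSSL_CIPHERS"
echo "Digests common to both builds:"
common_algorithms "$OPENSSL_DIGESTS" "$POLARSSL_DIGESTS"
echo "Recommended common digests (legacy ones removed):"
recommended_common "$OPENSSL_DIGESTS" "$POLARSSL_DIGESTS"
```

The comparison is by literal name, which is exactly how OpenVPN resolves --cipher and --auth, so a digest that one library lists as SHA and the other as SHA1 does not count as common. Also keep in mind that the OpenSSL digest list in this recipe is abridged; run the real commands against both binaries before settling on a value.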
Apart from the data channel cipher and HMAC algorithms, there is one more set of available algorithms that can be listed. This is the set of TLS cipher suites that can be used for encrypting and authenticating the control channel, which is what the --tls-cipher option selects from. In order to list the set of TLS cipher suites, use the following command:
openvpn --show-tls
As with the other two lists, the output depends on which crypto library the binary was built against, so a --tls-cipher value must also be chosen from the suites that both ends report.
Starting with OpenVPN 2.4, a new set of ciphers is supported. These ciphers are known as AEAD ciphers, which stands for Authenticated Encryption with Associated Data. These ciphers combine encryption with authentication in a single operation, thereby removing the need for a separate HMAC algorithm on the data channel (the --auth setting then no longer applies to data channel packets) and thus providing increased performance. Both OpenSSL 1.0+ and mbed-TLS 1.3+ support these ciphers. With OpenVPN 2.4+, the --show-ciphers list will also include the AES-GCM ciphers, such as AES-128-GCM and AES-256-GCM.
Another major difference between OpenSSL and PolarSSL is the encryption/decryption speed of the algorithms. OpenSSL includes hand-tuned assembly routines for maximum encryption speed, especially for the AES algorithms on newer Intel CPUs that offer the AES-NI instructions. However, the encryption speed is not the most important factor when determining the throughput of an OpenVPN network, as we will see in Chapter 8, Performance Tuning.