EKM requires the OpenSSL library or mbed TLS 2.18+. In the key negotiation process, the EKM (Exported Keying Material, RFC 5705) mechanism is now the preferred method for obtaining key generation material, taking priority over the OpenVPN-specific PRF mechanism.

In addition, the UDP server now implements a cookie-based connection negotiation mode that uses an HMAC-based cookie as the session identifier, which allows the server to perform stateless verification of incoming connection attempts.

Another change that stands out in the new version is that TLS mode can now be used with self-signed certificates: with the "--peer-fingerprint" option, the "--ca" and "--capath" parameters can be omitted, avoiding the need to set up a PKI based on Easy-RSA or similar software.

In the tests carried out, compared with the configuration based on the tun interface, using the module on both the client and server side with AES-256-GCM encryption increased performance 8 times (from 370 Mbit/s to 2950 Mbit/s). Using the module only on the server side, performance increased 4 times for incoming traffic and 35% for outgoing. Using the module only on the client side, performance increased three times for outgoing traffic and did not change for incoming traffic.
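The "--peer-fingerprint" mode pins a peer's certificate by the SHA-256 hash of its DER encoding instead of validating a chain against a CA. The following is an added example, not code from the OpenVPN project, showing how that fingerprint is derived, how it is written into an inline peer-fingerprint block, and what the acceptance check amounts to. The certificate bytes are a constructed placeholder so the script runs offline; in practice the PEM would be read from a file, and the value produced here matches what "openssl x509 -noout -fingerprint -sha256" prints for the same certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder, NOT a real certificate: arbitrary bytes wrapped in
# PEM armour so that the example runs without any key material on disk.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-placeholder-certificate-bytes").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to the DER encoding."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated uppercase hex.

    This is the certificate fingerprint as printed by
    `openssl x509 -noout -fingerprint -sha256`, which is what peer-fingerprint pins.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint copied from a tool.

    Accepts 'SHA256 Fingerprint=ab:cd:...', lowercase, or bare hex, and returns
    the colon-separated uppercase form; anything that is not 32 bytes of hex is rejected.
    """
    body = fp.split("=", 1)[-1].strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{64}", body):
        raise ValueError("not a SHA-256 fingerprint")
    return ":".join(body[i:i + 2] for i in range(0, 64, 2))


def peer_fingerprint_block(pems: list[str]) -> str:
    """Render an inline <peer-fingerprint> block, one pinned peer certificate per line."""
    lines = [sha256_fingerprint(pem_to_der(p)) for p in pems]
    return "<peer-fingerprint>\n" + "\n".join(lines) + "\n</peer-fingerprint>\n"


def peer_allowed(presented_der: bytes, pinned: list[str]) -> bool:
    """The pinning decision: accept only if the presented certificate's
    fingerprint is in the allow-list. No CA chain is consulted."""
    return sha256_fingerprint(presented_der) in {normalize(p) for p in pinned}


if __name__ == "__main__":
    print(peer_fingerprint_block([SAMPLE_PEM]))
```

Because the check is a set membership on a hash of the whole certificate, renewing a pinned peer's certificate changes its fingerprint and the allow-list on the other side has to be updated at the same time; that operational coupling is the price of dropping the CA.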