What's new

Github snapshot test builds (Updated 30-May-2015)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Question.. Would it be possible to add some sort of page that shows how the QOS engine is sorting and prioritizing the traffic? Similar to what you get with Tomato with the pie charts and ports being used and all that?
 
Question.. Would it be possible to add some sort of page that shows how the QOS engine is sorting and prioritizing the traffic? Similar to what you get with Tomato with the pie charts and ports being used and all that?

Lots of work involved, that would have a very low priority for me.
 
The webui itself was already hardened a few release ago. It will only accept the following ciphers (with a few explicit rejections at the end of that list):

Code:
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-G
CM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-EC
DSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-
SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:
!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

OpenVPN allowed TLS are currently a bit wider, because of the need to inter operate with a variety of clients (for the server) and providers (for the client). I haven't decided yet on a good way to harden it without sacrificing compatibility. One solution I'm currently leaning toward is to have a specific suite of secure ciphers defined, and these would be allowed by default. There would probably be a webui option to enable support for weaker ciphers (which would be disabled by default).

I'm also tempted to make that a generic "Harden security" setting instead, which once enabled, would limit the available ciphers in addition to enforcing the use of TLS 1.0 or higher (currently it defaults to TLS 1.0 only for compatibility reasons - something that OpenVPN 2.3.7+ will be addressing in the future).

I'm still considering the available options there.
Thanks for your extensive replies :)
 
Locking this thread as the final release is now available - thanks everyone who tested these alpha builds and provided some feedback.
 
Status
Not open for further replies.

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top