Sorry if this is the wrong forum but I am using Merlin 384.18 alpha on an ax88u so there’s that 
I’ve recently updated the iOS openvpn client which switched to OpenSSL, enabling TLS 1.3. I’ve been playing with my tls versions and settings and my certain/keys. In the client log on my iPhone I’m seeing the 1.3 is being used with the cipher suite I specified but also auth [null digest] and digest: none. Is this anything to worry about or are the digests not coming into play since I’m using tls-crypt and tls 1.3?
also I know my security is overkill and I’m sacrificing performance. But since I’m only enabling vpn to occasionally connect to remote manage my home network or encrypt traffic over open Wi-Fi, I’m fine with it.
Client/server settings
Tls-crypt instead of tls-auth
Auth SHA512
Ncp-disable
Cipher aes-256-gcm
Server config
Dh none
tls-version-min 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384
ecdh-curve secp521r1
I’m setting dh none since I generated certs 4096 bit ec keys using scep521r1 in my EasyRSA vars file.
Client logs
Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
SSL Handshake: CN=Redacted, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: NONE
peer ID: 0
Ax88u System log
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 521 bit EC, curve: secp521r1
I’ve recently updated the iOS openvpn client which switched to OpenSSL, enabling TLS 1.3. I’ve been playing with my tls versions and settings and my certain/keys. In the client log on my iPhone I’m seeing the 1.3 is being used with the cipher suite I specified but also auth [null digest] and digest: none. Is this anything to worry about or are the digests not coming into play since I’m using tls-crypt and tls 1.3?
also I know my security is overkill and I’m sacrificing performance. But since I’m only enabling vpn to occasionally connect to remote manage my home network or encrypt traffic over open Wi-Fi, I’m fine with it.
Client/server settings
Tls-crypt instead of tls-auth
Auth SHA512
Ncp-disable
Cipher aes-256-gcm
Server config
Dh none
tls-version-min 1.3
tls-ciphersuites TLS_AES_256_GCM_SHA384
ecdh-curve secp521r1
I’m setting dh none since I generated certs 4096 bit ec keys using scep521r1 in my EasyRSA vars file.
Client logs
Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
SSL Handshake: CN=Redacted, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: NONE
peer ID: 0
Ax88u System log
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 521 bit EC, curve: secp521r1
