From eugen@leitl.org Fri Oct 11 04:13:48 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Date: Fri, 11 Oct 2013 10:13:45 +0200
Message-ID: <20131011081345.GW10405@leitl.org>

----- Forwarded message from Vick Khera -----

Date: Thu, 10 Oct 2013 15:23:06 -0400
From: Vick Khera
To: pfSense support and discussion
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Reply-To: pfSense support and discussion

On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson wrote:

> Is there any mechanism to insert ciphers into Pfsense that are not
> currently supported?
>
> You have the source code.
>
> I, for one, am uninterested in non standards-compliant (and thus
> interoperable) implementations.

I personally choose the ciphers that are "hardware" optimized, since my
low-end home router (ALIX) gets me faster vpn performance when I do, and I
transfer files to/from office all the time. So if the GUI recommends XYZ
because it is hardware accelerated, I choose it.

That said, a lot of the panic-driven-secure-your-web-sites-against-the-NSA
instructions recommend enabling ciphers that use ephemeral session keys. The
OpenSSL included in pfSense 2.1 supports many of these. Type this
"/usr/local/bin/openssl ciphers" to see them all. The ones that end with "E"
in the first component are the ones with the ephemeral key.

Now, how to convince the GUI to make use of these for IPsec or OpenVPN I do
not know. I'm sure you can do it via direct config file tweakage, though.

I think IPsec renegotiates keys every 60 minutes anyway, so they'd have to
do a lot of key breaking to snoop your data, unless they could predict your
keys or sneak a MitM attack on you.

To list the "strong" ciphers only, use this:

/usr/local/bin/openssl ciphers "TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL"

----- End forwarded message -----

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
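As an added illustration of the "E in the first component" rule and the exclusions in Vick's cipher string (not code from the thread or from pfSense), the script below classifies OpenSSL 1.0.x-style suite names from a constructed sample of `openssl ciphers` output and keeps only authenticated forward-secret suites. The sample listing, the prefix sets and the weak-marker set are my assumptions about OpenSSL's naming, not something the mail states.

```python
from dataclasses import dataclass, field

# Constructed sample of "openssl ciphers" output (OpenSSL 1.0.x naming, as in
# pfSense 2.1): one colon-separated line of suite names. Not real output.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES256-SHA:"
    "EDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES256-SHA:AES256-SHA:AES128-GCM-SHA256:"
    "RC4-SHA:RC4-MD5:DES-CBC-SHA:EXP-RC4-MD5:ADH-AES128-SHA:AECDH-AES256-SHA:"
    "NULL-SHA:ECDHE-RSA-NULL-SHA"
)

# The first dash-separated component names the key exchange. ECDHE/DHE carry
# the trailing "E" the mail describes; EDH is OpenSSL's older alias for DHE on
# DES/3DES suites; ADH/AECDH are ephemeral but unauthenticated (anonymous), so
# they give no protection against an active MitM. (Assumed naming conventions.)
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}
ANON_KX = {"ADH", "AECDH"}
WEAK_MARKERS = {"MD5", "RC4", "NULL", "EXP"}  # classes the mail's string excludes


@dataclass
class SuiteInfo:
    name: str
    forward_secrecy: bool
    anonymous: bool
    weak: list = field(default_factory=list)


def classify(suite: str) -> SuiteInfo:
    """Classify one OpenSSL suite name by its dash-separated components."""
    parts = suite.split("-")
    kx = parts[0]
    weak = sorted(m for m in WEAK_MARKERS if m in parts)
    if "DES" in parts and "CBC3" not in parts:  # single DES, not 3DES
        weak.append("DES")
    return SuiteInfo(suite, kx in EPHEMERAL_KX, kx in ANON_KX, weak)


def forward_secret_suites(listing: str) -> list:
    """Suites with an authenticated ephemeral key exchange and no weak class."""
    keep = []
    for name in listing.strip().split(":"):
        info = classify(name)
        if info.forward_secrecy and not info.anonymous and not info.weak:
            keep.append(name)
    return keep


if __name__ == "__main__":
    for name in forward_secret_suites(SAMPLE_CIPHER_LIST):
        print(name)
```

Feed it the real output of `/usr/local/bin/openssl ciphers` to see which of the suites a given build offers actually satisfy the ephemeral-key criterion without falling into one of the excluded classes.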