[pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

Eugen Leitl eugen at leitl.org
Fri Oct 11 01:13:45 PDT 2013


----- Forwarded message from Vick Khera <vivek at khera.org> -----

Date: Thu, 10 Oct 2013 15:23:06 -0400
From: Vick Khera <vivek at khera.org>
To: pfSense support and discussion <list at lists.pfsense.org>
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Message-ID: <CALd+dcctKmfLxK+nnyCYGkc0Z6JCYJi3e3wUuOHc=+ObaOhZeQ at mail.gmail.com>
Reply-To: pfSense support and discussion <list at lists.pfsense.org>

On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson <jim at netgate.com> wrote:

> > Is there any mechanism to insert ciphers into Pfsense that are not
> currently supported?
>
> You have the source code.
>
> I, for one, am uninterested in non standards-compliant (and thus
> interoperable) implementations.
>

I personally choose the ciphers that are "hardware" optimized, since my
low-end home router (ALIX) gets me faster VPN performance when I do, and I
transfer files to/from the office all the time. So if the GUI recommends XYZ
because it is hardware accelerated, I choose it.

That said, a lot of the panic-driven-secure-your-web-sites-against-the-NSA
instructions recommend enabling ciphers that use ephemeral session keys.
The OpenSSL included in pfSense 2.1 supports many of these. Type this
"/usr/local/bin/openssl ciphers" to see them all. The ones that end with
"E" in the first component are the ones with the ephemeral key. Now, how
to convince the GUI to make use of these for IPsec or OpenVPN I do not
know. I'm sure you can do it via direct config file tweakage, though. I
think IPsec renegotiates keys every 60 minutes anyway, so they'd have to do
a lot of key breaking to snoop your data, unless they could predict your
keys or sneak a MitM attack on you.

To list the "strong" ciphers only, use this: /usr/local/bin/openssl ciphers
"TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL"



----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
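As an added example (not code from the post or from the pfSense project), the script below parses `openssl ciphers -v` output and sorts suites by whether their key exchange is ephemeral, keying off the Kx field rather than the suite name so that older EDH- names are caught as well as DHE/ECDHE; the sample output is constructed in the OpenSSL 1.0.x format, and the `weak()` filter only approximates the exclusion list from the post.

```python
import re
import sys

# Constructed sample modelled on "openssl ciphers -v" output from OpenSSL 1.0.x
# (the branch pfSense 2.1 ships); it was not captured from a real system.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
EDH-RSA-DES-CBC3-SHA        SSLv3   Kx=DH       Au=RSA  Enc=3DES(168)   Mac=SHA1
AECDH-AES256-SHA            SSLv3   Kx=ECDH     Au=None Enc=AES(256)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-RC4-SHA           SSLv3   Kx=ECDH     Au=RSA  Enc=RC4(128)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse(text):
    """One dict per 'openssl ciphers -v' line; lines that do not match are skipped."""
    keys = ("name", "proto", "kx", "au", "enc", "mac")
    return [dict(zip(keys, m.groups())) for m in map(LINE.match, text.splitlines()) if m]

def forward_secret(s):
    """Ephemeral key agreement, so a recorded session cannot be decrypted later with
    the server's long-term key. OpenSSL 1.0.x prints DHE/EDH suites as Kx=DH and
    ECDHE/AECDH as Kx=ECDH; static RSA key transport shows Kx=RSA."""
    return s["kx"] in ("DH", "ECDH")

def weak(s):
    """Approximates the post's exclusions: MD5 MAC, RC4, anonymous auth (aNULL),
    NULL encryption and export-grade suites."""
    return (s["mac"] == "MD5" or s["enc"].startswith("RC4") or s["au"] == "None"
            or s["enc"].startswith("None") or s["name"].startswith("EXP"))

def classify(text):
    """Return three name lists: FS and strong, FS but weak, no forward secrecy."""
    good, fs_weak, no_fs = [], [], []
    for s in parse(text):
        if not forward_secret(s):
            no_fs.append(s["name"])
        elif weak(s):
            fs_weak.append(s["name"])
        else:
            good.append(s["name"])
    return good, fs_weak, no_fs

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for label, names in zip(("FS + strong", "FS but weak", "no FS"), classify(text)):
        print(f"{label:12s} {', '.join(names)}")
```

To run it against a real box, pipe the binary's output in: `/usr/local/bin/openssl ciphers -v ALL | python3 fs_check.py` (the script name is a placeholder).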


