I found that after an upgrade, my OpenVPN setup no longer worked with my client. The message in the log file was:
OpenSSL: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small
Long story short: the upgraded OpenSSL rejects the server's 1024-bit DH parameters as too small, so you need 2048-bit ones now. Run the command given in the sample server.conf in the sample-config-files directory of your OpenVPN distribution (openssl dhparam -out dh2048.pem 2048) to generate dh2048.pem, put it in the same directory where you have dh1024.pem, and point the dh parameter in the config file at the new file.
Other changes I needed to make, which you may or may not need, were:
I turned off comp-lzo compression, as suggested. This change also needs to be made in the client config files.
I had the parameter cipher AES-256-CBC. Just let it autonegotiate to AES-256-GCM now. If you wish AES-256-CBC to still be considered, change that parameter to data-ciphers-fallback.
Fortunately, aside from disabling comp-lzo, I didn't need to regenerate the client keys or change the rest of the config.
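The whole migration as one shell script, added here as an example and not code from the original post: it generates dh2048.pem next to the old dh1024.pem, rewrites the server.conf (dh, comp-lzo, cipher) the way the steps above describe, strips comp-lzo from client configs, and checks the result. The config paths and the assumption that the old settings sit on their own lines are mine; the openssl command is the one the sample server.conf refers to.

```shell
#!/bin/sh
# Added example, not code from the original post. Migrates an OpenVPN
# server.conf from the pre-upgrade settings (dh dh1024.pem, comp-lzo,
# cipher AES-256-CBC) to the post-upgrade ones. File names and paths are
# assumptions; adjust them to your layout.

# Generate 2048-bit DH parameters (the command the sample server.conf
# refers to). Slow, so run it once in the directory holding dh1024.pem.
gen_dh2048() {
    openssl dhparam -out "$1" 2048
}

# Print the bit length of a DH parameter file, to confirm what the server
# will actually load before restarting it.
dh_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
}

# Rewrite a server config in place (keeping a .bak copy):
#   dh dh1024.pem      -> dh dh2048.pem
#   comp-lzo           -> dropped
#   cipher AES-256-CBC -> data-ciphers-fallback AES-256-CBC, so AES-256-GCM
#                         is negotiated by default and CBC stays available
#                         only as a fallback
migrate_server_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -e 's/^dh[[:space:]]\{1,\}dh1024\.pem[[:space:]]*$/dh dh2048.pem/' \
        -e '/^comp-lzo$/d' \
        -e '/^comp-lzo[[:space:]]/d' \
        -e 's/^cipher[[:space:]]\{1,\}AES-256-CBC[[:space:]]*$/data-ciphers-fallback AES-256-CBC/' \
        "$conf.bak" > "$conf"
}

# Client configs only need comp-lzo removed; everything else stays as it is.
migrate_client_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -e '/^comp-lzo$/d' -e '/^comp-lzo[[:space:]]/d' "$conf.bak" > "$conf"
}

# Exit 0 when a server config carries none of the three old settings.
verify_server_conf() {
    ! grep -Eq '^(dh[[:space:]]+dh1024\.pem|comp-lzo|cipher[[:space:]]+AES-256-CBC)([[:space:]]|$)' "$1"
}

# Usage: sh migrate.sh /etc/openvpn/server.conf [client.ovpn ...]
# The first argument is the server config; any further ones are client configs.
if [ "$#" -gt 0 ]; then
    server="$1"; shift
    dir=$(dirname "$server")
    [ -f "$dir/dh2048.pem" ] || gen_dh2048 "$dir/dh2048.pem"
    migrate_server_conf "$server"
    for c in "$@"; do migrate_client_conf "$c"; done
    verify_server_conf "$server" \
        && echo "server config migrated; DH parameters are $(dh_bits "$dir/dh2048.pem") bits"
fi
```

Restart the server only after verify_server_conf passes and dh_bits reports 2048; the .bak copies let you roll back if a client that cannot be updated still insists on comp-lzo.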