A true 256-bit AES connection via OpenVPN?

Discussion in 'privacy problems' started by Red Dawn, May 10, 2013.

Thread Status:
Not open for further replies.
  1. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
    Just a quick question for any OpenVPN users that can help. I'm trying to verify if this vpn connection I'm making is truly 256-bit AES. In the log I find that entry, but with many others, and trying to google which each stands for hasn't truly helped me in determining if this connection being made, is a true 256bit AES setup. Can any openvpn experts help on this quick question? Many thanks!

    Code:
     Thu May 09 11:38:13 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
    > Thu May 09 11:38:13 2013 MANAGEMENT: TCP Socket listening on 127.0.0.1:9000
    > Thu May 09 11:38:14 2013 Need password(s) from management interface, waiting...
    > Thu May 09 11:38:14 2013 MANAGEMENT: Client connected from 127.0.0.1:9000
    > Thu May 09 11:38:14 2013 MANAGEMENT: CMD 'username Auth '
    > Thu May 09 11:38:14 2013 MANAGEMENT: CMD 'password [...]'
    > Thu May 09 11:38:14 2013 MANAGEMENT: Client disconnected
    > Thu May 09 11:38:14 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    > Thu May 09 11:38:14 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    > Thu May 09 11:38:14 2013 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
    > Thu May 09 11:38:14 2013 LZO compression initialized
    > Thu May 09 11:38:14 2013 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    > Thu May 09 11:38:14 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
    > Thu May 09 11:38:14 2013 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    > Thu May 09 11:38:14 2013 Local Options hash (VER=V4): '2547efd2'
    > Thu May 09 11:38:14 2013 Expected Remote Options hash (VER=V4): '77cf0943'
    > Thu May 09 11:38:14 2013 Attempting to establish TCP connection with *.*.*.*:80
    > Thu May 09 11:38:14 2013 TCP connection established with *.*.*.*:80
    > Thu May 09 11:38:14 2013 TCPv4_CLIENT link local: [undef]
    > Thu May 09 11:38:14 2013 TCPv4_CLIENT link remote: *.*.*.*:80
    > Thu May 09 11:38:14 2013 TLS: Initial packet from *.*.*.*:80, sid=9* f3366032
    > Thu May 09 11:38:14 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    > Thu May 09 11:38:14 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 11:38:14 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 11:38:15 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 11:38:15 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 11:38:15 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 11:38:15 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 11:38:15 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    > Thu May 09 11:38:15 2013 [*.*.*.*] Peer Connection Initiated with *.*.*.*:80
    > Thu May 09 11:38:17 2013 SENT CONTROL [*.*.*.*]: 'PUSH_REQUEST' (status=1)
    > Thu May 09 11:38:17 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.9.0.1,topology net30,ping 5,ping-restart 30,ifconfig *.*.0.18 *.*.0.17'
    > Thu May 09 11:38:17 2013 OPTIONS IMPORT: timers and/or timeouts modified
    > Thu May 09 11:38:17 2013 OPTIONS IMPORT: --ifconfig/up options modified
    > Thu May 09 11:38:17 2013 OPTIONS IMPORT: route options modified
    > Thu May 09 11:38:17 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    > Thu May 09 11:38:17 2013 ROUTE default_gateway=192.168.0.1
    > Thu May 09 11:38:17 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{*-F7EB-4D1E-9F8A-F9B03464A662}.tap
    > Thu May 09 11:38:17 2013 TAP-Win32 Driver Version 9.9 
    > Thu May 09 11:38:17 2013 TAP-Win32 MTU=1500
    > Thu May 09 11:38:17 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of *.9.*.18/255.255.255.252 on interface {*-F7EB-4D1E-9F8A-F9B03464A662} [DHCP-serv: *.*.0.17, lease-time: 31536000]
    > Thu May 09 11:38:17 2013 Successful ARP Flush on interface [24] {*-F7EB-4D1E-9F8A-F9B03464A662}
    > Thu May 09 11:38:17 2013 up.exe Local Area Connection 2 1500 1576 *.*.0.18 *.*.0.17 init
    > Thu May 09 11:38:24 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    > Thu May 09 11:38:24 2013 C:\WINDOWS\system32\route.exe ADD *.*.*.* MASK 255.255.255.255 192.168.0.1
    > Thu May 09 11:38:24 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
    > Thu May 09 11:38:24 2013 Route addition via IPAPI succeeded [adaptive]
    > Thu May 09 11:38:24 2013 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 *.9.*.17
    > Thu May 09 11:38:24 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    > Thu May 09 11:38:24 2013 Route addition via IPAPI succeeded [adaptive]
    > Thu May 09 11:38:24 2013 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 *.*.*.17
    > Thu May 09 11:38:24 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    > Thu May 09 11:38:24 2013 Route addition via IPAPI succeeded [adaptive]
    > Thu May 09 11:38:24 2013 C:\WINDOWS\system32\route.exe ADD *.*.*.1 MASK 255.255.255.255 *.*.*.17
    > Thu May 09 11:38:24 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    > Thu May 09 11:38:24 2013 Route addition via IPAPI succeeded [adaptive]
    > Thu May 09 11:38:24 2013 Initialization Sequence Completed
    > Thu May 09 12:38:15 2013 TLS: soft reset sec=0 bytes=21255372/0 pkts=37022/0
    > Thu May 09 12:38:16 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 12:38:16 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 12:38:16 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 12:38:16 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 12:38:16 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 12:38:16 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 12:38:16 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    > Thu May 09 13:38:15 2013 TLS: tls_process: killed expiring key
    > Thu May 09 13:38:16 2013 TLS: soft reset sec=0 bytes=35180485/0 pkts=65203/0
    > Thu May 09 13:38:16 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 13:38:16 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=*.*.*.*/name=changeme/emailAddress=mail@host.domain
    > Thu May 09 13:38:17 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 13:38:17 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 13:38:17 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    > Thu May 09 13:38:17 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    > Thu May 09 13:38:17 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    > Thu May 09 14:38:16 2013 TLS: tls_process: killed expiring key
    
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    No. Well...

    Your Data Channel looks to be 128bit Blowfish. This is your YouTube cat videos, etc...

    Your Control Channel is 256bit AES. This is authentication of who you are (account log in, etc...).


    Here is 256bit Data:

    It's also using 1024bit RSA .vs 2048 that others use.

    PD
     
  3. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
    many thanks for the response!
     
Loading...
Thread Status:
Not open for further replies.