ANSWERED SSL only 128-bit encryption, why not 256 like openvpn?

[In*the*AIR 1]

Hello,

 

I usually connect with OpenVPN over SSL, using AirVPN with SSL Tunnel.

I noticed in the logs that the SSL connection is done with only 128-bit encryption while it is capable to do 256-bit encryption.

 

 

 

SSL > Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
OpenVPN > Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA

 

 

Do you think it might be a issue with the stunnel version?

 

Thanks
 

[Strongduck 1]

128-bit suites have no practical decrease in security over 256-bit ones, but a slight performance improvement.

 

Just google it, you will get a bunch of very detailed explanations why 128 is enough.

[Staff 9771]

Hello!

 

We don't want to add security to the SSL layer. The SSL layer has the only purpose to encrypt the OpenVPN headers to prevent OpenVPN usage detection, it must not be thought as an additional security layer: the real security lies on the OpenVPN tunnel inside the SSL tunnel. Anyway, AES-128 is robust, even too much for our purposes. Remember that you should use OpenVPN over SSL only when absolutely unavoidable (for example from China, or whenever an ISP tries to block OpenVPN), because with OpenVPN over SSL you add a significant overhead and on top of that you force OpenVPN to work in TCP, while OpenVPN gives out its best performance in UDP.

 

Kind regards

[In*the*AIR 1]

I understand better now, thank you for the explanation.