-rw-r--r-- pages/about.md | 8
-rw-r--r-- pages/projects.md | 62
-rw-r--r-- posts/openvpn_modern_crypto_part_ii.md | 73
3 files changed, 95 insertions, 48 deletions
diff --git a/pages/about.md b/pages/about.md
index 3ee0dd3..bfff315 100644
--- a/pages/about.md
+++ b/pages/about.md
@@ -4,16 +4,14 @@ title: About
![fkooman](img/fkooman.jpg)
-I am François, a freelance software developer spending quite some time in
-Berlin, Germany. Working mostly on security software in the field of
-authentication (SAML, OIDC) and authorization (OAuth) and some VPN stuff.
+I am François, software developer, living in Berlin. Working mostly on security
+software related to VPNs, authentication and authorization (SAML, OIDC, OAuth).
Mostly working with [PHP](https://www.php.net/), but interested in, and
learning, [Go](https://golang.org/).
### Mail
-You can reach me by email at [fkooman@tuxed.net](mailto:fkooman@tuxed.net). My
-PGP public key can be found [here](files/fkooman.pgp.txt).
+You can reach me by email at [fkooman@tuxed.net](mailto:fkooman@tuxed.net).
### "Social"
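Review bot: dropping the PGP key link from the Mail section leaves the contact page with no pointer to a key, although `files/fkooman.pgp.txt` still exists and is linked from projects.md in this same commit; readers who want to encrypt mail will look for it next to the address, so consider keeping a short sentence such as `My PGP public key can be found [here](files/fkooman.pgp.txt).` The new opening sentence also reads better as `I am François, a software developer living in Berlin.`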
diff --git a/pages/projects.md b/pages/projects.md
index f6a40a8..43cd4f4 100644
--- a/pages/projects.md
+++ b/pages/projects.md
@@ -2,52 +2,28 @@
title: Projects
---
-This is an incomplete list of projects and software I'm currently working on.
-
-### Projects
-
-#### eduVPN / Let's Connect!
-
-[eduVPN](https://www.eduvpn.org/) and
-[Let's Connect!](https://letsconnect-vpn.org/) are fully managed VPN solution
-initially developed for use in education and research context (eduVPN), but
+I'm working on [eduVPN](https://www.eduvpn.org/) and
+[Let's Connect!](https://www.letsconnect-vpn.org/). They are fully managed VPN
+solution, initially developed for education and research as eduVPN, but
currently capable of handling many different VPN scenarios and able to replace
-many (commercial) VPN solutions to provide a fast, flexible and secure
-alternative (Let's Connect!).
-
-### Libraries
-
-* [php-yubitwee](https://software.tuxed.net/php-yubitwee/) - YubiKey OTP Validator library
-* [php-secookie](https://software.tuxed.net/php-secookie/) - Secure cookie and session library
-* [php-oauth2-client](https://software.tuxed.net/php-oauth2-client/) - Very simple OAuth 2.0 client
-* [php-oauth2-server](https://software.tuxed.net/php-oauth2-server/) - Very simple OAuth 2.0 server
-* [php-sqlite-migrate](https://software.tuxed.net/php-sqlite-migrate/) - Simple SQLite Migrations
-* [php-openvpn-connection-manager](https://software.tuxed.net/php-openvpn-connection-manager/) - Manage client connections to OpenVPN processes
-* [php-otp-verifier](https://software.tuxed.net/php-otp-verifier/) - OTP Validation Library
-* [php-jwt](https://software.tuxed.net/php-jwt/) - Simple JWT Signer/Verifier written in PHP
-* [php-saml-sp](https://software.tuxed.net/php-saml-sp/) - SAML Service Provider library written in PHP (**Experimental**)
-
-### Apps
-
-* [php-remote-storage](https://github.com/fkooman/php-remote-storage) - [remoteStorage](https://remotestorage.io/) server written in PHP (**Unmaintained**).
-* [php-json-signer](https://software.tuxed.net/php-json-signer/) - JSON Signer
-* [php-saml-ds](https://software.tuxed.net/php-saml-ds/) - SAML Discovery Service
-* [php-voot2-provider](https://software.tuxed.net/php-voot2-provider/) - VOOT Provider (**Unmaintained**)
-* [php-saml-idp](https://software.tuxed.net/php-saml-idp/) - SAML Identity Provider written in PHP (**Experimental**)
-
-### Source
+many (commercial) VPN solutions to provide a fast, flexible, secure and not
+to mention, fully free software VPN service for any organization.
-See also [git.tuxed.net](https://git.tuxed.net/) for source code repositories,
-or [GitHub](https://github.com/fkooman/) for mirrors of (most of) those source
-repositories.
+Next, and as part of the work on eduVPN / Let's Connect! I wrote and maintain a
+number of libraries and applications written in PHP and Go. All of them are
+available both as Git repositories and as signed source archives.
-### Source Verification
+* [Git](https://git.tuxed.net/)
+* [Source Archives](https://src.tuxed.net/)
-[Minisign](https://jedisct1.github.io/minisign/) is used to sign the software
-release packages (tarballs). The following public key can be used to verify
-the signatures:
+The source archives are signed with [PGP](https://gnupg.org/) and
+[minisign](https://jedisct1.github.io/minisign/).
- untrusted comment: minisign public key 8466FFE127BCDC82
- RWSC3Lwn4f9mhG3XIwRUTEIqf7Ucu9+7/Rq+scUMxrjg5/kjskXKOJY/
+You can download my public minisign key
+[here](files/fkooman-20190721.minisign.pub) and my public PGP key
+[here](files/fkooman.pgp.txt).
-Download the public key [here](files/fkooman-20190721.minisign.pub).
+**NOTE**: I do not offer (free) support for this software, nor commit to
+maintaining them indefinitely. Feel free to use them, according to the license,
+ask questions, offer suggestions, or talk to me about contributing changes, but
+at all times be ready to take over maintenance of your local copy.
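Review bot: the inline minisign public key (the `untrusted comment: minisign public key 8466FFE127BCDC82` line and the `RWSC3Lwn4f9mhG3XIwRUTEIqf7Ucu9+7/Rq+scUMxrjg5/kjskXKOJY/` line) is removed and only the downloadable `.pub` file remains, so a reader can no longer compare the downloaded file against the key printed on the page; since page and file are served from the same origin that comparison is weak anyway, but the inline copy costs nothing and survives in archives and search caches, so consider keeping it beside the download link. Two wording nits: `They are fully managed VPN solution` should read `solutions`, and `Next, and as part of the work on eduVPN / Let's Connect! I wrote` needs a comma before `I wrote`.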
diff --git a/posts/openvpn_modern_crypto_part_ii.md b/posts/openvpn_modern_crypto_part_ii.md
new file mode 100644
index 0000000..367aca7
--- /dev/null
+++ b/posts/openvpn_modern_crypto_part_ii.md
@@ -0,0 +1,73 @@
+---
+title: OpenVPN and Modern Crypto (Part II)
+published: 2020-09-11
+---
+
+_This blog post is a copy of a blog post I wrote for the eduVPN blog..._
+
+Last year we decided to
+[investigate](https://www.eduvpn.org/blog/openvpn_modern_crypto.html) the
+OpenVPN client support of TLSv1.3 and EdDSA (Ed25519). One reason for doing
+this is, to stay
+[current](https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html)
+with algorithm recommendations by experts and
+[move away from RSA](https://blog.trailofbits.com/2019/07/08/fuck-rsa/). As
+EdDSA is easier to implement [securely](https://safecurves.cr.yp.to/) and has
+built-in protections against attacks that other curves, most notably, the NIST
+curves, do not have, there are fewer things that can go wrong. This can make
+the VPN more secure.
+
+The other reason is performance. Generating RSA keys is slow, very slow. As we
+currently generate the keys on the server, this potentially results in high CPU
+load when many clients want to obtain a (new) certificate at around the same
+time, for example at the start of the work day. For a service with hundreds or
+thousands of users, this can create problems. Also, on a Raspberry Pi, yes
+eduVPN / Let's Connect!
+[supports](https://github.com/eduvpn/documentation/blob/v2/RASPBERRY_PI.md) the
+Raspberry Pi, it is slow to generate RSA keys, which can take many seconds. No
+fun!
+
+A simple
+[benchmark](https://github.com/letsconnectvpn/vpn-ca/blob/main/benchmark.sh)
+running on a laptop from 2012, and Raspberry Pi 3 Model B+ shows the clear
+difference. The benchmark generates a self signed CA then generates 50 keys and
+signs each of them using the CA. The time varies per execution, but they show a
+clear, very big difference. The time between brackets is key generation and
+signing per certificate, on average.
+
+Key Type | Laptop | Raspberry Pi
+-------- | ----------- | ------------
+RSA | 63s (1.26s) | 368s (7.36s)
+ECDSA | 1s | 4s
+EdDSA | 0s | 1s
+
+We decided to check the status of the clients again to investigate whether it
+is possible to upgrade to TLSv1.3 and EdDSA in the next version of eduVPN /
+Let's Connect!. Luckily, much has changed since last year and support for EdDSA
+and TLSv1.3 looks a lot better now!
+
+The eduVPN / Let's Connect! 2.x server meanwhile supports EdDSA (and ECDSA) out
+of the box, but will keep RSA as the default. However the server can easily be
+configured to use ECDSA or EdDSA.
+
+We'll again go over the list of clients that were tested last year. The updated
+results can be found in the table.
+
+Application | Works? | Version
+----------------------------------------------------------------------- | ------ | --------------------------------------
+[OpenVPN Community](https://openvpn.net/community-downloads/) (Windows) | Yes | 2.4.9 on Windows 10
+[Passepartout](https://passepartoutvpn.app/) | Yes | 1.12.0 (2390) on iOS
+[Viscosity](https://www.sparklabs.com/viscosity/) (Windows, macOS) | Yes | 1.8.6 (Windows, macOS)
+[Tunnelblick](https://tunnelblick.net/) (macOS) | Yes | 3.8.3a (build 5521)
+[OpenVPN for Android](https://github.com/schwabe/ics-openvpn) | Yes | 0.7.16
+OpenVPN Connect (iOS) | Yes | 3.2.0 (3253)
+OpenVPN Connect (Android) | Yes | 3.2.2 (5027)
+Linux | Yes | _Modern Distributions_
+
+This looks good! With modern Linux distributions we mean Fedora, Debian 10,
+Ubuntu 20.04, and any other distribution or OS with OpenSSL >= 1.1.1.
+
+It seems we should be able to update to TLSv1.3 and EdDSA in the next major
+version of eduVPN / Let's Connect!. The eduVPN / Let's Connect! apps are based
+on OpenVPN (Community) and the TunnelKit library used by Passepartout. We'll
+even keep supporting the standard OpenVPN clients!
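Review bot: in the benchmark table the laptop EdDSA entry `0s` and the missing bracketed per-certificate figures for the ECDSA and EdDSA rows suggest the timings are rounded to whole seconds, which hides exactly the differences the post argues from; report those two rows at sub-second resolution and with the per-certificate average like the RSA row. The post also argues for moving away from RSA yet states the 2.x server `will keep RSA as the default` without saying why; one sentence on the reason would help the reader weigh the recommendation. Minor: `self signed CA` should be `self-signed CA`.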