"Cipher = none" doesn't seem to be working properly

Brian Prodoehl bprodoehl at gmail.com
Sun Aug 7 21:29:21 CEST 2011


Thanks for the quick reply.  You were right that my traffic was going
over TCP, and I wasn't aware of how the cipher setting only applied to
UDP traffic.

Is cipher "none" being removed from 1.1?  With OpenSSL, you get this:

tincd 1.1pre2 (Aug  7 2011 14:59:40) starting, debug level 0
Unknown cipher name 'none'!
Unrecognized cipher type!
Terminating

My understanding is that using gcrypt does not yet work for other
reasons (although it would appear to support cipher "none", from
inspecting the code).

Fixing the behavior to initialize incipher as NULL is easy, but that
doesn't work with code like cipher_close(&n->incipher), which is just
a wrapper for EVP_CIPHER_CTX_cleanup().  Is the expectation that I
build OpenSSL with the eNULL cipher, and use that?


On Sun, Aug 7, 2011 at 12:02 PM, Guus Sliepen <guus at tinc-vpn.org> wrote:
> On Sun, Aug 07, 2011 at 10:57:31AM -0400, Brian Prodoehl wrote:
>
>> I have a simple pair of nodes set up, connected wirelessly, with tincd
>> 1.0.16 running in switch mode.  Setting Cipher and Digest to "none",
>> and Compression to 0, the bridge is still CPU-bound, with most of
>> tincd's CPU time spent in libcrypto.  I narrowed it down to this line
>> in net_setup.c:
>>
>>       myself->connection->outcipher = EVP_bf_ofb();
>>
>> It looks as though all outgoing data is encrypted with blowfish,
>> regardless of the Cipher setting.  I pulled that assignment of
>> outcipher up to match what happens with incipher, and then my bridge
>> throughput doubled and tincd is no longer spending all that time in
>> libcrypto.  I didn't have a chance to test other Cipher settings, so
>> what I did may completely break encryption.  How should outcipher be
>> set?
>
> The Cipher option only affects the algorithm for UDP packets. Apparently, most
> of your traffic is tunneled via TCP. The protocol does allow a configurable
> algorithm for the TCP connection however, but it specifically requires a stream
> cipher, whereas UDP packets can use any cipher mode.
>
> I might add another option to set a different algorithm for the meta
> connections, but I don't think I want to change the behaviour of the Cipher
> option in the 1.0 branch of tinc.
>
> --
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus at tinc-vpn.org>