Gert Doering wrote:
Hi,
On Tue, Jul 30, 2013 at 04:57:31PM +0200, Ralf Hildebrandt wrote:
I was wondering about this as well. This makes it extremely hard to
every change the cipher (i.e. if it's not considered "safe" anymore)
It needs to be implemented, tested, etc. - and I'm not sure right now
whether it can be done at all without changing the openvpn protocol in
an incompatible way. It might work, it might not.
JJK might know more whether it can be done at all...
I'm CC'ing in the openvpn-devel list as I hope that some on that list
can comment :)
It should be possible to add negotiation without completely breaking
backwards compatibility; right now, when a server pushes an option to
the client that is unrecognized the client will print a warning but it
will not abort. This could be used to push a 'negotation request' - if
the client responds then a negotation phase can start , during which the
encryption key, hashing cipher, MTU settings etc can be negotiated. If
the client does not respond the server would need to assume that it's a
2.3 or older client.
This is quite an extensive change however, especially as the client
needs to send back information (similar to the PUSH_PEER_INFO stuff).
If someone knows of a better way to add a negotiation phase (esp BEFORE
the push/pull phase has started) without breaking older clients then I'd
be happy to hear about it.
cheers,
JJK
