On 05.05.15 at 17:47, Steffan Karger wrote:
> As reported in trac tickets #304, #358 and #359 (and possibly more), the
> usage and interpretation of --tls-cipher (and --show-tls) is tricky. This
> patch extends the man page to explain those a bit better and point out
> that --tls-cipher is an expert feature (i.e. easy to get wrong). Also add
> a notice to the --show-tls output, referring to the man page explanation.

ACK. Also note that even my app has a FAQ related to tls-cipher:
Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman), causes some problems. This is usually caused by well-intentioned but poorly executed attempts to strengthen TLS security by setting tls-cipher on the server, or by some embedded OSes with stripped-down SSL (e.g. MikroTik). To solve this problem, set the tls-cipher setting on the server to a reasonable default like tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA". To work around the problem on the client, add the custom option tls-cipher DEFAULT on the Android client.
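The FAQ's failure mode can be reproduced offline by expanding the cipher strings with the same OpenSSL cipher-list logic OpenVPN's --tls-cipher uses. The block below is an added example, not part of the thread or of OpenVPN for Android; the "kRSA" server string stands in for a server that was restricted to non-PFS suites, and the Kx= parsing assumes the `openssl ciphers -v` description format that Python's ssl module exposes.

```python
import ssl

# Constructed for this example: the Android default from the FAQ, and a
# server that (badly) pinned itself to RSA key exchange only.
ANDROID_DEFAULT = "DEFAULT:!EXP:!PSK:!SRP:!kRSA"
BROKEN_SERVER = "kRSA"


def allowed_suites(spec):
    """Map suite name -> key-exchange method for every TLS <= 1.2 suite that
    an OpenSSL cipher-list string selects, in OpenSSL's preference order.
    TLS 1.3 suites are skipped because they are not governed by this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # OpenSSL reports "no cipher match" for an empty list
        return {}
    suites = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like: "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA ..."
        kx = next(f.split("=", 1)[1] for f in c["description"].split()
                  if f.startswith("Kx="))
        suites[c["name"]] = kx
    return suites


def negotiable(client_spec, server_spec):
    """Suites both ends accept, in client order. Empty means the TLS
    handshake behind the OpenVPN control channel cannot succeed."""
    server = allowed_suites(server_spec)
    return [name for name in allowed_suites(client_spec) if name in server]


def uses_rsa_key_exchange(spec):
    """True if the string still permits any non-PFS (Kx=RSA) suite."""
    return any(kx == "RSA" for kx in allowed_suites(spec).values())


if __name__ == "__main__":
    print("Android default excludes kRSA:", not uses_rsa_key_exchange(ANDROID_DEFAULT))
    print("Android default vs kRSA-only server:", negotiable(ANDROID_DEFAULT, BROKEN_SERVER))
    print("Server fixed to the same default:", negotiable(ANDROID_DEFAULT, ANDROID_DEFAULT)[:3])
    print("Client workaround 'DEFAULT':", negotiable("DEFAULT", BROKEN_SERVER)[:3])
```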