> > Second thing, more of a comment: 127 feels really low. 'AES-256-GCM' is
> > 11 characters, so 127 / 12 (11 chars and a separator) says you're
> > limiting to about 10 ciphers. If I do `openvpn --show-ciphers` there's
> > a LOT of data there. I'd think, for future-proofing, you'd want to
> > allow for a lot more possibilities. Just an opinion though.
> 
The main problem is the wire protocol at the moment. The whole packet with IVs has to fit into one control channel packet with 1280 bytes. So I want to be conservative here. And limiting to 10 ciphers should be more than enough. I don't think any reasonable setup should have that many allowed ciphers.

At the moment we have AES-GCM-256 or AES-GCM-128 and ChaCha20-Poly1305. Maybe 2 others. For your VPN setup you probably pick one of those, maybe 2. Then there is still more than enough room for the future expansions.

And if I look at show-ciphers of my OpenSSL 1.1.1 compiled OpenVPN and ignore duplicate/weak ciphers and limit myself to one block size, the list is not very long: ARIA-256-CBC, ChaCha20-Poly1305, AES-256-GCM, CAMELLIA-256-CBC, SEED-CBC, SM4-CBC.

Arne
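The sizing argument in this exchange (11-character names plus a separator, against a 127-byte field) is easy to get wrong when the list is assembled in a fixed buffer. The following C example, added here and not code from OpenVPN or from either poster, builds a colon-separated cipher list into a bounded buffer and fails closed instead of silently dropping a cipher that does not fit. The 127-byte limit (`CIPHER_LIST_MAX`), the helper names and the sample list built from Arne's message are assumptions of this example, not OpenVPN constants.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed payload budget for the cipher list, taken from the thread's
 * "127" figure; this is an assumption of the example, not an OpenVPN
 * constant. It counts bytes on the wire, so no terminating NUL. */
#define CIPHER_LIST_MAX 127

/* Sample list constructed from the ciphers named in the reply above. */
const char *const kSampleCiphers[] = {
    "ARIA-256-CBC", "ChaCha20-Poly1305", "AES-256-GCM",
    "CAMELLIA-256-CBC", "SEED-CBC", "SM4-CBC",
};
const size_t kSampleCipherCount =
    sizeof(kSampleCiphers) / sizeof(kSampleCiphers[0]);

/* How many names of a fixed length fit in a field of field_size bytes
 * when joined by a one-byte separator: n names need n*len + (n-1)
 * bytes, i.e. n <= (field_size + 1) / (len + 1). */
size_t max_ciphers_that_fit(size_t name_len, size_t field_size)
{
    return (field_size + 1) / (name_len + 1);
}

/* Join n cipher names with ':' into out (out_size bytes, NUL-terminated).
 * Returns the number of names written, or -1 if any name would not fit.
 * Failing closed here matters: truncating a configured list silently
 * would change which ciphers a peer is offered without anyone noticing. */
int join_cipher_list(const char *const *ciphers, size_t n,
                     char *out, size_t out_size)
{
    if (!ciphers || !out || out_size == 0)
        return -1;
    out[0] = '\0';
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(ciphers[i]);
        size_t need = len + (i > 0 ? 1 : 0);   /* separator before 2nd+ */
        if (used + need + 1 > out_size) {       /* +1 keeps room for NUL */
            out[0] = '\0';
            return -1;
        }
        if (i > 0)
            out[used++] = ':';
        memcpy(out + used, ciphers[i], len);
        used += len;
        out[used] = '\0';
    }
    return (int)n;
}

int main(void)
{
    char buf[CIPHER_LIST_MAX + 1];   /* +1 for the NUL; 127 usable bytes */
    int written = join_cipher_list(kSampleCiphers, kSampleCipherCount,
                                   buf, sizeof buf);
    printf("%d ciphers, %zu bytes: %s\n", written, strlen(buf), buf);
    printf("11-char names that fit in %d bytes: %zu\n", CIPHER_LIST_MAX,
           max_ciphers_that_fit(11, CIPHER_LIST_MAX));
    return written < 0;
}
```

Run as is, the six ciphers from the reply join to 76 bytes, well inside the 127-byte field, and the capacity helper reproduces the "about 10" estimate from the quoted message for 11-character names.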
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel