HI,
On Wed, Aug 05, 2020 at 12:20:54AM +0200, Arne Schwabe wrote:
> > Is that intentional?
>
> Yes. That is intentional. If you do not have any cipher option in the
> config, there is nowadays a very high change that you allow BF-CBC by
> "accident". I encountered this first-hand ("I do want to put as few
> option in a config as possible").
OK, I can see that line of reasoning. This needs to be put very
prominently into the release notes.
Updating on server test success - with the core dump fix, but still
*no* "--cipher" in the server configs, I get
22...
Test sets succeeded: 8.
Test sets failed: 1 2 3 4 6.
23.small...
Test sets succeeded: none.
Test sets failed: 1 2 3 4.
23...
Test sets succeeded: 8 8a 9.
Test sets failed: 1 1a 1b 1d 2 2a 2b 2c 2d 3 4 5 6.
24...
Test sets succeeded: 1 1a 1b 1c 1d 1e 2 2b 2d 2e 3 5 6 8 8a 9.
Test sets failed: 2a 2c 4 4a.
master...
Test sets succeeded: 1 1a 1b 1c 1d 1e 2 2b 2c 2d 2e 3 5 5a 5b 5c 5d 5v1 5v2 5v3
5w1 5w2 5w3 5w4 5x1 5x2 5x3 5x4 6 7 7x 8 8a 9 2f.
Test sets failed: 2a 4 4b.
so the 2.2/2.3-small/2.3 failures are expected.
2a and 2c (for 2.4) is expected, because that's "--ncp-disable"
4 got broken somewhat accidently - this is tap tests, relying on a
secondary client to be connected to ping "across the tap". That client
is using pushed ccd ciphers, which fails in interesting ways
Aug 5 08:39:33 gentoo tap-udp-p2mp[2418]:
freebsd-74-amd64/2001:608:0:814::f000:3 PUSH: No common cipher between server
and client. Server data-ciphers: 'CAMELLIA-128-CBC', client supported ciphers
'AES-256-GCM:AES-128-GCM'
but this error message is misleading - the client has
ncp-ciphers CAMELLIA-128-CBC:AES-256-GCM:AES-128-GCM
in its config, but it's a 2.4 client so cannot signal this to the master.
So we *will* break pushed ciphers to 2.4 client swith non-AEAD ciphers
here. Any idea how to tackle this?
Test run with "cipher bf-cbc" in all server configs next...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
