Hi,

On 04-10-14 13:22, Gert Doering wrote:
> On Thu, Oct 02, 2014 at 11:39:29AM -0400, Joe Patterson wrote:
>> I was considering the possibility of changing my cipher, and was trying to
>> figure out the logistics of it, and it seems like I'm probably stuck with
>> "change everything all at once across all clients and servers", which is
>> kind of painful.
> 
> Yes, this is how it is today.

A possible 'transition plan' is to run a second OpenVPN server on a
different port or IP with a new cipher setting, and then migrate clients
one by one to the new server. Far from perfect, but at least a bit
better than 'change everything all at once'.

> We've started talking about pushable cipher settings, and potentially 
> full client-server cipher negotiations inside the TLS handshake, but
> this did not result in any code yet.

Also, the current code assumes in quite a few places that the same cipher
mode is used for all data channel connections. It needs to be decoupled
before we can start with cipher negotiation.

-Steffan
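The transition plan above, written out as configuration (an added illustration, not part of the original mail or of OpenVPN's own documentation): the old server instance stays on its port with the old cipher, a second instance runs on another port with the new cipher and its own tun device and pool, and each client is moved by changing only its `remote` and `cipher` lines. Hostname, ports, subnets and the cipher names are assumed values chosen for the example; the `cipher` value must match between a client and the server instance it connects to.

```conf
# --- /etc/openvpn/server-old.conf : existing instance, unchanged ---
port 1194
proto udp
dev tun0                      # separate tun device per instance
server 10.8.0.0 255.255.255.0 # separate pool per instance
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC                 # old data-channel cipher (assumed)
auth SHA1
status /var/log/openvpn-old-status.log
keepalive 10 120
persist-key
persist-tun

# --- /etc/openvpn/server-new.conf : second instance with the new cipher ---
port 1195                     # different port, same host (assumed)
proto udp
dev tun1
server 10.9.0.0 255.255.255.0
ca ca.crt                     # same PKI; only the cipher differs
cert server.crt
key server.key
dh dh.pem
cipher AES-256-CBC            # new data-channel cipher (assumed)
auth SHA256
status /var/log/openvpn-new-status.log
keepalive 10 120
persist-key
persist-tun

# --- client.ovpn, BEFORE migration ---
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key

# --- client.ovpn, AFTER migration: only remote/cipher/auth change ---
client
dev tun
proto udp
remote vpn.example.com 1195
cipher AES-256-CBC
auth SHA256
ca ca.crt
cert client.crt
key client.key
```

Once the old instance's status log shows no remaining clients, it can be stopped and its port closed.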

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
