On Mon, Nov 7, 2016 at 10:46 PM, Gert Doering <g...@greenie.muc.de> wrote:

>  - 2.4 client talking to 2.4 server will send a special handshake
> (IV_NCP=2)
>    which signals "I can do pushable cipher, and I can do AES-GCM", so the
>    server will (usually) send back "cipher AES-256-GCM" and move itself
>    to AES-256-GCM as well.
>

All right, let's get this clear for me and for others :-)

If I have a 2.4 server, I can set it to "cipher BF-CBC" and keep all the
2.3 clients happy. Then I can migrate the clients to 2.4 (even with "cipher
BF-CBC" too), and as they come in, they negotiate before "cipher" matters
and go AES-256-GCM: basically "--cipher" is ignored in 2.4+ transactions?
Or I can migrate the clients to 2.4 with "cipher BF-CBC", and when they
fail to negotiate with the 2.3 server, they'll still be happy, and then
when I migrate the server to 2.4, they all auto-update to AES.

Is that correct? That would be perfect, as then no dual infrastructure would
be required.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
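Added illustration, not part of the thread and not from the OpenVPN project: a 2.4 server configuration for the migration described above. "cipher" stays at BF-CBC as the fallback for peers that cannot negotiate (2.3 and older), while "ncp-ciphers" (new in 2.4, and this list is its default) is what gets pushed to peers that announce IV_NCP=2. The certificate, key and address values are placeholders.

```conf
# Added example (not from the thread). OpenVPN 2.4 server that still
# serves 2.3 clients during a cipher migration. File names and
# addresses are placeholders.
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
server 10.8.0.0 255.255.255.0

# Fallback data-channel cipher. Only used with peers that do not
# negotiate (2.3 and older), so it must match those clients' --cipher.
# Remove it, or change it to an AES cipher, once no 2.3 clients remain.
cipher BF-CBC

# Cipher list offered to peers that send IV_NCP=2 (2.4 and later).
# The first entry both sides support is pushed and replaces the
# --cipher value above for that session. This is the 2.4 default,
# written out so the intent is visible in the config.
ncp-ciphers AES-256-GCM:AES-128-GCM
```

With this in place a 2.4 client that still carries "cipher BF-CBC" falls back to BF-CBC against a 2.3 server and negotiates AES-256-GCM against this 2.4 server with no change to its own config. Negotiation can be switched off on either side with "ncp-disable" (also new in 2.4), in which case the session uses "cipher" as before; check the server log after the upgrade to confirm the 2.4 peers actually land on AES-GCM rather than the fallback.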
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users