24.01.2017 16:31, Gert Doering wrote:
> Hi,
>
> On Tue, Jan 24, 2017 at 04:09:29PM +0400, Dmitry Melekhov wrote:
>>>> and found that servers successfully uses blowfish for some old clients,
>>>> but for others not:
>>> It depends on whether the client sends OCC info about its config - if it
>>> doesn't send that (like "because it was compiled with --disable-occ")
>>> the server will have to use what is configured.
>> I see, it's very pity :-(
>> Because, it means that there is no cipher info on server on such
>> clients, server will use default,
>> i.e. I can't run some of this old clients with blowfish and others with aes.
> Well. If you *know* which of the old clients have been upgraded to AES,
> you should be able to put "cipher AES..." into a ccd/ file for that client
> (I haven't tested it with 2.4.0-final - it worked for a hacked-together
> variant I did that later became the much more cleaned-up official version of
> poor man's NCP by Steffan). Technically it should work...

Thank you for the idea, I'll try this asap.

>
>>>> But, according to man servers has to choose blowfish:
>>> Default is blowfish, so that's OK. Just do configure the same "cipher"
>>> on both old-clients-without-OCC and new-server.
>>>
>> This ruins my plans to change ciphers on clients one by one, i.e.
>> we need to change it on clients and the same time and on server,
>> this is almost impossible :-(
>>
>> Well, I just need another plan .... ;-)
> Try ccd/ :-) - if that doesn't work, the plan will have to be "upgrade
> the clients to something that sends OCC info, and bug the router vendor
> in question not to use --enable-small and/or upgrade to 2.4.0"...
>

I guess the router vendor will ignore us, because we are not their main customer. Anyway, we have several (namely two) servers, so we can just tell clients to use one of them and have different default ciphers on them for some time....
