On Sat, Jun 16, 2018 at 12:58 PM, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Sat, Jun 16, 2018 at 12:29:27AM +0300, Alex K wrote:
> > Hi all,
> >
> > I have a server/client setup where I have set the following directive at
> > server and client:
> >
> > cipher AES-128-CBC
> >
> > When establishing VPN at client logs I see:
> >
> > Fri Jun 15 17:25:22 2018 Data Channel Encrypt: *Cipher 'AES-256-GCM'* initialized with 256 bit key
> [..]
> > The log indicates that Cipher AES-256-GCM is used. Am I missing something? Is
> > this expected?
>
> cipher-negotiation decided that something "better" is available :-)
>

Is AES-128-CBC insecure? I was thinking of using it to reduce the
encapsulation overhead and perhaps the CPU utilization that AES-256-GCM
might incur.
I am running VPN clients on small devices.


> The manpage mentions this in the --cipher section:
>
>        --cipher alg
>               Encrypt data channel packets with cipher algorithm alg.
>
>               The default is BF-CBC, an abbreviation for Blowfish in Cipher
>               Block Chaining mode.  When cipher negotiation (NCP) is allowed,
>               OpenVPN 2.4 and newer on both client and server side will
>               automatically upgrade to AES-256-GCM.  See --ncp-ciphers and
>               --ncp-disable for more details on NCP.
>
> So, if you do not want that, configure --ncp-disable on either end.
>

Thanks, it is now clear.

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
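
An added example, not part of the original thread or of OpenVPN: a small Python check that compares the `cipher` directive in a config with the data-channel cipher the log reports, using the log line format quoted above. The function names and sample inputs are constructed for illustration, and the `Data Channel Decrypt` line is assumed to have the same shape as the `Encrypt` line.

```python
import re

# Log line shape taken from the thread; "Decrypt" is assumed to look the same.
LOG_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")

def parse_config(text):
    """Extract the data-channel settings relevant to NCP from a config file."""
    cfg = {"cipher": "BF-CBC", "ncp_disable": False, "ncp_ciphers": None}  # BF-CBC: manpage default
    for raw in text.splitlines():
        parts = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if not parts:
            continue
        key = parts[0].lstrip("-")
        if key == "cipher" and len(parts) > 1:
            cfg["cipher"] = parts[1].upper()
        elif key == "ncp-disable":
            cfg["ncp_disable"] = True
        elif key == "ncp-ciphers" and len(parts) > 1:
            cfg["ncp_ciphers"] = [c.upper() for c in parts[1].split(":")]
    return cfg

def negotiated_ciphers(log_text):
    """Map direction -> (cipher, key bits); later log entries win."""
    seen = {}
    for m in LOG_RE.finditer(log_text):
        seen[m.group(1).lower()] = (m.group(2).upper(), int(m.group(3)))
    return seen

def audit(config_text, log_text):
    """Report each direction whose negotiated cipher differs from --cipher."""
    cfg = parse_config(config_text)
    findings = []
    for direction, (cipher, bits) in sorted(negotiated_ciphers(log_text).items()):
        if cipher == cfg["cipher"]:
            continue
        if cfg["ncp_disable"]:
            why = "ncp-disable is set, so a mismatch is unexpected"
        else:
            why = "NCP is allowed; set ncp-disable or restrict ncp-ciphers"
        findings.append(f"{direction}: configured {cfg['cipher']}, got {cipher} ({bits} bit): {why}")
    return findings

# Constructed sample input modelled on the configuration and log line in the thread.
SAMPLE_CONFIG = "client\ncipher AES-128-CBC\n"
SAMPLE_LOG = "\n".join(
    f"Fri Jun 15 17:25:22 2018 Data Channel {d}: Cipher 'AES-256-GCM' initialized with 256 bit key"
    for d in ("Encrypt", "Decrypt"))
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_LOG)` returns one finding per direction, each noting that NCP replaced the configured AES-128-CBC with AES-256-GCM.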