On Sat, Jun 16, 2018 at 12:58 PM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Sat, Jun 16, 2018 at 12:29:27AM +0300, Alex K wrote:
> > Hi all,
> >
> > I have a server/client setup where I have set the following directive at
> > server and client:
> >
> > cipher AES-128-CBC
> >
> > When establishing the VPN, in the client logs I see:
> >
> > Fri Jun 15 17:25:22 2018 Data Channel Encrypt: *Cipher 'AES-256-GCM'* initialized with 256 bit key
> [..]
> > The log indicates that Cipher AES-256-GCM is used. Am I missing something? Is
> > this expected?
>
> cipher-negotiation decided that something "better" is available :-)
>
Is AES-128-CBC insecure? I was thinking of using it to reduce the
encapsulation overhead and perhaps the CPU utilization that AES-256-GCM
might incur.
I am running VPN clients on small devices.

> The manpage mentions this in the --cipher section:
>
>    --cipher alg
>        Encrypt data channel packets with cipher algorithm alg.
>
>        The default is BF-CBC, an abbreviation for Blowfish in Cipher
>        Block Chaining mode. When cipher negotiation (NCP) is allowed,
>        OpenVPN 2.4 and newer on both client and server side will
>        automatically upgrade to AES-256-GCM. See --ncp-ciphers and
>        --ncp-disable for more details on NCP.
>
> So, if you do not want that, configure --ncp-disable on either end.
>
Thanks, it is now clear.

> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
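
The mismatch discussed in this thread, as an added example (not part of the original messages and not OpenVPN project code): a small Python check that compares the `cipher` directive in a config file with the cipher the log reports for the data channel. The function names, the sample config and the Decrypt log line are constructed for illustration; the Encrypt line is the one quoted in the thread.

```python
import re

# Matches the log line quoted in the thread, e.g.
#   Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
DATA_CH = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized")

def parse_config(text):
    """Collect cipher, ncp-disable and ncp-ciphers from an OpenVPN config."""
    cfg = {"cipher": None, "ncp_disable": False, "ncp_ciphers": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        key = parts[0].lstrip("-")           # accept "--cipher" and "cipher"
        if key == "cipher" and len(parts) > 1:
            cfg["cipher"] = parts[1].upper()
        elif key == "ncp-disable":
            cfg["ncp_disable"] = True
        elif key == "ncp-ciphers" and len(parts) > 1:
            cfg["ncp_ciphers"] = parts[1].upper().split(":")
    return cfg

def audit(config_text, log_text):
    """Return one finding per data-channel cipher that differs from --cipher."""
    cfg = parse_config(config_text)
    in_use = sorted({m.group(1).upper() for m in DATA_CH.finditer(log_text)})
    return [
        {"configured": cfg["cipher"], "in_use": c, "ncp_disabled": cfg["ncp_disable"]}
        for c in in_use
        if cfg["cipher"] and c != cfg["cipher"]
    ]

# Constructed sample input: the directive from the thread plus its log line
# (the Decrypt line is constructed to mirror the quoted Encrypt line).
SAMPLE_CONFIG = "client\ncipher AES-128-CBC\n"
SAMPLE_LOG = (
    "Fri Jun 15 17:25:22 2018 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
    "Fri Jun 15 17:25:22 2018 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
)

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_LOG):
        note = "ncp-disable is set" if f["ncp_disabled"] else "NCP negotiated a different cipher"
        print(f"--cipher {f['configured']} but data channel uses {f['in_use']} ({note})")
```

An empty result means every data-channel cipher in the log matches the configured `cipher`.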