Old 3DES:
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

openssl 1.0.2l does not support it anymore.

openssl ciphers -v 'ALL:eNULL'|grep DES
-> nothing

but

openssl ciphers -v 'ALL:eNULL'|grep DSS
->
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1

and it should be IANA "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"

If I set this with tls-cipher in server and client, it fails with:

server side:
Aug 7 12:27:14 rfip-ovpnbb-3.mdex.de ovpn-fixedip[14340]: 172.17.35.10:32844 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.

Client side:
nothing after "Tue Aug 7 12:27:06 2018 TLS: Initial packet from..."

On 07.08.2018 at 11:22, Eike Lohmann wrote:
> Hi,
>
> I want to use weak tls-ciphers with
>
> OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11]
> [MH/PKTINFO] [AEAD] built on Jul 18 2017
> library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
>
> so I defined them with:
>
> tls-cipher "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"
>
> but if I try to use the 2nd, 3rd and 4th I always get, only the first is
> working:
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
>
> TLS error: The server has no TLS ciphersuites in common with the client. Your
> --tls-cipher setting might be too restrictive.
>
>
> 3 of 4 are not in the --show-tls list:
>
> Available TLS Ciphers,
> listed in order of preference:
>
> TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
> TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
> TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-256-CBC-SHA
> TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
> TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
> TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
> TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
> TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
> TLS-DHE-RSA-WITH-AES-128-CBC-SHA
> TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
>
>
> This patch describes that I can use weak ciphers:
>
> http://article.gmane.org/gmane.network.openvpn.devel/11455
>
>
> What are my options right now, if I try to support old hardware routers?
>
>
> Thanks for any help!
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users