Hi,

On Tue, Apr 28, 2020 at 10:23:10PM +0000, Leroy Tennison via Openvpn-users wrote:
> Server is 2.3.10, clients are "various" (but not older than 2.3.10).  A few 
> questions:
> Is there a way to tell what cipher an active connection is using?

There's "TLS cipher" (which it will log) and "data channel cipher".

Data channel cipher is always the same in 2.3, so "cipher foo", or if
not explicitly configured, bf-cbc (blowfish).

> If i want to set a cipher on the server, do all clients have to be explicitly 
> configured the same way?

Yes, because for 2.3 clients, cipher settings cannot be pushed.

> Put another way, is there a way to migrate an existing situation to a 
> stronger cipher?
> I noticed that 2.4+ has a negotiation option, is that on by default? The 
> documentation is rather terse about this feature.

What you can and should do:

 - upgrade the server to something less antique (2.4.9).  This should
   "just work", with no config changes

 - all 2.4 clients (or later) will automatically use AES-GCM
   (see "man openvpn", "--cipher", "--ncp-ciphers" and "--ncp-disable"
   for more discussion)

 - older clients will stick to "what they have" - their cipher setting is
   sent in the OCC handshake to the server, and the server can handle
   different ciphers to different clients

 - if one of the 2.3 clients cannot be upgraded, you can still put
   "cipher <foo>" into its config, and the server will auto-adjust.  *BUT*
   this <foo> cipher needs to be appended to the server's "--ncp-ciphers"
   config - default is
 
      ncp-ciphers AES-256-GCM:AES-128-GCM

   so this would need to become

      ncp-ciphers AES-256-GCM:AES-128-GCM:foo

   so that "cipher foo" is acceptable to the server.  (You could just use
   "cipher AES-256-GCM" on the client, but a 2.3.x client might be SO old
   that it has no AES-GCM support yet)


There's more material on "NCP" (negotiable cipher protocol) and how
to migrate in the openvpn-users list archive.

gert 

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
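An added migration check for the situation discussed in the message above (example code, not part of the original thread or of OpenVPN itself): given a 2.4 server config and the configs of 2.3 clients that cannot negotiate, it reports which clients the server would refuse and the ncp-ciphers line that would accept them all. The sample configs are constructed; the accept rule it assumes is that a legacy client's OCC-advertised cipher is accepted when it appears in ncp-ciphers or matches the server's own "cipher" fallback.

```python
"""NCP migration audit: legacy 2.3 clients vs. a 2.4 server's ncp-ciphers list."""
from typing import Dict, List, Optional, Tuple

# Constructed sample configs (not taken from the thread).
SERVER_CONF = "port 1194\ndev tun\ncipher AES-256-CBC\nncp-ciphers AES-256-GCM:AES-128-GCM\n"
LEGACY_CLIENTS = {
    "old-default": "client\nremote vpn.example.invalid 1194\n",   # no cipher line -> bf-cbc
    "old-aes-cbc": "client\ncipher AES-256-CBC\n",                # matches server fallback
    "old-camellia": "client\ncipher CAMELLIA-128-CBC  # legacy\n",
}

def directive(conf: str, name: str) -> Optional[str]:
    """Argument of the last `name` directive in an OpenVPN config (comments stripped), or None."""
    value = None
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(words) > 1 and words[0] == name:
            value = words[1]
    return value

def ncp_ciphers(server_conf: str) -> List[str]:
    """The server's negotiable list; the 2.4 default applies when the directive is absent."""
    raw = directive(server_conf, "ncp-ciphers") or "AES-256-GCM:AES-128-GCM"
    return [c.upper() for c in raw.split(":") if c]

def legacy_cipher(client_conf: str) -> str:
    """A 2.3 client cannot negotiate: it uses its 'cipher' line, else bf-cbc."""
    return (directive(client_conf, "cipher") or "BF-CBC").upper()

def audit(server_conf: str, legacy_clients: Dict[str, str]) -> Tuple[List[str], str]:
    """Return (clients the server would refuse, an ncp-ciphers line that accepts them all).
    Assumed 2.4 rule: a non-NCP client's cipher is accepted if it is in ncp-ciphers
    or equals the server's own 'cipher' fallback (bf-cbc when unset)."""
    allowed = ncp_ciphers(server_conf)
    fallback = (directive(server_conf, "cipher") or "BF-CBC").upper()
    rejected, needed = [], list(allowed)
    for name, conf in legacy_clients.items():
        c = legacy_cipher(conf)
        if c not in allowed and c != fallback:
            rejected.append(name)
            if c not in needed:
                needed.append(c)          # append, as the message advises, rather than replace
    return rejected, "ncp-ciphers " + ":".join(needed)

if __name__ == "__main__":
    refused, fixed_line = audit(SERVER_CONF, LEGACY_CLIENTS)
    print("refused:", refused)
    print("suggested server line:", fixed_line)
```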