Well, this is unfortunate. Reading your "their cipher setting is sent in the
OCC handshake to the server, and the server can handle different ciphers to
different clients", I thought I'd try setting a cipher in my 2.4.4 client's
configuration (one that the 2.3.10 server said it supported) and then try to
connect to the 2.3.10 server. The connection appeared to work without issue,
then I tried to connect to a remote resource (the 2.3.10 server itself) - no
response (same for a few other remote systems). Tried a different cipher (and
neither was only for TLS mode) - same result. Looks like I need to get to
2.4.something on the server. This is a sad commentary on long-term support
distributions; 2.3.10 came with Ubuntu 16.04. Red Hat/CentOS tends to be
further behind than Ubuntu, I can only imagine what version they're on.
-----Original Message-----
From: Gert Doering <g...@greenie.muc.de>
To: Leroy Tennison <leroy.tenni...@verizon.net>
Cc: openvpn-users <openvpn-users@lists.sourceforge.net>
Sent: Wed, Apr 29, 2020 12:50 am
Subject: Re: [Openvpn-users] cipher selection
Hi,
On Tue, Apr 28, 2020 at 10:23:10PM +0000, Leroy Tennison via Openvpn-users wrote:
> Server is 2.3.10, clients are "various" (but not older than 2.3.10). A few
> questions:
> Is there a way to tell what cipher an active connection is using?
There's "TLS cipher" (which it will log) and "data channel cipher".
Data channel cipher is always the same in 2.3, so "cipher foo", or if
not explicitly configured, bf-cbc (blowfish).
> If I want to set a cipher on the server, do all clients have to be explicitly
> configured the same way?
Yes, because for 2.3 clients, cipher settings can not be pushed.
> Put another way, is there a way to migrate an existing situation to a
> stronger cipher?
> I noticed that 2.4+ has a negotiation option, is that on by default? The
> documentation is rather terse about this feature.
What you can and should do:
- upgrade the server to something less antique (2.4.9). This should
"just work", with no config changes
- all 2.4 clients (or later) will automatically use AES-GCM
(see "man openvpn", "--cipher", "--ncp-ciphers" and "--ncp-disable"
for more discussion)
- older clients will stick to "what they have" - their cipher setting is
sent in the OCC handshake to the server, and the server can handle
different ciphers to different clients
- if one of the 2.3 clients can not be upgraded, you can still put
"cipher <foo>" into its config, and the server will auto-adjust. *BUT*
this <foo> cipher needs to be appended to the server's "--ncp-ciphers"
config - default is
ncp-ciphers AES-256-GCM:AES-128-GCM
so this would need to become
ncp-ciphers AES-256-GCM:AES-128-GCM:foo
so that "cipher foo" is acceptable to the server. (You could just use
"cipher AES-256-GCM" on the client, but a 2.3.x client might be SO old
that it has no AES-GCM support yet)
There's more material on "NCP" (negotiable cipher protocol) and how
to migrate in the openvpn-users list archive.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
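The cipher-selection rules Gert lays out (fixed cipher on 2.3, NCP negotiation on 2.4, legacy clients accepted only if their cipher is in the server's `ncp-ciphers`) can be turned into a small decision model. This is an added illustration written for this thread, not OpenVPN's own code: it assumes a 2.4 pair simply settles on the server's first `ncp-ciphers` entry, and it reduces Leroy's "tunnel up, no traffic" symptom to a `None` result.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults as stated in the thread: 2.4's --ncp-ciphers default and the
# implicit --cipher default (blowfish) when nothing is configured.
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
LEGACY_DEFAULT_CIPHER = "BF-CBC"


@dataclass
class Peer:
    version: Tuple[int, int]                 # (major, minor), e.g. (2, 3)
    cipher: Optional[str] = None             # --cipher, if configured
    ncp_ciphers: Optional[List[str]] = None  # --ncp-ciphers (servers, 2.4+)
    ncp_disable: bool = False                # --ncp-disable

    def supports_ncp(self) -> bool:
        return self.version >= (2, 4) and not self.ncp_disable

    def static_cipher(self) -> str:
        """The single data-channel cipher a non-negotiating peer announces."""
        return (self.cipher or LEGACY_DEFAULT_CIPHER).upper()


def data_channel_cipher(server: Peer, client: Peer) -> Optional[str]:
    """Return the data-channel cipher the pair ends up with, or None when the
    two sides cannot agree (simplified model of the rules in the thread)."""
    if not server.supports_ncp():
        # A 2.3 server uses one fixed cipher for every client and cannot push
        # or negotiate it, so the client must be configured identically.
        s, c = server.static_cipher(), client.static_cipher()
        return s if s == c else None
    allowed = [x.upper() for x in (server.ncp_ciphers or DEFAULT_NCP_CIPHERS)]
    if client.supports_ncp():
        # Both sides negotiate; modelled here as the server's first entry.
        return allowed[0]
    # Legacy client: the server accepts its OCC-announced cipher only if that
    # cipher is also listed in the server's --ncp-ciphers.
    announced = client.static_cipher()
    return announced if announced in allowed else None


if __name__ == "__main__":
    old_server = Peer((2, 3))            # 2.3.10 with no --cipher: BF-CBC
    new_server = Peer((2, 4))            # 2.4.x with default ncp-ciphers
    print(data_channel_cipher(old_server, Peer((2, 4), cipher="AES-256-CBC")))  # None
    print(data_channel_cipher(new_server, Peer((2, 3), cipher="AES-256-CBC")))  # None
    fixed = Peer((2, 4), ncp_ciphers=DEFAULT_NCP_CIPHERS + ["AES-256-CBC"])
    print(data_channel_cipher(fixed, Peer((2, 3), cipher="AES-256-CBC")))  # AES-256-CBC
```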