Hi,

On 17/06/2023 14:06, Giulio wrote:
This package
https://download.copr.fedorainfracloud.org/results/dsommers/openvpn-release-2.6/epel-7-x86_64/06080865-openvpn/openvpn-2.6.5-1.el7.src.rpm
contains
   0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
which contains
    This change makes the server use AES-256-GCM instead of BF-CBC as the default
     cipher for the VPN tunnel.
     --- a/distro/systemd/openvpn-ser...@.service.in
     +++ b/distro/systemd/openvpn-ser...@.service.in
     @@ -10,7 +10,7 @@
     Type=notify
     PrivateTmp=true
     WorkingDirectory=/etc/openvpn/server
    -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf     +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
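Review bot: the `--data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC` added to `ExecStart` is an explicit list that replaces the 2.6 default rather than extending it, so CHACHA20-POLY1305 (which the 2.6 changelog quoted below says is in the default) is no longer offered by the server, and a client advertising only that cipher cannot negotiate a tunnel; the accompanying `--cipher AES-256-GCM` pins a value that 2.6 already selects by default, so it adds nothing here. Suggest dropping both flags from the unit file and letting the 2.6 default apply, or, if an explicit list is required for legacy clients, appending `:CHACHA20-POLY1305` to it and documenting in the patch description why the CBC entries are still kept.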


Is this actually still necessary in openvpn 2.6.x?

Besides, changelog for 2.6 contains
     ...
   CHACHA20-POLY1305 is included in the default of --data-ciphers when available.
    ...
will this patch disable CHACHA-20?

I think so, because the patch is explicitly setting --data-ciphers and it is not including CHACHA20POLY1305.

Do you have clients advertising chachapoly only?

Cheers,


--
Antonio Quartulli
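To make the effect of the patch concrete, here is an added example (not part of the thread or of the openvpn package) that takes a systemd `ExecStart` line, works out which data ciphers the server will actually offer, and runs the OpenVPN negotiation rule (the server walks its own list in preference order and takes the first entry the client also advertises) against a few client cipher sets. The 2.6 default list `AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` is assumed from the changelog line quoted above and applies only when the crypto library provides ChaCha20-Poly1305; the `ExecStart` value is the one from the patch, embedded here as constructed input.

```python
import shlex

# Assumed OpenVPN 2.6 default for --data-ciphers when the option is not set and
# the crypto library provides ChaCha20-Poly1305 (see the 2.6 changelog quote).
DEFAULT_DATA_CIPHERS_26 = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed input: the ExecStart value the patch writes into the unit file.
PATCHED_EXECSTART = (
    "@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 "
    "--suppress-timestamps --cipher AES-256-GCM "
    "--data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf"
)


def parse_cipher_options(exec_start):
    """Return (--cipher value or None, --data-ciphers list or None) from an ExecStart line."""
    argv = shlex.split(exec_start)
    cipher, data_ciphers = None, None
    for i, tok in enumerate(argv[:-1]):
        if tok == "--cipher":
            cipher = argv[i + 1].upper()
        elif tok == "--data-ciphers":
            # An explicit list replaces the default; it is not merged with it.
            data_ciphers = [c.upper() for c in argv[i + 1].split(":") if c]
    return cipher, data_ciphers


def effective_data_ciphers(exec_start, default=DEFAULT_DATA_CIPHERS_26):
    """The list the server will offer: the explicit --data-ciphers if given, else the default."""
    _, explicit = parse_cipher_options(exec_start)
    return list(default) if explicit is None else explicit


def dropped_from_default(exec_start, default=DEFAULT_DATA_CIPHERS_26):
    """Ciphers present in the default list that the explicit list no longer offers."""
    offered = set(effective_data_ciphers(exec_start, default))
    return [c for c in default if c not in offered]


def negotiate(server_list, client_list):
    """Server preference wins: first entry of the server list the client also supports."""
    client = {c.upper() for c in client_list}
    for c in server_list:
        if c in client:
            return c
    return None  # no common cipher: the client cannot connect


if __name__ == "__main__":
    cipher, _ = parse_cipher_options(PATCHED_EXECSTART)
    offered = effective_data_ciphers(PATCHED_EXECSTART)
    print("--cipher pinned to:", cipher)
    print("server offers      :", ":".join(offered))
    print("dropped vs default :", ":".join(dropped_from_default(PATCHED_EXECSTART)))
    # Constructed client profiles: a modern client, and one that only advertises ChaCha20.
    for name, client in [("modern", ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]),
                         ("chacha-only", ["CHACHA20-POLY1305"])]:
        print(f"{name:12s} patched -> {negotiate(offered, client)}  "
              f"default -> {negotiate(DEFAULT_DATA_CIPHERS_26, client)}")
```

Running it shows the patched unit offers `AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC`, drops `CHACHA20-POLY1305` relative to the default, and that a client advertising only ChaCha20-Poly1305 negotiates nothing against the patched server while it would get `CHACHA20-POLY1305` against an unpatched 2.6 default. The same functions can be pointed at a unit file from `systemctl cat openvpn-server@<name>` to audit a deployed server before rolling the package out.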


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
