Hi,

On Tue, Jun 18, 2024 at 12:52:58PM +0200, Eike Lohmann wrote:
> on a flavor we have
>
> - clients with comp-lzo in their local config and we have no access to these
> clients. (can't change it)
>
> - very old clients below 2.3 (no peer info)
These really should be upgraded to 2.4+
> - also "modern" clients of all versions 2.3.2 - 3.8.5
2.3.x is not "modern" by any definition of modern...
> Our minimum cipher is AES-256-CBC as fallback; since when is AES-256-CBC
> supported by OpenVPN? That could reveal the minimum client version.
CBC might work with those ancient versions, but the client will not
signal what it supports - and I think 2.3.x might not accept pushed
ciphers anyway. Versions before 2.3.0 will definitely not support
pushed ciphers - and if you touch them to add "cipher AES-256-CBC",
upgrading is a better strategy.
> --allow-compression asym
>
> can be set, but clients will still compress. Clients without it can't connect.
Yep. This is basically not configuring compression, but allowing other
compression options (2.6 will refuse configs with "compress <anything>" by
default). "asym" will allow compression options, to accept incoming
compressed packets, but still not use it for outgoing packets.
This is not what you want :-)
> --compress migrate
>
> clients > 2.3 get pushed "stub-v2" all other "comp-lzo no".
>
> What happens to clients which do not support it? e.g. 2.2.x
As far as I remember, "comp-lzo no" has always been there.
> This parameter is not documented in the reference manual, it is still
> supported in 2.6 and how long it may be supported?
Which one? "compress migrate"? That is brand new and has only been
introduced into 2.6 :-) - so this will stay for a long time.
"comp-lzo no" might go away, but for 2.6+ clients, it's not needed anyway.
> What could be the best way to operate it with a little attack surface
> (voracle) but remaining compatibility for old clients?
"--compress migrate" on the server was made specifically for this.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
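The server-side change the reply recommends, written out as an added example (this is not configuration from the thread or from the OpenVPN project; it assumes an otherwise complete OpenVPN 2.6 server config whose certificate, key, dev and network lines are omitted here):

```conf
# server.conf fragments - added example, not from the post.
# Assumes the rest of a working OpenVPN 2.6 server config (ca/cert/key/dh,
# dev, server subnet, etc.) is present and unchanged.

## Before: the server compresses its own outgoing traffic, so a
## compression-oracle attack (VORACLE) applies to everything it sends,
## and 2.6 clients with "compress <anything>" in their config refuse to
## start unless they also set "allow-compression".
# comp-lzo

## After: stop compressing outgoing data while keeping old clients connecting.
## Clients that understand it are pushed "compress stub-v2" (compression
## framing only, no actual compression); older clients that still carry
## "comp-lzo" in their local config are pushed "comp-lzo no" instead.
compress migrate
```

"compress migrate" replaces any "comp-lzo" or "compress" line on the server; do not keep both. The per-client choice is visible on the client side as the pushed option in its PUSH_REPLY log line, which is the quickest way to confirm that a given old client is being handed "comp-lzo no" rather than a stub-v2 it cannot parse.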
