Upstream here:
- Dropping of --cipher is not a sudden change in 2.6. OpenVPN 2.5 was
already warning about this. Furthermore, unless you have an OpenVPN 2.3
peer (quite old; 2.4.0 came out in 2016) or deliberately configured 2.4+ in
a wacky way, server and client will negotiate AES-256-GCM. So proper VPN
configurations should not be affected.
More details about the cipher negotiation can be read here:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
- OpenVPN master is a development branch, so even though our branch should be
stable at all times, it is not as well tested. The version that is in
Debian *additionally* uses an experimental patch set on top of that.
From my understanding as well, this version was never intended to make it
into any stable distribution but was more for testing/getting it stable.
For the deprecations and changes: OpenVPN 2.5 already drops --cipher if
not set, to avoid using/allowing BF-CBC. OpenSSL 3.0 just accelerated the
process, and I backported a number of patches from master to 2.5 to
address the most pressing issues with OpenSSL 3.0.
Just reverting 65f6da8ee in master is a really bad idea, as other parts
of OpenVPN (especially with the DCO patches on top) already make
assumptions that --cipher no longer specifies a valid cipher.
Furthermore, the configs that rely on this are broken. You should rather
advise users to use compat-mode instead
(https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/generic-options.rst).
Arne
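The configuration situation described in the message above, as an added example that is not part of the original message and not the OpenVPN project's own sample config: an old-style client config that relies on --cipher alone, followed by the two ways to handle it on 2.5/2.6. Host name, port, file names and the 2.3.0 version argument are placeholder values chosen for illustration.

```conf
# --- Old-style config: relies on --cipher alone ---------------------------
# With a pre-2.4 peer there is no cipher negotiation, so the data channel
# ends up using whatever "cipher" says (here BF-CBC, the legacy default).
# OpenVPN 2.6 no longer treats --cipher as the data-channel cipher, and
# BF-CBC is not available in OpenSSL 3.0 without the legacy provider.
client
dev tun
proto udp
remote vpn.example.org 1194        # placeholder endpoint
ca ca.crt                          # placeholder file names
cert client.crt
key client.key
cipher BF-CBC                      # legacy 64-bit block cipher

# --- Fix 1 (what a "proper" 2.4+/2.5+ setup already does) -----------------
# Both ends negotiate the first AEAD cipher they share from data-ciphers
# (this option replaced --ncp-ciphers in 2.5). No "cipher" line is needed;
# the message's point is that such configs are unaffected by the change.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# --- Fix 2 (only when an OpenVPN 2.3 peer cannot be upgraded) -------------
# compat-mode <version> re-enables the legacy defaults needed to talk to a
# peer of that version; the generic-options manual page linked in the
# message lists exactly which defaults change at which version.
# 2.3.0 is an example value: the message names a 2.3 peer as the only
# realistic case. Because such a peer cannot negotiate, both sides must be
# configured with the same cipher, so pick one OpenSSL 3.0 still ships
# by default rather than BF-CBC.
compat-mode 2.3.0
cipher AES-256-CBC
```

Fix 1 and Fix 2 are alternatives, not meant to be combined in one file; a real config would keep only the block that matches its peer. If the old peer really must stay on BF-CBC, OpenSSL 3.0 additionally requires loading its legacy provider (OpenVPN 2.6's --providers option), which is a further reason to move the peer to an AES cipher instead.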