On Thu, Jul 28, 2016 at 11:28 PM, Yevgeny Kosarzhevsky <phao...@gmail.com> wrote:
> On 25 July 2016 at 12:18, Steffan Karger <stef...@karger.me> wrote:
>> This is likely due to the ECDHE part - this is not supported for
>> OpenVPN 2.3 with OpenSSL (it is for PolarSSL). Use DHE instead, or
>> switch to the OpenVPN master branch. The master branch does have
>> ECDH(E) support for OpenSSL too.
>
> I am getting this cipher in the list of supported ciphers shown by the --show-tls
> option on both sides. So I consider there is something wrong. Maybe it
> makes sense not to show unsupported ciphers?

Yes, that would make sense, but we can't. Primarily because OpenSSL does not provide an interface to do so, but also because we don't know up front what kind of certificates will be used, and whether OpenVPN will be run as a client or server (client-side support for ECDH should work with ovpn-2.3 + openssl too, but I didn't test).

-Steffan
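Since `--show-tls` cannot hide suites the running build will never negotiate, the check has to happen on the configuration side. The following Python lint is an added example, not code from this thread or from the OpenVPN project: it reads the `tls-cipher` directive of a constructed server config, flags ECDHE entries (in both the OpenSSL `ECDHE-...` and the `TLS-ECDHE-...` spelling that OpenVPN accepts, which goes slightly beyond the single suite discussed above), proposes the DHE counterpart by plain name substitution (an assumption; confirm the proposed names against `--show-tls`), and warns when a DHE-only list is left without a `dh` directive. The `ecdhe_supported` flag models the distinction made in the reply between OpenVPN 2.3 with OpenSSL (ECDHE unusable server-side) and builds that do support it.

```python
"""Lint an OpenVPN config's tls-cipher list for ECDHE suites.

Constructed example, not from the mailing list or the OpenVPN project.
On OpenVPN 2.3 built against OpenSSL, server-side ECDHE key exchange is
unavailable even though `--show-tls` lists the ECDHE suites, so a
tls-cipher list consisting only of ECDHE-* entries leaves no usable suite.
The DHE-* replacement is a bare name substitution (assumption).
"""
import re
import shlex
from dataclasses import dataclass, field

# Matches both "ECDHE-RSA-AES256-GCM-SHA384" and "TLS-ECDHE-RSA-WITH-...".
ECDHE_PREFIX = re.compile(r"^(TLS-)?ECDHE-")


@dataclass
class TlsCipherReport:
    ciphers: list = field(default_factory=list)      # suites as written
    unsupported: list = field(default_factory=list)  # ECDHE entries flagged
    usable: list = field(default_factory=list)       # entries left after filtering
    suggestions: dict = field(default_factory=dict)  # flagged name -> DHE name
    warnings: list = field(default_factory=list)     # human-readable findings


def parse_directives(config_text: str) -> dict:
    """Map each directive name to its argument list (first occurrence wins).
    Comments starting with '#' or ';' are dropped before tokenising."""
    directives = {}
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] not in directives:
            directives[tokens[0]] = tokens[1:]
    return directives


def parse_tls_cipher(config_text: str) -> list:
    """Return the colon-separated suite names from `tls-cipher`, or []."""
    args = parse_directives(config_text).get("tls-cipher", [])
    return [c for c in args[0].split(":") if c] if args else []


def lint_tls_cipher(config_text: str, ecdhe_supported: bool = False) -> TlsCipherReport:
    """Flag ECDHE suites when the build cannot negotiate them and report
    whether any usable suite remains."""
    directives = parse_directives(config_text)
    report = TlsCipherReport(ciphers=parse_tls_cipher(config_text))
    for name in report.ciphers:
        if not ecdhe_supported and ECDHE_PREFIX.match(name):
            report.unsupported.append(name)
            # Keep the optional "TLS-" prefix, drop the "EC" of "ECDHE".
            report.suggestions[name] = ECDHE_PREFIX.sub(
                lambda m: (m.group(1) or "") + "DHE-", name)
        else:
            report.usable.append(name)
    if report.ciphers and not report.usable:
        report.warnings.append(
            "tls-cipher contains only ECDHE suites; no usable suite on this build")
    # DHE suites need Diffie-Hellman parameters on the server side.
    if any("DHE-" in c and not ECDHE_PREFIX.match(c) for c in
           report.usable + list(report.suggestions.values())) and "dh" not in directives:
        report.warnings.append("DHE suites selected but no 'dh' directive present")
    return report


# Constructed sample server config (not a real deployment).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# no 'dh' line on purpose
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    rep = lint_tls_cipher(SAMPLE_SERVER_CONF)
    for bad in rep.unsupported:
        print(f"unsupported on 2.3+OpenSSL: {bad} -> try {rep.suggestions[bad]}")
    for w in rep.warnings:
        print("warning:", w)
```

Run it against a server config before deployment; a build with working ECDHE (master branch, or PolarSSL) is linted with `ecdhe_supported=True`, which keeps the ECDHE entries and only leaves the `dh` check active.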