Re: [Openvpn-users] Is there a reason that ciphers can't be specified within connection stanzas?

2014-10-04 Thread Gert Doering
Hi,

On Thu, Oct 02, 2014 at 11:39:29AM -0400, Joe Patterson wrote:
> First off, just to make sure I'm reading things correctly, tls-cipher is an
> ordered list of acceptable tls control channel ciphers, while cipher is a
> single acceptable data channel cipher, correct?

Yes.

> I was considering the possibility of changing my cipher, and was trying to
> figure out the logistics of it, and it seems like I'm probably stuck with
> change everything all at once across all clients and servers, which is
> kind of painful.

Yes, this is how it is today.

We've started talking about pushable cipher settings, and potentially 
full client-server cipher negotiations inside the TLS handshake, but
this did not result in any code yet.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Is there a reason that ciphers can't be specified within connection stanzas?

2014-10-04 Thread Steffan Karger
Hi,

On 04-10-14 13:22, Gert Doering wrote:
> On Thu, Oct 02, 2014 at 11:39:29AM -0400, Joe Patterson wrote:
>> I was considering the possibility of changing my cipher, and was trying to
>> figure out the logistics of it, and it seems like I'm probably stuck with
>> change everything all at once across all clients and servers, which is
>> kind of painful.
> 
> Yes, this is how it is today.

A possible 'transition plan' is to run a second OpenVPN server on a
different port or ip with a new cipher setting, and then migrate clients
one by one to the new server. Far from perfect, but at least a bit
better than 'change everything all at once'.

> We've started talking about pushable cipher settings, and potentially 
> full client-server cipher negotiations inside the TLS handshake, but
> this did not result in any code yet.

Also, the current code assumes on quite some places that the same cipher
mode is used for all data channel connections. It needs to be decoupled
before we can start with cipher negotiation.

-Steffan

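As an added illustration, not taken from either poster's mail, of the transition plan Steffan sketches and of the tls-cipher/cipher distinction Gert confirms: the old server instance stays up on its current port with the old data-channel cipher, a second instance runs on another port with the new one, and each client is moved by editing its single global `cipher` line. Ports, subnets, file paths, the hostname vpn.example.com, and the cipher choices are assumptions for the example; the directives themselves are standard OpenVPN 2.3 options.

```conf
# --- server-old.conf: existing instance, kept running until every client has moved ---
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# 'cipher' is a single data-channel cipher: every client connecting here must use it
cipher BF-CBC
auth   SHA1
status /var/log/openvpn-old-status.log

# --- server-new.conf: second instance, new data-channel cipher (assumed choices) ---
port 1195
proto udp
dev tun1
# a separate address pool; two instances on one host must not share a subnet or tun device
server 10.9.0.0 255.255.255.0
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
cipher AES-256-CBC
auth   SHA256
# 'tls-cipher' is an ordered, colon-separated list for the TLS control channel only;
# it does not influence which data-channel cipher is used
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
status /var/log/openvpn-new-status.log

# --- client.conf: a migrated client ---
# 'cipher'/'auth' are global, not per-<connection> (the original question), so a
# client cannot carry one stanza per cipher; it is switched wholesale to the new port.
client
dev tun
proto udp
remote vpn.example.com 1195
ca   ca.crt
cert client.crt
key  client.key
remote-cert-tls server
cipher AES-256-CBC
auth   SHA256
```

A client whose `cipher`/`auth` lines do not match the instance it connects to still completes the TLS handshake (there is no data-channel negotiation, as Gert says) and only then fails with decrypt/authentication errors on data packets, so the server logs and the two status files are where stragglers show up; once the old instance's status file lists no clients, it can be stopped.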