On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
> This will result in the following:
> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
>   regardless if they have --cipher in their configuration file or not.
>   For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
>   client configuration needs to deploy --ncp-disable.
> * OpenVPN 2.3 based clients and older (and v2.4 clients using
>   --ncp-disable in the client configuration) can connect to the server
>   using any of the --ncp-ciphers list; this is what is called "poor
>   man's cipher negotiation" by the upstream OpenVPN developers.
> * Any client not providing --cipher defaults to BF-CBC. These clients
>   should still be able to connect to the server as the server allows
>   BF-CBC through --ncp-ciphers.

Unfortunately it's not working :-(
It took me a long time to debug it on my own server, and a long
discussion in this ticket:
https://community.openvpn.net/openvpn/ticket/886
It's not possible to set cipher AES-256-GCM, since in this case old
clients, e.g. the Android client, which are not updated to 2.4.x are not
able to connect.

--
Levente "Si vis pacem para bellum!"