On 18/07/17 17:50, Farkas Levente wrote:
> On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
>> This will result in the following:
>> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
>>   regardless if they have --cipher in their configuration file or not.
>>   For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
>>   client configuration needs to deploy --ncp-disable.
>> * OpenVPN 2.3 based clients and older (and v2.4 clients using
>>   --ncp-disable in the client configuration) can connect to the server
>>   using any of the --ncp-ciphers list; this is what is called "poor
>>   man's cipher negotiation" by the upstream OpenVPN developers.
>> * Any client not providing --cipher defaults to BF-CBC. These clients
>>   should still be able to connect to the server as the server allows
>>   BF-CBC through --ncp-ciphers.
>
> Unfortunately it's not working :-(
> It took me a long time to debug it on my own server and a long discussion
> in this ticket:
> https://community.openvpn.net/openvpn/ticket/886
> It's not possible to set
> cipher AES-256-GCM
> since in this case old clients, e.g. the Android client which is not updated to
> 2.4.x, are not able to connect.

The issue I believe you refer to ("unreliable NCP") should be fixed in
OpenVPN v2.4.3.
<https://community.openvpn.net/openvpn/ticket/887#comment:13>

I just ran a few tests manually now.

---- server.conf --------------
dev tun
persist-tun
server 10.35.8.32 255.255.255.224
topology subnet
user openvpn
group openvpn
chroot /var/lib/openvpn
client-config-dir clients
proto udp
port 1194
verb 4
keepalive 20 45
persist-key
remote-cert-tls client
dh dh2048.pem
pkcs12 server-ec.p12
ecdh-curve secp521r1
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
key-direction 1
tls-auth vpn.ta
--------------------------------

---- client.conf ---------------
dev tun
pkcs12 client-ec.p12
remote testserver.example.com 65441 udp
tls-auth vpn.ta
key-direction 0
verb 4
client
auth SHA256
explicit-exit-notify 2
--------------------------------

I tested this client config on both OpenVPN v2.3.12 and v2.4.3. All
connect with BF-CBC, AES-256-CBC and AES-128-CBC, and for v2.4.3 I also
tested AES-256-GCM (I didn't test AES-128-GCM).

So I would recommend re-testing your own setup with the latest v2.4.3 on
the server side, which is what we ship in F25 and newer.

--
kind regards,

David Sommerseth
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
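The three rules quoted from Jaroslav's announcement (2.4 clients get upgraded, 2.3 clients and --ncp-disable clients fall back to "poor man's negotiation" against the server's --ncp-ciphers list, and a client with no --cipher means BF-CBC) can be checked offline before touching a production server. The following model is an added example, not code from OpenVPN or from anyone in the thread; it parses the server.conf directives shown above and reports which data-channel cipher each client variant would end up with. Assumptions not stated in the thread: a 2.4 client's own negotiable list defaults to AES-256-GCM:AES-128-GCM, the server picks the first entry of its --ncp-ciphers that the client also lists, and a client with no overlap is treated like a non-NCP client.

```python
"""Cipher selection between an OpenVPN 2.4 server and 2.3/2.4 clients.

Added example modelling the rules quoted in the thread; it is not code from
OpenVPN or from any poster.  Assumptions not stated on the page: a 2.4 client's
own negotiable list defaults to AES-256-GCM:AES-128-GCM, the server picks the
first entry of its --ncp-ciphers the client also lists, and a client with no
overlap falls back to its plain --cipher.
"""

DEFAULT_CIPHER = "BF-CBC"                            # --cipher default (from the thread)
DEFAULT_CLIENT_NCP = ["AES-256-GCM", "AES-128-GCM"]  # assumption: upstream 2.4 default

# Constructed sample: the server.conf lines from the thread that matter here.
SERVER_CONF = """
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
"""


def parse_config(text):
    """Parse an OpenVPN config into {directive: [args]}; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def version_tuple(version):
    """'2.4.3' -> (2, 4, 3) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def ncp_list(conf):
    """The colon-separated --ncp-ciphers list, or None if the directive is absent."""
    args = conf.get("ncp-ciphers")
    return args[0].split(":") if args else None


def negotiated_cipher(server_conf, client_conf, client_version):
    """Return the data-channel cipher the client ends up with, or None when the
    server's --ncp-ciphers list would not accept the client's cipher."""
    server_ncp = ncp_list(server_conf) or []
    client_cipher = client_conf.get("cipher", [DEFAULT_CIPHER])[0]
    ncp_capable = (version_tuple(client_version) >= (2, 4)
                   and "ncp-disable" not in client_conf)

    if ncp_capable:
        # Real negotiation: the 2.4 client is upgraded regardless of its --cipher.
        client_ncp = ncp_list(client_conf) or DEFAULT_CLIENT_NCP
        for cipher in server_ncp:
            if cipher in client_ncp:
                return cipher
        # Assumption: no common entry -> behave like a non-NCP client below.

    # "Poor man's negotiation": the client's own --cipher must be in the server list.
    return client_cipher if client_cipher in server_ncp else None


def run_scenarios(server_text=SERVER_CONF):
    """Evaluate the client variants discussed in the thread against a server config."""
    server = parse_config(server_text)
    scenarios = [
        ("2.4.3", ""),                                # 2.4 client, no --cipher, NCP on
        ("2.4.3", "cipher AES-128-CBC"),              # still upgraded, --cipher ignored
        ("2.4.3", "cipher AES-128-CBC\nncp-disable"),  # opts out: keeps AES-128-CBC
        ("2.3.12", ""),                               # old client, defaults to BF-CBC
        ("2.3.12", "cipher AES-256-CBC"),
        ("2.3.12", "cipher AES-192-CBC"),             # not in the server list
    ]
    return [(ver, cfg.replace("\n", " / ") or "(no cipher)",
             negotiated_cipher(server, parse_config(cfg), ver))
            for ver, cfg in scenarios]


if __name__ == "__main__":
    for ver, cfg, result in run_scenarios():
        print(f"client {ver:<7} {cfg:<32} -> {result or 'REJECTED'}")
```

Running it with the thread's server.conf shows every variant connecting, which is what David's tests observed; feeding `run_scenarios` a server config whose --ncp-ciphers omits BF-CBC shows the 2.3 client with no --cipher being rejected, which is the failure Farkas describes when the legacy cipher is no longer allowed.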