On 07/18/2017 10:03 PM, David Sommerseth wrote:
> On 18/07/17 17:50, Farkas Levente wrote:
>> On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
>>> This will result in the following:
>>> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
>>> regardless if they have --cipher in their configuration file or not.
>>> For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
>>> client configuration needs to deploy --ncp-disable.
>>> * OpenVPN 2.3 based clients and older (and v2.4 clients using
>>> --ncp-disable in the client configuration) can connect to the server
>>> using any of the --ncp-ciphers list; this is what is called "poor
>>> man's cipher negotiation" by the upstream OpenVPN developers.
>>> * Any client not providing --cipher defaults to BF-CBC. These clients
>>> should still be able to connect to the server as the server allows
>>> BF-CBC through --ncp-ciphers.
>>
>> unfortunately it's not working:-(
>> it takes me a long time to debug it on my own server and a long discussion
>> in this ticket:
>> https://community.openvpn.net/openvpn/ticket/886
>> it's not possible to set
>> cipher AES-256-GCM
>> since in this case old clients, e.g. the android client which is not updated to
>> 2.4.x, are not able to connect.
>
> The issue I believe you refer to ("unreliable NCP") should be fixed in
> OpenVPN v2.4.3.
> <https://community.openvpn.net/openvpn/ticket/887#comment:13>

this means only a few weeks ago...
imho openvpn is _very_ widely used and if it breaks anything it breaks a
lot of things...
i'd rather postpone it to f28 when it's fully tested and stabilized.

--
Levente "Si vis pacem para bellum!"