Re: F27 Self Contained Change: New default cipher in OpenVPN

On 18/07/17 22:55, Farkas Levente wrote:
> On 07/18/2017 10:03 PM, David Sommerseth wrote:
>> On 18/07/17 17:50, Farkas Levente wrote:
>>> On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
>>>> This will result in the following:
>>>> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
>>>> regardless if they have --cipher in their configuration file or not.
>>>> For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
>>>> client configuration needs to deploy --ncp-disable.
>>>> * OpenVPN 2.3 based clients and older (and v2.4 clients using
>>>> --ncp-disable in the client configuration) can connect to the server
>>>> using any of the --ncp-ciphers list; this is what is called "poor
>>>> man's cipher negotiation" by the upstream OpenVPN developers.
>>>> * Any client not providing --cipher defaults to BF-CBC.  These clients
>>>> should still be able to connect to the server as the server allows
>>>> BF-CBC through --ncp-ciphers.
>>>
>>> Unfortunately it's not working :-(
>>> It took me a long time to debug it on my own server, and a long discussion
>>> in this ticket:
>>> https://community.openvpn.net/openvpn/ticket/886
>>> It's not possible to set
>>> cipher		AES-256-GCM
>>> since in this case old clients, e.g. Android clients which have not been
>>> updated to 2.4.x, are not able to connect.
>>
>> The issue I believe you refer to ("unreliable NCP") should be fixed in
>> OpenVPN v2.4.3.
>> <https://community.openvpn.net/openvpn/ticket/887#comment:13>
> 
> This means only a few weeks ago...
> IMHO OpenVPN is _very_ widely used, and if it breaks anything it breaks
> a lot of things...
> I'd rather postpone it to F28 when it's fully tested and stabilized.

What is the benefit of postponing based on a bug which has been fixed?
And has been tested?  And where the test process should be reasonably
thoroughly documented and can be verified by others?

Also consider that we're just in the very early planning phase of
F-27 and F-26 has just been released.  So F-27 is at least 6 months
ahead of us.  Which means the NCP feature will be at least 1 year old,
and the last fix making this work will be 6 months old - which should be
plenty of time to test this out.  Plus, OpenVPN is deployed elsewhere
on a much grander scale than Fedora alone, where NCP is also getting
more and more used and rolled out in similar ways as this proposal.
So this is being tested outside the Fedora universe as well.

In addition, the scope of this proposal *only* targets the server side
configurations.  I would expect the vast majority of Fedora users run
OpenVPN as a client, and then I'd expect it to be more likely used via
the NetworkManager plug-in for OpenVPN.  In both these scenarios,
nothing will change.

I know I am somewhat blinded to other potential issues, as I am also an
upstream OpenVPN developer.  But if others see flaws in the proposed
test script [1], feel free to help improve it!  And do report back
unexpected results ASAP.

[1]
<https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN#How_To_Test>


Bottom line is, from my perspective:  This feature currently works as
expected - at least to my knowledge.  If there are issues we do have
time to fix them before the final F-27 release.  And if not, then we'll
roll it back - which is more than fair enough.

The change itself isn't big, but the security improvements are
considerably more important for end users and system administrators,
helping them easily move away from BF-CBC.


-- 
kind regards,

David Sommerseth
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
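The quoted change description above lists three client categories and what each ends up with once the server enables NCP (--ncp-ciphers). The following Python model is an added example, not code from OpenVPN or from the Fedora proposal: it encodes only the rules stated in that message (NCP-capable 2.4 clients take the server's preferred NCP cipher; 2.3 clients and 2.4 clients with --ncp-disable fall back to their own --cipher, which defaults to BF-CBC, and connect only if the server lists it in --ncp-ciphers or uses it as its own --cipher) and runs that logic over two constructed server configurations, one that keeps a BF-CBC fallback and one that does not. The client profiles, the server configurations and the simplification that an NCP client always accepts the server's first --ncp-ciphers entry are assumptions made for the example; real negotiation also depends on the ciphers the client itself supports.

```python
"""Model of the OpenVPN 2.4 cipher-negotiation outcomes described in the thread.

Constructed example, not OpenVPN code: it implements only the rules quoted in
the change proposal, so that an administrator can see which client categories
a given server configuration still admits before rolling it out.
"""

DEFAULT_CIPHER = "BF-CBC"   # OpenVPN's historic default when --cipher is absent


def parse_config(text):
    """Extract the three options relevant to negotiation from an OpenVPN config.

    Returns a dict with 'cipher' (str), 'ncp_ciphers' (list of str) and
    'ncp_disable' (bool).  Comments starting with '#' are ignored.
    """
    cfg = {"cipher": DEFAULT_CIPHER, "ncp_ciphers": [], "ncp_disable": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "cipher" and args:
            cfg["cipher"] = args[0]
        elif key == "ncp-ciphers" and args:
            cfg["ncp_ciphers"] = args[0].split(":")
        elif key == "ncp-disable":
            cfg["ncp_disable"] = True
    return cfg


def negotiate(server, client, client_version):
    """Return the data-channel cipher the client ends up with, or None when the
    server would reject the connection.

    Rule 1 (NCP): a 2.4+ client without --ncp-disable, talking to a server that
    has NCP enabled, is upgraded to the server's preferred --ncp-ciphers entry
    (assumption: the client supports that entry, which holds for the AES-GCM
    defaults discussed in the thread).
    Rule 2 ("poor man's negotiation"): every other client uses its own --cipher
    (BF-CBC if unset) and is accepted only if that cipher is the server's own
    --cipher or appears in the server's --ncp-ciphers list.
    """
    ncp_capable = (
        client_version >= (2, 4)
        and not client["ncp_disable"]
        and not server["ncp_disable"]
        and bool(server["ncp_ciphers"])
    )
    if ncp_capable:
        return server["ncp_ciphers"][0]
    wanted = client["cipher"]
    if wanted == server["cipher"] or wanted in server["ncp_ciphers"]:
        return wanted
    return None


# Constructed client profiles: (config text, client version)
CLIENT_PROFILES = {
    "2.4 default": ("", (2, 4)),
    "2.4 ncp-disable": ("ncp-disable\ncipher AES-256-CBC", (2, 4)),
    "2.3 with cipher": ("cipher AES-256-CBC", (2, 3)),
    "2.3 no cipher": ("", (2, 3)),   # e.g. an old mobile client left at the default
}

# Constructed server configurations (not the Fedora proposal's actual files)
SERVER_WITH_FALLBACK = (
    "cipher AES-256-GCM\n"
    "ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC  # keeps legacy clients\n"
)
SERVER_NO_FALLBACK = (
    "cipher AES-256-GCM\n"
    "ncp-ciphers AES-256-GCM:AES-128-GCM  # GCM only: legacy clients locked out\n"
)


def outcome_matrix(server_text):
    """Map each client profile to the cipher it negotiates against server_text."""
    server = parse_config(server_text)
    return {
        name: negotiate(server, parse_config(cfg), version)
        for name, (cfg, version) in CLIENT_PROFILES.items()
    }


if __name__ == "__main__":
    for label, text in (("with fallback", SERVER_WITH_FALLBACK),
                        ("no fallback", SERVER_NO_FALLBACK)):
        print(f"server {label}:")
        for name, cipher in outcome_matrix(text).items():
            print(f"  {name:18} -> {cipher or 'REJECTED'}")
```

Running it shows the point made in the thread: with a BF-CBC entry kept in --ncp-ciphers, every profile still connects (the 2.4 client silently on AES-256-GCM, the others on what they asked for), whereas a GCM-only list rejects all three legacy profiles, which is the symptom reported for old Android clients.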



