id summary reporter owner description type status priority milestone component version severity resolution keywords cc 673 weak cipher suites sarnold Steffan Karger "Ubuntu's Xenial packaged 2.3.10-1ubuntu2 reports the following ciphersuites: $ openvpn --show-tls Available TLS Ciphers, listed in order of preference: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 DH-RSA-AES256-GCM-SHA384 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 DH-RSA-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES256-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-AES-256-CBC-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA DH-RSA-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES256-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA DH-RSA-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-CAMELLIA256-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA TLS-RSA-WITH-AES-256-GCM-SHA384 TLS-RSA-WITH-AES-256-CBC-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-PSK-WITH-AES-256-CBC-SHA TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 DH-RSA-AES128-GCM-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 DH-RSA-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES128-SHA256 (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-AES-128-CBC-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA DH-RSA-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-AES128-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-SEED-CBC-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA TLS-DH-RSA-WITH-SEED-CBC-SHA TLS-DH-DSS-WITH-SEED-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA DH-RSA-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-CAMELLIA128-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-SEED-CBC-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-PSK-WITH-AES-128-CBC-SHA TLS-ECDHE-RSA-WITH-RC4-128-SHA TLS-ECDHE-ECDSA-WITH-RC4-128-SHA TLS-ECDH-RSA-WITH-RC4-128-SHA TLS-ECDH-ECDSA-WITH-RC4-128-SHA TLS-RSA-WITH-RC4-128-SHA TLS-RSA-WITH-RC4-128-MD5 TLS-PSK-WITH-RC4-128-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA DH-RSA-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.) DH-DSS-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.) TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA TLS-PSK-WITH-3DES-EDE-CBC-SHA I suspect everything after the first mention of RC4 should be removed (inclusive of rc4, of course). It's also getting close to time to plan on removing SHA-1 support, too. Google and Mozilla are already taking steps to remove SHA-1 support from their TLS-based products. Thanks" Bug / Defect closed major release 2.3.11 Crypto OpenVPN 2.3.10 (Community Ed) Not set (select this one, unless your'e a OpenVPN developer) fixed