Opened 20 months ago

Closed 5 months ago

#814 closed Feature Wish (fixed)

Display cipher negotiated in NCP in status output

Reported by: jwischka Owned by: Steffan Karger
Priority: minor Milestone: release 2.5
Component: Crypto Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Steffan Karger

Description

NCP in 2.4 is an excellent addition, but it is sometimes important to know *which* cipher the client / server negotiated. This information is not currently (I believe) displayed in the status output.

Is it possible to echo this information to console or log?

Thanks

Change History (7)

comment:1 Changed 20 months ago by tincantech

Set --verb 4 in your config and then see your log file.

comment:2 Changed 20 months ago by jwischka

That works, but it seems like this is important enough information that it shouldn't require setting such a high verbosity level to see it.

Moreover, a better solution would be to include the information in the OpenVPN management status port (e.g. status 2).

Last edited 20 months ago by jwischka

comment:3 Changed 20 months ago by Gert Döring

Cc: Steffan Karger added
Priority: major → minor

status 2 or 3 are indeed extensible enough to just add a column for the cipher and auth used for this particular client.

I'm not sure if the code has access to that information, but I guess it should have.

comment:4 Changed 20 months ago by Steffan Karger

Owner: set to Steffan Karger
Status: new → accepted

This is even printed with --verb 2, e.g.

Test-Client/10.1.1.2:49956 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

But I guess this might be useful in the status file too. The status printing code has access to the required information, so a patch shouldn't be too difficult.

I'll assign it to myself so I don't forget, but there's other stuff I want to do first. So if anyone else wants to take a stab at it, please do so.

comment:5 Changed 9 months ago by Gilbert0

I'm running pfSense 2.4.1, would really like to see this feature in OpenVPN.

Nice to see what has been negotiated through NCP, if possible.

comment:6 Changed 9 months ago by Gert van Dijk

I've uploaded a patch to implement this in the status file, for --status-version 2 and 3:

https://sourceforge.net/p/openvpn/mailman/message/36111887/

comment:7 Changed 5 months ago by Gert Döring

Milestone: release 2.4.1 → release 2.5
Resolution: fixed
Status: accepted → closed

Took a bit... sorry.

commit 8acc40b6a64451d9a17cf4fa12fac2450ca26095
Author: Gert van Dijk
Date: Sat Nov 11 17:11:22 2017 +0100

Add negotiated cipher to status file format 2 and 3

Signed-off-by: Gert van Dijk <gert@…>
Acked-by: Arne Schwabe <arne@…>
Message-Id: <20171111161122.30087-2-gert@…>

so I'll close this now :-)

(As a side note: while the patch applies cleanly to 2.4 - so pfsense could pick it up - our "new features that are not needed for long-term compatibility do not go into the maintenance branch" policy has this in master only, so it will show up in 2.5 but not in 2.4.x)
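A worked example of consuming the two sources this ticket discusses: the per-client cipher column in --status-version 2 and 3 output (comment 6 and the closing commit), and the "Data Channel Encrypt" log line that comment 4 shows at --verb 2. This is an added example, not OpenVPN project code. It assumes the added column is titled "Data Channel Cipher" and that version 2 is comma-separated while version 3 is tab-separated; the status output and the second client below are constructed for illustration, and only the log line is taken from the ticket (the "Data Channel Decrypt" variant is assumed to have the same shape). The check a practitioner wants on top of the raw column is whether NCP actually landed on an AEAD cipher or fell back to a legacy CBC mode for some client:

```python
"""Report the data-channel cipher negotiated per OpenVPN client, from either
the status file (--status-version 2 or 3) or the --verb 2 log line.

Added example, not part of OpenVPN. Assumptions: the cipher column is titled
'Data Channel Cipher'; version 2 uses ',' and version 3 uses '\t' as the
field separator; the sample status output below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed --status-version 2 output (not captured from a real server).
STATUS_V2 = """TITLE,OpenVPN 2.5.0 x86_64-pc-linux-gnu
TIME,2020-12-01 10:00:00,1606816800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,Test-Client,10.1.1.2:49956,10.8.0.6,,12345,67890,2020-12-01 09:55:00,1606816500,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,legacy-box,192.0.2.10:1194,10.8.0.10,,100,200,2020-12-01 09:50:00,1606816200,UNDEF,1,1,BF-CBC
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,Test-Client,10.1.1.2:49956,2020-12-01 09:59:00,1606816740
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""
# Version 3 carries the same rows, tab-separated (constructed from the above).
STATUS_V3 = STATUS_V2.replace(",", "\t")

# The --verb 2 line quoted in comment 4 of the ticket.
LOG_LINE = ("Test-Client/10.1.1.2:49956 Data Channel Encrypt: "
            "Cipher 'AES-256-GCM' initialized with 256 bit key")

CIPHER_COLUMN = "Data Channel Cipher"  # assumed title of the added column
# OpenSSL names of the AEAD data-channel ciphers OpenVPN can negotiate.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

LOG_RE = re.compile(
    r"(?P<peer>\S+) Data Channel (?:Encrypt|Decrypt): "
    r"Cipher '(?P<cipher>[^']+)' initialized with (?P<bits>\d+) bit key"
)


def parse_status(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse status output into rows keyed by list type (CLIENT_LIST, ...).

    Column names come from the HEADER lines, so a column added at the end,
    such as the negotiated cipher, is picked up without code changes.
    """
    sep = "\t" if "\t" in text else ","
    columns: Dict[str, List[str]] = {}
    rows: Dict[str, List[Dict[str, str]]] = {}
    for line in text.splitlines():
        if not line or line == "END":
            continue
        fields = line.split(sep)
        if fields[0] == "HEADER":
            columns[fields[1]] = fields[2:]  # HEADER,<list type>,<names...>
            continue
        names = columns.get(fields[0])
        if names is None:
            continue  # TITLE, TIME, GLOBAL_STATS: no HEADER, not tabular
        values = fields[1:]
        if len(values) != len(names):
            # A common name containing the separator (possible in version 2)
            # cannot be split reliably; skip it rather than misattribute.
            continue
        rows.setdefault(fields[0], []).append(dict(zip(names, values)))
    return rows


def client_ciphers(text: str) -> Dict[str, str]:
    """Map 'Common Name/Real Address', the peer prefix OpenVPN uses in its
    log lines, to the negotiated data-channel cipher of each client."""
    result: Dict[str, str] = {}
    for row in parse_status(text).get("CLIENT_LIST", []):
        peer = f"{row['Common Name']}/{row['Real Address']}"
        result[peer] = row.get(CIPHER_COLUMN, "")
    return result


def is_aead(cipher: str) -> bool:
    """True for the AEAD modes; anything else is a legacy CBC-style cipher."""
    return cipher.upper() in AEAD_CIPHERS


def weak_clients(text: str) -> List[str]:
    """Peers whose cipher is not AEAD: NCP fell back to the legacy --cipher,
    or the client does not support NCP at all."""
    return sorted(p for p, c in client_ciphers(text).items() if not is_aead(c))


def parse_log_cipher(line: str) -> Optional[Tuple[str, str, int]]:
    """Extract (peer, cipher, key bits) from a --verb 2 data-channel line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("peer"), m.group("cipher"), int(m.group("bits"))


if __name__ == "__main__":
    for peer, cipher in client_ciphers(STATUS_V3).items():
        flag = "" if is_aead(cipher) else "  <-- non-AEAD, check NCP fallback"
        print(f"{peer}: {cipher}{flag}")
    print("from log:", parse_log_cipher(LOG_LINE))
```

Prefer version 3 (tabs) when common names are not under your control, since a comma inside a common name breaks the version 2 column alignment; the parser drops such rows instead of guessing. The same text arrives from the management interface's `status 2` / `status 3` commands, so the parser can be pointed at either the file or the socket output.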
