Opened 7 years ago
Closed 6 years ago
#814 closed Feature Wish (fixed)
Display cipher negotiated in NCP in status output
Reported by: | jwischka | Owned by: | Steffan Karger |
---|---|---|---|
Priority: | minor | Milestone: | release 2.5 |
Component: | Crypto | Version: | OpenVPN 2.4.0 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: | Steffan Karger |
Description
NCP in 2.4 is an excellent addition, but it is sometimes important to know *which* cipher the client / server negotiated. This information is not currently (I believe) displayed in the status output.
Is it possible to echo this information to console or log?
Thanks
Change History (7)
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
That works, but it seems like this is important enough information that it shouldn't require setting that high of a verbosity level to see it.
Moreover, a better solution would be to include the information in the OpenVPN management status port (e.g. status 2).
comment:3 Changed 7 years ago by
Cc: | Steffan Karger added |
---|---|
Priority: | major → minor |
status 2 or 3 are indeed extensible enough to just add a column for the cipher and auth used for this particular client.
I'm not sure if the code has access to that information, but I guess it should have.
comment:4 Changed 7 years ago by
Owner: | set to Steffan Karger |
---|---|
Status: | new → accepted |
This is even printed with --verb 2, e.g.
Test-Client/10.1.1.2:49956 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
But I guess this might be useful in the status file too. The status printing code has access to the required information, so a patch shouldn't be too difficult.
I'll assign it to myself so I don't forget, but there's other stuff I want to do first. So if anyone else wants to take a stab at it, please do so.
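Added example, not part of the ticket or of OpenVPN's own code: one way to audit which cipher each client negotiated by parsing the "Data Channel Encrypt" log line quoted in comment:4. The allowlist and every sample line other than the one quoted above are constructed assumptions.

```python
import re

# Matches the log line quoted in comment:4. search() is used so that an
# optional timestamp prefix in front of the peer field is tolerated.
CIPHER_RE = re.compile(
    r"(?P<peer>\S+) Data Channel Encrypt: "
    r"Cipher '(?P<cipher>[^']+)' initialized with (?P<bits>\d+) bit key"
)

# Assumption: the data-channel ciphers this deployment is willing to accept.
ALLOWED = {"AES-256-GCM", "AES-128-GCM"}


def negotiated_ciphers(lines):
    """Return {peer: (cipher, key_bits)}; a later line for a peer replaces an earlier one."""
    result = {}
    for line in lines:
        m = CIPHER_RE.search(line)
        if m:
            result[m.group("peer")] = (m.group("cipher"), int(m.group("bits")))
    return result


def unexpected(ciphers, allowed=ALLOWED):
    """Return the sorted peers whose negotiated cipher is not in the allowlist."""
    return sorted(p for p, (cipher, _) in ciphers.items() if cipher not in allowed)


# Constructed sample input: the first line is the one from the ticket, the
# others are made up to exercise a timestamp prefix and non-matching lines.
SAMPLE_LOG = """\
Test-Client/10.1.1.2:49956 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Test-Client/10.1.1.2:49956 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jan  6 10:00:00 2018 Old-Client/10.1.1.3:50111 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan  6 10:00:00 2018 Old-Client/10.1.1.3:50111 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
""".splitlines()

if __name__ == "__main__":
    seen = negotiated_ciphers(SAMPLE_LOG)
    for peer, (cipher, bits) in sorted(seen.items()):
        print(f"{peer}: {cipher} ({bits} bit)")
    print("outside allowlist:", unexpected(seen))
```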
comment:5 Changed 6 years ago by
I'm running pfSense 2.4.1, would really like to see this feature in OpenVPN.
Nice to see what has been negotiated through NCP, if possible.
comment:6 Changed 6 years ago by
I've uploaded a patch to implement this in the status file, for --status-version 2 and 3:
https://sourceforge.net/p/openvpn/mailman/message/36111887/
comment:7 Changed 6 years ago by
Milestone: | release 2.4.1 → release 2.5 |
---|---|
Resolution: | → fixed |
Status: | accepted → closed |
Took a bit... sorry.
commit 8acc40b6a64451d9a17cf4fa12fac2450ca26095
Author: Gert van Dijk
Date: Sat Nov 11 17:11:22 2017 +0100
Add negotiated cipher to status file format 2 and 3
Signed-off-by: Gert van Dijk <gert@…>
Acked-by: Arne Schwabe <arne@…>
Message-Id: <20171111161122.30087-2-gert@…>
so I'll close this now :-)
(As a side note: while the patch applies cleanly to 2.4 - so pfsense could pick it up - our "new features that are not needed for long-term compatibility do not go into the maintenance branch" policy has this in master only, so it will show up in 2.5 but not in 2.4.x)
Set --verb 4 in your config and then see your log file.