Opened 22 months ago

Closed 7 months ago

#814 closed Feature Wish (fixed)

Display cipher negotiated in NCP in status output

Reported by: jwischka Owned by: Steffan Karger
Priority: minor Milestone: release 2.5
Component: Crypto Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: Steffan Karger

Description

NCP in 2.4 is an excellent addition, but it is sometimes important to know *which* cipher the client / server negotiated. This information is not currently (I believe) displayed in the status output.

Is it possible to echo this information to console or log?

Thanks

Change History (7)

comment:1 Changed 22 months ago by tincantech

Set --verb 4 in your config and then see your log file.

comment:2 Changed 22 months ago by jwischka

That works, but it seems like this is important enough information that it shouldn't require setting that high of a verbosity level to see it.

Moreover, a better solution would be to include the information in the OpenVPN management status port (e.g. status 2).

Last edited 22 months ago by jwischka

comment:3 Changed 22 months ago by Gert Döring

Cc: Steffan Karger added
Priority: major → minor

status 2 or 3 are indeed extensible enough to just add a column for the cipher and auth used for this particular client.

I'm not sure if the code has access to that information, but I guess it should have.

comment:4 Changed 22 months ago by Steffan Karger

Owner: set to Steffan Karger
Status: new → accepted

This is even printed with --verb 2, e.g.

Test-Client/10.1.1.2:49956 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

But I guess this might be useful in the status file too. The status printing code has access to the required information, so a patch shouldn't be too difficult.

I'll assign it to myself so I don't forget, but there's other stuff I want to do first. So if anyone else wants to take a stab at it, please do so.
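Until the status file carries the cipher, the --verb 2 line quoted above is the only machine-readable record of what NCP negotiated per client. The following is an added example (not part of the ticket, nor OpenVPN's own code) that parses such lines out of a server log, maps each peer to the data-channel cipher it ended up with, and lists peers that negotiated a non-AEAD cipher so an operator can spot clients that fell back from AES-GCM. The sample log text is constructed for illustration; the optional timestamp prefix and the AEAD cipher set are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the line OpenVPN 2.4 logs at --verb 2 when a data channel is set up
# (format as quoted in this ticket). On a server the line is prefixed with
# "<common name>/<real address> "; on a client that prefix is absent, so it is
# optional here. re.search is used so a leading log timestamp does not matter.
LINE_RE = re.compile(
    r"(?:(?P<peer>\S+?)/(?P<addr>\S+)\s+)?"
    r"Data Channel (?P<direction>Encrypt|Decrypt): "
    r"Cipher '(?P<cipher>[^']+)' initialized with (?P<bits>\d+) bit key$"
)

# Assumption: these are the AEAD ciphers worth considering "modern"; anything
# else (e.g. BF-CBC, AES-256-CBC) is flagged for review.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


@dataclass
class NegotiatedCipher:
    peer: Optional[str]      # common name, or None for a client-side log
    addr: Optional[str]      # real address "ip:port", or None
    direction: str           # "Encrypt" or "Decrypt"
    cipher: str
    key_bits: int

    @property
    def is_aead(self) -> bool:
        return self.cipher.upper() in AEAD_CIPHERS


def parse_line(line: str) -> Optional[NegotiatedCipher]:
    """Return the negotiated-cipher record for one log line, or None."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    return NegotiatedCipher(
        peer=m.group("peer"),
        addr=m.group("addr"),
        direction=m.group("direction"),
        cipher=m.group("cipher"),
        key_bits=int(m.group("bits")),
    )


def parse_log(text: str) -> List[NegotiatedCipher]:
    """Parse every matching line of a log; unrelated lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ciphers_by_peer(records: List[NegotiatedCipher]) -> Dict[str, str]:
    """Map each peer (or '<local>' on a client log) to its encrypt cipher."""
    out: Dict[str, str] = {}
    for r in records:
        if r.direction == "Encrypt":
            out[r.peer or "<local>"] = r.cipher
    return out


def non_aead_peers(records: List[NegotiatedCipher]) -> List[str]:
    """Peers whose negotiated cipher is not in the AEAD set (sorted)."""
    return sorted({r.peer or "<local>" for r in records if not r.is_aead})


# Constructed sample log (not real traffic): one client on AES-256-GCM, one
# that fell back to BF-CBC, plus an unrelated line that must be ignored.
SAMPLE_LOG = """\
Mon Jan  1 12:00:00 2018 Test-Client/10.1.1.2:49956 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan  1 12:00:00 2018 Test-Client/10.1.1.2:49956 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jan  1 12:00:41 2018 Old-Client/10.1.1.3:51002 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan  1 12:00:41 2018 Old-Client/10.1.1.3:51002 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jan  1 12:00:42 2018 Old-Client/10.1.1.3:51002 MULTI: Learn: 10.8.0.6 -> Old-Client/10.1.1.3:51002
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for peer, cipher in ciphers_by_peer(recs).items():
        print(f"{peer}: {cipher}")
    print("non-AEAD peers:", non_aead_peers(recs))
```

Run against a real server log, a peer that shows up in non_aead_peers is a candidate for checking its --cipher / --ncp-ciphers settings.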

comment:5 Changed 11 months ago by Gilbert0

I'm running pfSense 2.4.1, would really like to see this feature in OpenVPN.

Nice to see what has been negotiated through NCP, if possible.

comment:6 Changed 11 months ago by Gert van Dijk

I've uploaded a patch to implement this in the status file, for --status-version 2 and 3:

https://sourceforge.net/p/openvpn/mailman/message/36111887/

comment:7 Changed 7 months ago by Gert Döring

Milestone: release 2.4.1 → release 2.5
Resolution: fixed
Status: accepted → closed

Took a bit... sorry.

commit 8acc40b6a64451d9a17cf4fa12fac2450ca26095
Author: Gert van Dijk
Date: Sat Nov 11 17:11:22 2017 +0100

Add negotiated cipher to status file format 2 and 3

Signed-off-by: Gert van Dijk <gert@…>
Acked-by: Arne Schwabe <arne@…>
Message-Id: <20171111161122.30087-2-gert@…>

so I'll close this now :-)

(As a side note: while the patch applies cleanly to 2.4 - so pfsense could pick it up - our "new features that are not needed for long-term compatibility do not go into the maintenance branch" policy has this in master only, so it will show up in 2.5 but not in 2.4.x)
