Opened 3 years ago

Last modified 2 years ago

#845 accepted Feature Wish

set cipher for client in ccd

Reported by: slesru Owned by: Steffan Karger
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:



This was discussed in user's mail list, and there was info that such fetaure was already planned , but we really need it, so I decided to create feature wish.

In 2.4 it is possible for server to get cipher info from pre-2.4 client , but some clients (let's say in home routers) can't send info about cipher to server, because they are compiled without support for this feature,
so server will always use default cipher.
This makes migration from one default cipher to another , at least, very hard task, because we need to change default cipher on all such clients and on server at the same time.
This is major issue for us, because we are using OpenVPN for long time and aour default cipher is blowfish :-(

I'd like to have an ability to set default cipher on per-client basis in ccd.

Thank you!

Attachments (1)

0001-Allow-changing-cipher-from-a-ccd-file.patch (4.2 KB) - added by Steffan Karger 3 years ago.

Download all attachments as: .zip

Change History (11)

comment:1 Changed 3 years ago by Steffan Karger

Owner: set to Steffan Karger
Status: newaccepted

Thanks for creating the trac ticket, that helps keeping track of the issue.

I've created a patch that should allow you to set 'cipher' directives in ccd files, and attached it to this ticket. It would be great if you could test the patch to verify whether this works for you.

Changed 3 years ago by Steffan Karger

comment:2 Changed 3 years ago by slesru


Sorry for extremely late reply, I somehow missed this patch.
Just applied this on 2.4.1.
And trying to connect using 2.3.11, unfortunately, this is full version, i.e. it can tell to server which cipher it wants.

I have in server config:
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

And client has default BF-CBC.

I wrote in ccd:
cipher BF-CBC

But I see during connect:
Thu Mar 23 10:58:07 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'

I.e. looks like server doesn't use cipher BF-CBC for me :-(

Although server does not complain about cipher directive in ccd, looks like server does not use
cipher from ccd.

Thank you!

Or, may be, I'm wrong and it works only if client can inform server about cipher?

Last edited 3 years ago by slesru (previous) (diff)

comment:3 Changed 3 years ago by slesru

Sorry for previous message, it was too early - looks like disabling ncp helps to test and looks like it works, I need to test it on real hardware router.
Thank you!

comment:4 Changed 3 years ago by slesru

We just tested patched 2.4.1 with openvpn in soho router, we use, and
it works just fine with cipher from ccd, i.e. not default per server.


btw, looks like building 2.4.1 with --enable-small doesn't turn off occ and/or ncp - this is why I wrote firts comment here without any useful info.
So I built 2.3 for tests on my desktop...

Thank you very much! Going to patch my production servers in next several days.

Hope to have this in 2.4.2.. :-)

comment:5 Changed 3 years ago by slesru


We are in production now, tested on two soho routers, everything looks just fine.

Thank you!

comment:6 Changed 3 years ago by Steffan Karger

Thanks for reporting back! The patch is awaiting review on the development mailing list:

comment:7 Changed 3 years ago by tincantech

CC: tincantech

comment:8 Changed 3 years ago by slesru


Very pity it is not included in release 2.4.2.
Patch can be applied to 2.4.2 without problems, though:
+ echo 'Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):'
Patch #0 (0001-Allow-changing-cipher-from-a-ccd-file.patch):
+ /usr/bin/patch -p1 --fuzz=0
+ /bin/cat /root/rpmbuild/SOURCES/0001-Allow-changing-cipher-from-a-ccd-file.patch
patching file src/openvpn/multi.c
patching file src/openvpn/options.c
Hunk #1 succeeded at 7495 (offset -41 lines).
patching file src/openvpn/options.h
Hunk #1 succeeded at 629 (offset 1 line).
patching file src/openvpn/ssl.c
Hunk #1 succeeded at 2396 (offset -5 lines).

Thank you!

comment:9 Changed 3 years ago by slesru

And is not in 2.4.3...

comment:10 Changed 2 years ago by slesru

and in 2.4.4 :-(
Could you, please, tell me will it be included in main tree?
I'm tired from patching ;)
Thank you!

Note: See TracTickets for help on using tickets.