Changes between Version 65 and Version 66 of CipherNegotiation


Timestamp:
07/29/21 01:53:13 (2 months ago)
Author:
tct
Comment:

--

  • CipherNegotiation

    v65 v66  
    3838      ... Unless both Client and Server have a **secure** `--cipher` configured.[[br]]
    3939      ... otherwise, the VPN connection will fail.[[br]]
     40
     41  **The Point**:
     42{{{
     43 @cron2_ | for clients calling in without NCP                                                               │
     44 @cron2_ | could be a 2.5 client called with --ncp-disable "because someone on the Internet said so"        │
     45  wiscii | but that would auto-fallback to AES* ? 2.5 .. no ?                                               │
     46       * | wiscii checks                                                                                    │
     47  wiscii | --ncp-disable is deprecated ..                                                                   │
     48  wiscii | and using it is currently a total fail FATAL error                                               │
     49  wiscii | ok ,, that is 2.6                                                                                │
     50  wiscii | i have clearly misunderstood the use of the data-cipher-fallback bit, it's just to convoluted    |
     51 @cron2_ | the point is that 2.5 and up do not select BF-CBC "by default" anymore, just because it was the  │
     52         | cipher in earlier times                                                                          │
     53 @cron2_ | *if* NCP is active, this is a non-issue, because AES                                             │
     54 @cron2_ | but if *no* NCP is active (old client or --ncp-disable), openvpn does not know what to do, and   │
     55         | on purpose does not "just use BF-CBC".  So it tells you: if you really want the old behaviour,   │
     56         | put it into your config.                                                                         │
     57  wiscii | yep .. i can see that logic                                                                      │
     58}}}
     59
    4060----
    4161**All**: `--cipher ALG` - Data channel cipher. **Will be deprecated**.[[br]]
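Review bot: The IRC excerpt added under **The Point** (new lines 42-58) is pasted raw, so the actual guidance is buried in chat turns and the block still carries the terminal's right-hand border characters and padding. Consider trimming the padding and following the block with one sentence in the wiki's own voice that states the conclusion from new lines 51-56: 2.5 and up do not select BF-CBC by default, NCP makes this a non-issue, and without NCP (an old client or `--ncp-disable`) the cipher has to be put into the config explicitly. New lines 47-49 also mix versions (the `--ncp-disable` FATAL error is then attributed to 2.6), and new line 50 mentions "the data-cipher-fallback bit" loosely, so it would help to say which version each statement applies to and to spell the option exactly as the rest of the page does.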