Version 11 (modified 4 years ago)
Cipher Negotiation
Data channel cipher negotiation (NCP) is complicated. This page defines the expected behaviour between an OpenVPN 2.5 server and clients from 2.2 to 2.5. In every table below the server keeps the 2.5 default of --data-ciphers AES-256-GCM:AES-128-GCM; what varies is the client version, the client's --cipher, and whether the server sets a fallback cipher.
OpenVPN Directives:
--data-ciphers ALG:ALG
- Data channel ciphers the peer is willing to negotiate, colon separated, in order of preference. 2.4 spelled this --ncp-ciphers; 2.5 still accepts that name as an alias.
--data-ciphers-fallback ALG
- Single fallback data channel cipher (not a list). A 2.5 server uses it for a client that cannot negotiate, i.e. 2.3 and older; it must match the --cipher that client is configured with.
--cipher ALG
- Data channel cipher. Deprecated in 2.5: if --data-ciphers is not set, the cipher given here is appended to the negotiable list with a warning.
Expected Behaviour:
Server version 2.5
Client version 2.5
| Client --cipher | Server --cipher | Client --data-ciphers | Server --data-ciphers | Server --data-ciphers-fallback | Client NCP | Server NCP | Expected |
|---|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
Client version 2.4
| Client --cipher | Server --cipher | Client --data-ciphers | Server --data-ciphers | Server --data-ciphers-fallback | Client NCP | Server NCP | Expected |
|---|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
| AES-256-CBC | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
Client version 2.3
A 2.3 client does not support NCP, so the server cannot learn which ciphers it accepts. The connection only works if the server sets --data-ciphers-fallback to the cipher the client has configured (BF-CBC if the client sets nothing). Note that BF-CBC is a 64-bit block cipher; enabling it as fallback should be a transition measure until the 2.3 clients are upgraded.
| Client --cipher | Server --cipher | Client --data-ciphers | Server --data-ciphers | Server --data-ciphers-fallback | Client NCP | Server NCP | Expected |
|---|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | - | NO | YES | FAIL |
| - | - | - | AES-256-GCM:AES-128-GCM | BF-CBC | NO | YES | OK |
| AES-256-CBC | - | - | AES-256-GCM:AES-128-GCM | - | NO | YES | FAIL |
| AES-256-CBC | - | - | AES-256-GCM:AES-128-GCM | AES-256-CBC | NO | YES | OK |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | - | NO | YES | FAIL |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | BF-CBC | NO | YES | OK |
Client version 2.2
Same as 2.3: no NCP, so the server needs a matching --data-ciphers-fallback.
| Client --cipher | Server --cipher | Client --data-ciphers | Server --data-ciphers | Server --data-ciphers-fallback | Client NCP | Server NCP | Expected |
|---|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | - | NO | YES | FAIL |
| - | - | - | AES-256-GCM:AES-128-GCM | BF-CBC | NO | YES | OK |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | - | NO | YES | FAIL |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | BF-CBC | NO | YES | OK |
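The rules behind the directive list and the tables above, as an added example that is not OpenVPN's own code: it reads the three directives out of small config fragments (constructed here, not from a real deployment) and re-derives the OK/FAIL outcome for each client version. How a client builds its offer is a simplification of what OpenVPN really exchanges in IV_NCP/IV_CIPHERS and is an assumption of this model, as is treating a 2.4 client's --cipher the way 2.5 treats it; on the server side only --data-ciphers-fallback is considered, since the tables leave the server's --cipher unset. The model also covers the case the tables do not list, a legacy client whose --cipher differs from the server's fallback, which it reports as a failure.

```python
"""Model of the 2.5 data-channel cipher negotiation described on this page.

Added example, not code from OpenVPN itself.  The client offer logic and the
handling of the server's fallback are assumptions that follow the tables.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.4/2.5 default list
LEGACY_DEFAULT_CIPHER = "BF-CBC"                       # --cipher default before 2.5


@dataclass
class Peer:
    version: str                              # "2.2" .. "2.5"
    cipher: Optional[str] = None              # --cipher
    data_ciphers: Optional[List[str]] = None  # --data-ciphers / --ncp-ciphers
    fallback: Optional[str] = None            # --data-ciphers-fallback (server)

    def supports_ncp(self) -> bool:
        """Cipher negotiation exists from 2.4 on; 2.2 and 2.3 cannot negotiate."""
        major, minor = (int(x) for x in self.version.split(".")[:2])
        return (major, minor) >= (2, 4)


def parse_config(text: str, version: str) -> Peer:
    """Pick the cipher-related directives out of an OpenVPN config fragment."""
    peer = Peer(version=version)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "cipher":
            peer.cipher = value
        elif key in ("data-ciphers", "ncp-ciphers"):   # ncp-ciphers: the 2.4 spelling
            peer.data_ciphers = value.split(":")
        elif key == "data-ciphers-fallback":
            peer.fallback = value
    return peer


def negotiable_ciphers(peer: Peer) -> List[str]:
    """Ciphers an NCP-capable peer is willing to use, in preference order.

    2.5 appends a --cipher that is missing from --data-ciphers (with a warning);
    applying the same rule to a 2.4 client is an assumption of this model.
    """
    ciphers = list(peer.data_ciphers or DEFAULT_DATA_CIPHERS)
    if peer.cipher and peer.cipher not in ciphers:
        ciphers.append(peer.cipher)
    return ciphers


def negotiate(client: Peer, server: Peer) -> Optional[str]:
    """Cipher a 2.5 server ends up using for this client, or None when the
    connection fails because no usable cipher exists."""
    server_list = negotiable_ciphers(server)
    if client.supports_ncp():
        # NCP: walk the server's list in its order, take the first one the client offers.
        offer = negotiable_ciphers(client)
        return next((alg for alg in server_list if alg in offer), None)
    # No NCP: the only candidate is the server's fallback cipher, and it has to
    # equal the cipher the legacy client is configured with.
    if server.fallback is None:
        return None
    client_cipher = client.cipher or LEGACY_DEFAULT_CIPHER
    return server.fallback if server.fallback == client_cipher else None


# Constructed config fragments for the example, not taken from any real deployment.
SERVER_MODERN_ONLY = "data-ciphers AES-256-GCM:AES-128-GCM\n"
SERVER_WITH_LEGACY = SERVER_MODERN_ONLY + "data-ciphers-fallback BF-CBC\n"


def table_rows_client_23():
    """The first two 2.3 rows of the page re-derived: (FAIL, OK) as (None, cipher)."""
    modern = parse_config(SERVER_MODERN_ONLY, "2.5")
    legacy = parse_config(SERVER_WITH_LEGACY, "2.5")
    client_23 = parse_config("", "2.3")
    return negotiate(client_23, modern), negotiate(client_23, legacy)


if __name__ == "__main__":
    clients = [("2.5", ""), ("2.4", "cipher AES-256-CBC"), ("2.3", ""), ("2.2", "cipher BF-CBC")]
    servers = [("modern only", SERVER_MODERN_ONLY), ("with fallback", SERVER_WITH_LEGACY)]
    for version, cfg in clients:
        for name, srv in servers:
            result = negotiate(parse_config(cfg, version), parse_config(srv, "2.5"))
            print(f"client {version} ({cfg or 'defaults'}) vs server {name}: {result or 'FAIL'}")
```

Running the script prints one line per client/server pairing; the 2.3 and 2.2 clients only get a cipher against the server that carries the fallback line, which is exactly the FAIL/OK split in the tables.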
And some fun ;-)
| Client --cipher | Server --cipher | Client --data-ciphers | Server --data-ciphers | Client NCP | Server NCP | Expected |
|---|---|---|---|---|---|---|
| - | - | - | AES-256-GCM:AES-128-GCM | YES | YES | OK |
Even ..