wiki:CipherNegotiation

Version 11 (modified by tct, 4 years ago)

Cipher Negotiation

Data channel cipher negotiation is complicated. This wiki page defines the expected behaviour between OpenVPN servers and clients for each combination of the directives below.

OpenVPN Directives:

--data-cipher ALG:ALG - Data channel ciphers.
--data-cipher-fallback ALG:ALG* - Fallback data channel cipher(s) (*List?).
--cipher ALG - Data channel cipher. To be deprecated.

Expected Behaviour:

Server version 2.5

Client version 2.5

--cipher              --data-cipher                     -fallback     NCP             Expected
Client       Server   Client  Server                                  Client  Server
-            -        -       AES-256-GCM:AES-128-GCM   -             YES     YES     OK
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   -             YES     YES     OK

Client version 2.4

--cipher              --data-cipher                     -fallback     NCP             Expected
Client       Server   Client  Server                                  Client  Server
-            -        -       AES-256-GCM:AES-128-GCM   -             YES     YES     OK
AES-256-CBC  -        -       AES-256-GCM:AES-128-GCM   -             YES     YES     OK
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   -             YES     YES     OK

Client version 2.3

--cipher              --data-cipher                     -fallback     NCP             Expected
Client       Server   Client  Server                                  Client  Server
-            -        -       AES-256-GCM:AES-128-GCM   -             NO      YES     FAIL
-            -        -       AES-256-GCM:AES-128-GCM   BF-CBC        NO      YES     OK
AES-256-CBC  -        -       AES-256-GCM:AES-128-GCM   -             NO      YES     FAIL
AES-256-CBC  -        -       AES-256-GCM:AES-128-GCM   AES-256-CBC   NO      YES     OK
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   -             NO      YES     FAIL
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   BF-CBC        NO      YES     OK

Client version 2.2

--cipher              --data-cipher                     -fallback     NCP             Expected
Client       Server   Client  Server                                  Client  Server
-            -        -       AES-256-GCM:AES-128-GCM   -             NO      YES     FAIL
-            -        -       AES-256-GCM:AES-128-GCM   BF-CBC        NO      YES     OK
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   -             NO      YES     FAIL
BF-CBC       -        -       AES-256-GCM:AES-128-GCM   BF-CBC        NO      YES     OK
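
To make the rules behind these tables checkable, here is an added Python model (not OpenVPN's own code) that derives the Expected column from the seven configuration cells of a row. It assumes that a peer with no --cipher uses BF-CBC, that an NCP client with no --data-cipher accepts the same AES-256-GCM:AES-128-GCM list the tables configure on the server, and that a non-NCP client succeeds only when the server's --data-cipher-fallback equals the client's cipher; it also covers a server without NCP, which the tables do not, by assuming both sides must then set the same --cipher.

```python
# Added example, not OpenVPN code: derive the "Expected" outcome of the
# cipher-negotiation tables from one table row's configuration cells.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a peer that sets no --cipher uses BF-CBC, the pre-2.5 default.
DEFAULT_CIPHER = "BF-CBC"
# Assumption: an NCP client that sets no --data-cipher accepts the same list
# the tables configure on the server.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"


@dataclass
class Peer:
    ncp: bool                           # NCP column: peer can negotiate (2.4+)
    cipher: Optional[str] = None        # --cipher, None for "-"
    data_ciphers: Optional[str] = None  # --data-cipher, None for "-"
    fallback: Optional[str] = None      # --data-cipher-fallback, None for "-"

    def cipher_list(self) -> List[str]:
        return (self.data_ciphers or DEFAULT_DATA_CIPHERS).split(":")

    def static_cipher(self) -> str:
        return self.cipher or DEFAULT_CIPHER


def negotiate(client: Peer, server: Peer) -> Tuple[str, Optional[str]]:
    """Return ("OK", cipher) or ("FAIL", None) following the tables' rules."""
    if client.ncp and server.ncp:
        # Both sides negotiate: first server-listed cipher the client also lists.
        for name in server.cipher_list():
            if name in client.cipher_list():
                return ("OK", name)
        return ("FAIL", None)
    if server.ncp:
        # Client cannot negotiate (2.3/2.2): it keeps its --cipher, and the
        # server must name exactly that cipher in --data-cipher-fallback.
        wanted = client.static_cipher()
        return ("OK", wanted) if server.fallback == wanted else ("FAIL", None)
    # Assumption for a pre-NCP server: both sides must set the same --cipher.
    shared = client.static_cipher()
    return ("OK", shared) if shared == server.static_cipher() else ("FAIL", None)


def expected_from_row(cells: List[str]) -> str:
    """Compute the Expected cell from a row's seven cells in table order:
    cipher(client, server), data-cipher(client, server), fallback, NCP(client, server)."""
    def opt(value: str) -> Optional[str]:
        return None if value == "-" else value
    c_cipher, s_cipher, c_dc, s_dc, fallback, c_ncp, s_ncp = cells
    client = Peer(ncp=(c_ncp == "YES"), cipher=opt(c_cipher), data_ciphers=opt(c_dc))
    server = Peer(ncp=(s_ncp == "YES"), cipher=opt(s_cipher),
                  data_ciphers=opt(s_dc), fallback=opt(fallback))
    return negotiate(client, server)[0]
```

Feeding every row of the tables above through expected_from_row reproduces its Expected cell, which is a quick way to check a planned server configuration against the client versions still in the field.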


And some fun ;-)

--cipher              --data-cipher                     -fallback     NCP             Expected
Client       Server   Client  Server                                  Client  Server
-            -        -       AES-256-GCM:AES-128-GCM                 YES     YES     OK

Even ..