= Cipher Negotiation

Data channel cipher negotiation is complicated. This wiki page defines the expected behaviour between OpenVPN servers and clients.

[[TOC(notitle, inline)]]

== OpenVPN Directives:

`--data-ciphers ALG:ALG` - Data channel ciphers the peer is willing to negotiate, as a colon-separated list in order of preference.[[br]]
`--data-ciphers-fallback ALG` - Fallback data channel cipher, used for a peer that does not support cipher negotiation. Takes a single cipher, not a list.[[br]]
`--cipher ALG` - Data channel cipher for peers that do not negotiate. To be deprecated.[[br]]

== Expected Behaviour:

Column key: `--cipher` and `--data-ciphers` are shown for both peers; `-fallback` is the server's `--data-ciphers-fallback`; NCP states whether each peer supports Negotiable Crypto Parameters (client 2.4 and later); Expected is whether the connection comes up. `-` means the directive is not set.

=== Server version 2.5

==== Client version 2.5
|||| `--cipher` ||||= `--data-ciphers` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||

==== Client version 2.4
|||| `--cipher` ||||= `--data-ciphers` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| AES-256-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| YES || YES || OK ||

==== Client version 2.3
|||| `--cipher` ||||= `--data-ciphers` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||
|| AES-256-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| AES-256-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= AES-256-CBC =|| NO || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||

==== Client version 2.2
|||| `--cipher` ||||= `--data-ciphers` =||= `-fallback` =|||| NCP || Expected ||
|| Client || Server ||= Client =||= Server =||= =|| Client || Server || ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| - || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= - =|| NO || YES || FAIL ||
|| BF-CBC || - ||= - =||= AES-256-GCM:AES-128-GCM =||= BF-CBC =|| NO || YES || OK ||

A client that does not negotiate (2.2, 2.3) can only connect when the one cipher it uses is accepted by the server, so a 2.5 server with only `--data-ciphers AES-256-GCM:AES-128-GCM` rejects it unless `--data-ciphers-fallback` names that cipher. The rows above that end in FAIL are exactly the ones where no fallback is set.

[[br]]
And some fun ;-)

{{{#!td colspan=2 align=middle
`--cipher`
}}}
{{{#!td colspan=2 align=middle
`--data-ciphers`
}}}
{{{#!td align=middle
`-fallback`
}}}
{{{#!td colspan=2 align=middle
NCP
}}}
{{{#!td align=middle
Expected
}}}
|----------------
{{{#!td style="background: #eef" align=middle
Client
}}}
{{{#!td style="background: #eef" align=middle
Server
}}}
{{{#!td style="background: #fee" align=middle
Client
}}}
{{{#!td style="background: #fee" align=middle
Server
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
Client
}}}
{{{#!td style="background: #efe" align=middle
Server
}}}
{{{#!td align=middle
}}}
|----------------
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
AES-256-GCM:AES-128-GCM
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td align=middle
OK
}}}
|----------------
{{{#!td
Even ..
}}}
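To make the tables above checkable, here is an added example that is not OpenVPN project code: a small Python model of how a 2.5 server settles the data channel cipher for one client, with the table rows replayed through it. The class and function names (`Client`, `Server`, `negotiate`, `replay_table`) are this example's own. It assumes, from the OpenVPN 2.4/2.5 documentation rather than from this page, that a 2.4 client without `--data-ciphers` implicitly offers AES-256-GCM:AES-128-GCM plus its `--cipher`, that a 2.5 client does the same unless `--data-ciphers` is set, and that the pre-2.5 default for `--cipher` is BF-CBC. The server's own `--cipher`, `--ncp-disable` on the client, and the OCC and TLS control-channel details are left out, and the case of an NCP client with no cipher in common is reported as FAIL because the tables do not cover it.

```python
"""Simplified model of OpenVPN 2.5 server-side data channel cipher selection.

Added example, not OpenVPN project code.  Assumptions (from OpenVPN 2.4/2.5
documentation, not from the wiki page):
  * 2.4 client without --data-ciphers offers AES-256-GCM:AES-128-GCM (IV_NCP=2)
    plus its own --cipher;
  * 2.5 client without --data-ciphers offers the same default list plus --cipher;
  * the pre-2.5 default for --cipher is BF-CBC;
  * 2.2/2.3 clients do not negotiate: they use exactly one cipher, and the
    server accepts it only if it is in --data-ciphers or equals
    --data-ciphers-fallback.
Omitted: the server's own --cipher, --ncp-disable, OCC and control channel details.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEGACY_DEFAULT_CIPHER = "BF-CBC"                    # --cipher default before 2.5
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # implicit 2.4/2.5 offer


@dataclass
class Client:
    version: str                               # "2.2", "2.3", "2.4" or "2.5"
    cipher: Optional[str] = None               # --cipher, None if not set
    data_ciphers: Optional[List[str]] = None   # --data-ciphers (2.5 only)


@dataclass
class Server:
    data_ciphers: List[str]                    # --data-ciphers, preferred first
    fallback: Optional[str] = None             # --data-ciphers-fallback


def client_supports_ncp(c: Client) -> bool:
    return c.version in ("2.4", "2.5")


def client_offer(c: Client) -> List[str]:
    """Ciphers the client is willing to use, as the server sees them."""
    if not client_supports_ncp(c):
        # Non-negotiating peer: exactly one cipher, announced via OCC.
        return [c.cipher or LEGACY_DEFAULT_CIPHER]
    if c.version == "2.5" and c.data_ciphers:
        return list(c.data_ciphers)
    offer = list(DEFAULT_NCP_CIPHERS)
    if c.cipher and c.cipher not in offer:
        offer.append(c.cipher)                 # --cipher is appended to the offer
    return offer


def negotiate(c: Client, s: Server) -> Optional[str]:
    """Cipher the server settles on, or None when the connection fails."""
    offer = client_offer(c)
    if client_supports_ncp(c):
        # Server preference wins: first entry of its list the client offers.
        for alg in s.data_ciphers:
            if alg in offer:
                return alg
        return None                            # not covered by the page's tables
    legacy = offer[0]
    if legacy in s.data_ciphers or legacy == s.fallback:
        return legacy
    return None


def expected(c: Client, s: Server) -> str:
    """The 'Expected' column of the tables: OK or FAIL."""
    return "OK" if negotiate(c, s) else "FAIL"


def replay_table() -> Dict[str, Tuple[Optional[str], str]]:
    """Replay representative rows of the expected-behaviour tables."""
    gcm = ["AES-256-GCM", "AES-128-GCM"]
    rows = {
        "2.5 client, no --cipher": (Client("2.5"), Server(gcm)),
        "2.5 client, --cipher BF-CBC": (Client("2.5", "BF-CBC"), Server(gcm)),
        "2.4 client, --cipher AES-256-CBC": (Client("2.4", "AES-256-CBC"), Server(gcm)),
        "2.3 client, no fallback": (Client("2.3"), Server(gcm)),
        "2.3 client, fallback BF-CBC": (Client("2.3"), Server(gcm, "BF-CBC")),
        "2.3 client AES-256-CBC, no fallback": (Client("2.3", "AES-256-CBC"), Server(gcm)),
        "2.3 client AES-256-CBC, fallback AES-256-CBC":
            (Client("2.3", "AES-256-CBC"), Server(gcm, "AES-256-CBC")),
        "2.2 client BF-CBC, fallback BF-CBC": (Client("2.2", "BF-CBC"), Server(gcm, "BF-CBC")),
    }
    return {name: (negotiate(c, s), expected(c, s)) for name, (c, s) in rows.items()}


if __name__ == "__main__":
    for name, (alg, verdict) in replay_table().items():
        print(f"{name:48s} -> {verdict:4s} {alg or ''}")
```

Running the block lists each replayed row with OK or FAIL and the selected cipher; the two FAIL rows are the 2.3 clients with no fallback configured, matching the tables.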