= Cipher Negotiation (Quick reference)

Data channel cipher negotiation is complicated. This wiki page defines the expected behaviour between OpenVPN servers and clients of different versions. For full details please see: [[br]]
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

[[TOC(notitle, inline)]]

== OpenVPN effective directives:

`--data-ciphers ALG:ALG` - Data channel ciphers offered for negotiation, in order of preference (OpenVPN 2.5; the 2.4 name `--ncp-ciphers` is still accepted as an alias). Default `ALG:ALG` is `AES-256-GCM:AES-128-GCM` [[br]]
`--data-ciphers-fallback ALG` - Fallback data channel cipher, used only with a peer that cannot negotiate (OpenVPN 2.5). No default. [[br]]
`--cipher ALG` - Data channel cipher. To be deprecated. Default `ALG` is `BF-CBC` before 2.5. In 2.5 a `--cipher` value that is not already in `--data-ciphers` is appended to that list and doubles as the fallback cipher (with a deprecation warning). [[br]]
`--ncp-disable` - Disable NCP (negotiable crypto parameters). Deprecated. [[br]]

== Common configurations:

=== Servers:

==== 2.5
a. Default configuration: No effective directives specified.[[br]]
b. Using `--data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC`[[br]]

==== 2.4
a. Default configuration: No effective directives specified.[[br]]
b. Using `--cipher AES-256-CBC`[[br]]
c. Using `--cipher AES-256-CBC` & `--ncp-disable`[[br]]

==== 2.3
a. Default configuration: No effective directives specified.[[br]]
b. Using `--cipher AES-256-CBC`[[br]]

==== 2.2
a. Default configuration: No effective directives specified.[[br]]

All other bets are off.[[br]]

== Expected Behaviour indexed by Server version:

=== Server version 2.5 - a. Default configuration: No effective directives specified.[[br]]
|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP ||
|| - ||= - =||= - =|| Yes ||

==== Client version 2.5
|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| Yes || OK. AES-256-GCM ||
|| AES-256-CBC ||= - =||= - =|| Yes || OK. AES-256-GCM ||
|| BF-CBC ||= - =||= - =|| Yes || OK. AES-256-GCM ||

==== Client version 2.4
|| `--cipher` || NCP || Connection ||
|| - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || Yes || OK. AES-256-GCM ||
|| BF-CBC || Yes || OK. AES-256-GCM ||

==== Client version 2.3
|| `--cipher` || NCP || Connection ||
|| - || No || Fail. (no shared cipher) ||
|| AES-256-CBC || No || Fail. (no shared cipher) ||
|| BF-CBC || No || Fail. (no shared cipher) ||

==== Client version 2.2
|| `--cipher` || NCP || Connection ||
|| - || No || Fail. (no shared cipher) ||
|| BF-CBC || No || Fail. (no shared cipher) ||

=== Server version 2.5 - b. Using `--data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC`[[br]]
|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP ||
|| - ||= AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC =||= - =|| Yes ||

Clients that negotiate (2.5 and 2.4 without `--ncp-disable`) behave exactly as under a. above, since AES-256-GCM is still the server's first preference. The extra entries only matter for the non-negotiating clients below. Note that BF-CBC is a 64-bit block cipher; list it only while legacy clients still need it.[[br]]

==== Client version 2.3
|| `--cipher` || NCP || Connection ||
|| - || No || OK. BF-CBC ||
|| AES-256-CBC || No || OK. AES-256-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

==== Client version 2.2
|| `--cipher` || NCP || Connection ||
|| - || No || OK. BF-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

----
== Corner case: OpenVPN built with `--enable-small`

TODO.[[br]]
Only affects .. [[br]]

And some fun ;-)

{{{#!td colspan=2 align=middle
`--cipher`
}}}
{{{#!td colspan=2 align=middle
`--data-ciphers`
}}}
{{{#!td align=middle
`-fallback`
}}}
{{{#!td colspan=2 align=middle
NCP
}}}
{{{#!td align=middle
Expected
}}}
|----------------
{{{#!td style="background: #eef" align=middle
Client
}}}
{{{#!td style="background: #eef" align=middle
Server
}}}
{{{#!td style="background: #fee" align=middle
Client
}}}
{{{#!td style="background: #fee" align=middle
Server
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
Client
}}}
{{{#!td style="background: #efe" align=middle
Server
}}}
{{{#!td align=middle
}}}
|----------------
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
AES-256-GCM:AES-128-GCM
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td align=middle
OK
}}}
|----------------
{{{#!td
Even ..
}}}
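The tables above are the output of one selection rule on the 2.5 server: walk `--data-ciphers` in order and take the first entry the client has announced it supports (via `IV_CIPHERS` for 2.5, via `IV_NCP=2` plus its `--cipher` for 2.4), or, for a client that cannot negotiate, the first entry equal to the client's OCC cipher; if nothing matches, the fallback cipher applies only when the client's `--cipher` already equals it. The following Python model is an added example written for this page, not OpenVPN's own code and not taken from the linked manual: class and function names (`Client`, `Server`, `negotiate`, `effective_25`) are this model's own, the client side is reduced to what each version announces, and the fallback rule is modelled as "succeeds only if the client's announced cipher equals the fallback" (an assumption; a mismatch would give a data channel neither side can decrypt). It reproduces every row of the tables above and also covers the `--ncp-disable` and server `--cipher` cases the tables leave out.

```python
"""Model of OpenVPN 2.5 server-side data-channel cipher selection.

Added illustration, not OpenVPN's code. Names below are the model's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"   # 2.5 default for --data-ciphers
LEGACY_DEFAULT_CIPHER = "BF-CBC"                   # pre-2.5 default for --cipher
IV_NCP2_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]   # what a 2.4 client's IV_NCP=2 implies


def effective_25(cipher: Optional[str], data_ciphers: Optional[str],
                 fallback: Optional[str]) -> Tuple[List[str], Optional[str]]:
    """2.5 option post-processing: a --cipher that is not in --data-ciphers is
    appended to the list and, if no explicit fallback is set, becomes the fallback."""
    ciphers = (data_ciphers or DEFAULT_DATA_CIPHERS).split(":")
    if cipher and fallback is None and cipher not in ciphers:
        ciphers.append(cipher)
        fallback = cipher
    return ciphers, fallback


@dataclass
class Client:
    version: str                        # "2.2", "2.3", "2.4" or "2.5"
    cipher: Optional[str] = None        # --cipher
    data_ciphers: Optional[str] = None  # --data-ciphers (2.5 only)
    ncp_disable: bool = False           # --ncp-disable (2.4 only)

    def announce(self) -> Dict[str, object]:
        """Peer info the client sends on the control channel (modelled)."""
        info: Dict[str, object] = {"occ_cipher": self.cipher or LEGACY_DEFAULT_CIPHER}
        if self.version == "2.5":
            ciphers, _ = effective_25(self.cipher, self.data_ciphers, None)
            info["IV_CIPHERS"] = ciphers        # full list of acceptable ciphers
        elif self.version == "2.4" and not self.ncp_disable:
            info["IV_NCP"] = 2                  # "I can do the AES-GCM pair"
        return info                             # 2.3/2.2: OCC cipher only


@dataclass
class Server:
    cipher: Optional[str] = None           # --cipher
    data_ciphers: Optional[str] = None     # --data-ciphers
    fallback: Optional[str] = None         # --data-ciphers-fallback


def negotiate(server: Server, client: Client) -> Optional[str]:
    """Return the data-channel cipher a 2.5 server selects, or None on failure."""
    server_list, fallback = effective_25(server.cipher, server.data_ciphers, server.fallback)
    info = client.announce()
    if "IV_CIPHERS" in info:
        peer_list = info["IV_CIPHERS"]
        occ = None          # a client that lists its ciphers is not assumed to accept its OCC cipher
    elif info.get("IV_NCP") == 2:
        peer_list = IV_NCP2_CIPHERS
        occ = info["occ_cipher"]
    else:
        peer_list = []
        occ = info["occ_cipher"]
    for cand in server_list:            # first server preference the client supports wins
        if cand in peer_list or cand == occ:
            return cand
    # "Poor man's NCP": nothing negotiated, both sides must already be configured alike
    # (model assumption: a fallback that differs from the client's cipher counts as failure).
    if fallback is not None and occ == fallback:
        return fallback
    return None


def describe(server: Server, client: Client) -> str:
    """Render the outcome in the wording used by the tables on this page."""
    chosen = negotiate(server, client)
    return f"OK. {chosen}" if chosen else "Fail. (no shared cipher)"


if __name__ == "__main__":
    servers = (("2.5 a.", Server()),
               ("2.5 b.", Server(data_ciphers="AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC")))
    clients = (Client("2.5"), Client("2.5", "BF-CBC"), Client("2.4", "AES-256-CBC"),
               Client("2.4", "AES-256-CBC", ncp_disable=True), Client("2.3"), Client("2.2"))
    for name, srv in servers:
        for cl in clients:
            flag = " --ncp-disable" if cl.ncp_disable else ""
            print(f"server {name}  client {cl.version} --cipher {cl.cipher or '-'}{flag}"
                  f" -> {describe(srv, cl)}")
```

Running it prints one line per server/client pair; the `Connection` column of each table is the `describe()` result for that pair. To test a configuration the tables do not cover, construct the `Server` and `Client` with the directives in question and call `negotiate()`.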