Version 14 (modified 4 years ago)
Cipher Negotiation (Quick reference)
Data channel cipher negotiation is complicated. This wiki page defines the expected behaviour between OpenVPN servers and clients of different versions.
For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
OpenVPN effective directives:
- --data-ciphers ALG:ALG - Data channel ciphers (NCP list). Default ALG: AES-256-GCM:AES-128-GCM
- --data-ciphers-fallback ALG - Fallback data channel cipher, used for peers that cannot negotiate.
- --cipher ALG - Data channel cipher. To be deprecated. Default ALG: BF-CBC
- --ncp-disable - Disable NCP. Deprecated.
Common configurations:
Servers:
2.5
- Default configuration: No effective directives specified.
- Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
2.4
- Default configuration: No effective directives specified.
- Using --cipher AES-256-CBC
- Using --cipher AES-256-CBC & --ncp-disable
2.3
- Default configuration: No effective directives specified.
- Using --cipher AES-256-CBC
2.2
- Default configuration: No effective directives specified. All bets are off.
Expected Behaviour indexed by Server version:
Server version 2.5 - a. Default configuration: No effective directives specified.
--cipher | --data-ciphers | -fallback | NCP |
---|---|---|---|
- | - | - | Yes |
Client version 2.5
--cipher | --data-ciphers | -fallback | NCP | Connection |
---|---|---|---|---|
- | - | - | Yes | OK. AES-256-GCM |
AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
BF-CBC | - | - | Yes | OK. AES-256-GCM |
Client version 2.4
--cipher | NCP | Connection |
---|---|---|
- | Yes | OK. AES-256-GCM |
AES-256-CBC | Yes | OK. AES-256-GCM |
BF-CBC | Yes | OK. AES-256-GCM |
Client version 2.3
--cipher | NCP | Connection |
---|---|---|
- | No | Fail. (no shared cipher) |
AES-256-CBC | No | Fail. (no shared cipher) |
BF-CBC | No | Fail. (no shared cipher) |
Client version 2.2
--cipher | NCP | Connection |
---|---|---|
- | No | Fail. (no shared cipher) |
BF-CBC | No | Fail. (no shared cipher) |
Server version 2.5 - b. Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
--cipher | --data-ciphers | -fallback | NCP |
---|---|---|---|
- | AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | - | Yes |
Client version 2.3
--cipher | NCP | Connection |
---|---|---|
- | No | OK. BF-CBC |
AES-256-CBC | No | OK. AES-256-CBC |
BF-CBC | No | OK. BF-CBC |
Client version 2.2
--cipher | NCP | Connection |
---|---|---|
- | No | OK. BF-CBC |
BF-CBC | No | OK. BF-CBC |
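The tables above are instances of a small set of rules: a 2.4/2.5 peer with NCP offers its --data-ciphers list (the server picks the first of its own ciphers the client also offers), while a 2.2/2.3 peer, or one with --ncp-disable, can only use its single --cipher. The following Python model is an added example, not OpenVPN code and not part of this wiki; it encodes those rules so that any server/client combination can be checked the same way the tables do. The Peer class, negotiate() and expected_rows() are this example's own names. Two simplifications are assumptions: --data-ciphers-fallback is not modelled (no table above exercises it), and a 2.5 peer that sets --cipher without --data-ciphers is assumed to also accept that --cipher value, which the tables do not distinguish since AES-256-GCM wins in every 2.5 row.

```python
"""Toy model of the OpenVPN data-channel cipher negotiation rules tabulated
on this page.  Not OpenVPN code: it encodes the outcomes listed above so any
server/client combination can be checked the same way."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Defaults as given in the directives section above.
DEFAULT_DATA_CIPHERS = ("AES-256-GCM", "AES-128-GCM")   # --data-ciphers
LEGACY_DEFAULT_CIPHER = "BF-CBC"                       # --cipher
NCP_VERSIONS = ("2.4", "2.5")                          # versions with NCP


@dataclass(frozen=True)
class Peer:
    version: str                                  # "2.2" .. "2.5"
    cipher: Optional[str] = None                  # --cipher ALG
    data_ciphers: Optional[Sequence[str]] = None  # --data-ciphers ALG:ALG
    ncp_disable: bool = False                     # --ncp-disable


def supports_ncp(p: Peer) -> bool:
    return p.version in NCP_VERSIONS and not p.ncp_disable


def legacy_cipher(p: Peer) -> str:
    """The single cipher a non-NCP peer uses: --cipher, else its default."""
    return p.cipher or LEGACY_DEFAULT_CIPHER


def offered_ciphers(p: Peer) -> Tuple[str, ...]:
    """Ciphers the peer is willing to use on the data channel, most preferred first."""
    if not supports_ncp(p):
        return (legacy_cipher(p),)
    if p.data_ciphers:
        return tuple(p.data_ciphers)
    offered = list(DEFAULT_DATA_CIPHERS)
    # Assumption (not distinguished by the tables above): a 2.5 peer that sets
    # --cipher but not --data-ciphers also accepts that --cipher value.
    if p.version == "2.5" and p.cipher and p.cipher not in offered:
        offered.append(p.cipher)
    return tuple(offered)


def negotiate(server: Peer, client: Peer) -> Tuple[str, str]:
    """Return ("OK", cipher) or ("Fail", reason) for a server/client pair."""
    if supports_ncp(server) and supports_ncp(client):
        # NCP: the server picks the first of its ciphers the client also offers.
        client_offers = offered_ciphers(client)
        for c in offered_ciphers(server):
            if c in client_offers:
                return ("OK", c)
        return ("Fail", "no shared cipher")
    # Without NCP on both sides the legacy peer insists on its one --cipher;
    # the connection works only if the other side is willing to use it.
    if supports_ncp(server):
        wanted, other = legacy_cipher(client), server
    else:
        wanted, other = legacy_cipher(server), client
    if wanted in offered_ciphers(other):
        return ("OK", wanted)
    return ("Fail", "no shared cipher")


# Server configurations a. and b. from the tables above.
SERVER_25_DEFAULT = Peer("2.5")
SERVER_25_B = Peer("2.5", data_ciphers=("AES-256-GCM", "AES-128-GCM",
                                        "AES-256-CBC", "BF-CBC"))


def expected_rows(server: Peer, client_version: str,
                  ciphers: Sequence[Optional[str]] = (None, "AES-256-CBC", "BF-CBC")):
    """Rows of a 'Client version X' table: (--cipher, NCP, Connection)."""
    rows = []
    for c in ciphers:
        client = Peer(client_version, cipher=c)
        status, detail = negotiate(server, client)
        connection = f"{status}. {detail}" if status == "OK" else f"{status}. ({detail})"
        rows.append((c or "-", "Yes" if supports_ncp(client) else "No", connection))
    return rows


if __name__ == "__main__":
    # Regenerate the server 2.5 tables from this page for all client versions.
    for label, server in (("a. default", SERVER_25_DEFAULT),
                          ("b. --data-ciphers", SERVER_25_B)):
        print(f"Server version 2.5 - {label}")
        for v in ("2.5", "2.4", "2.3", "2.2"):
            for row in expected_rows(server, v):
                print(f"  client {v}: --cipher {row[0]:<12} NCP {row[1]:<4} {row[2]}")
```

Running the script prints the same rows as the two server 2.5 sections above; changing SERVER_25_B or the client Peer arguments shows what a proposed --data-ciphers list does for each client version before it is rolled out, which is the check that matters when dropping BF-CBC or AES-256-CBC from a server.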
Corner case: OpenVPN built with --enable-small
TODO.
Only affects ..
And some fun ;-)
--cipher Client | --cipher Server | --data-ciphers Client | --data-ciphers Server | NCP Client | NCP Server | Expected |
---|---|---|---|---|---|---|
- | - | - | AES-256-GCM:AES-128-GCM | YES | YES | OK |
Even ..