wiki:CipherNegotiation

Version 14 (modified by tct, 4 years ago)

--

Cipher Negotiation (Quick reference)

Data channel cipher negotiation is complicated. This wiki defines the expected behaviour between OpenVPN servers and clients.

For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

OpenVPN effective directives:

--data-ciphers ALG:ALG - Data channel ciphers. Default ALG AES-256-GCM:AES-128-GCM
--data-ciphers-fallback ALG - Fallback data channel cipher.
--cipher ALG - Data channel cipher. To be deprecated. Default ALG BF-CBC
--ncp-disable - Disable NCP. Deprecated

Common configurations:

Servers:

2.5

  1. Default configuration: No effective directives specified.
  2. Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

2.4

  1. Default configuration: No effective directives specified.
  2. Using --cipher AES-256-CBC
  3. Using --cipher AES-256-CBC & --ncp-disable

2.3

  1. Default configuration: No effective directives specified.
  2. Using --cipher AES-256-CBC

2.2

  1. Default configuration: No effective directives specified.
    All bets are off.

Expected behaviour indexed by server version ("-" means the directive is not set):

Server version 2.5 - a. Default configuration: No effective directives specified.

  --cipher   --data-ciphers   -fallback   NCP
  -          -                -           Yes

Client version 2.5

  --cipher      --data-ciphers   -fallback   NCP   Connection
  -             -                -           Yes   OK. AES-256-GCM
  AES-256-CBC   -                -           Yes   OK. AES-256-GCM
  BF-CBC        -                -           Yes   OK. AES-256-GCM

Client version 2.4

  --cipher      NCP   Connection
  -             Yes   OK. AES-256-GCM
  AES-256-CBC   Yes   OK. AES-256-GCM
  BF-CBC        Yes   OK. AES-256-GCM

Client version 2.3

  --cipher      NCP   Connection
  -             No    Fail. (no shared cipher)
  AES-256-CBC   No    Fail. (no shared cipher)
  BF-CBC        No    Fail. (no shared cipher)

Client version 2.2

  --cipher   NCP   Connection
  -          No    Fail. (no shared cipher)
  BF-CBC     No    Fail. (no shared cipher)

Server version 2.5 - b. Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

  --cipher   --data-ciphers                                -fallback   NCP
  -          AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC   -           Yes

Client version 2.3

  --cipher      NCP   Connection
  -             No    OK. BF-CBC
  AES-256-CBC   No    OK. AES-256-CBC
  BF-CBC        No    OK. BF-CBC

Client version 2.2

  --cipher   NCP   Connection
  -          No    OK. BF-CBC
  BF-CBC     No    OK. BF-CBC
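As an added illustration (not code from this wiki or from the OpenVPN project), the Python model below re-derives the rows of the tables above. It encodes the selection rules from the linked cipher-negotiation document: an NCP client advertises a cipher list (IV_CIPHERS on 2.5, the two GCM ciphers implied by IV_NCP=2 on 2.4), the 2.5 server walks its own --data-ciphers list in order and takes the first cipher the client advertised, a non-NCP client's --cipher is learned from the cipher field of its OCC options string, a bare --cipher on a 2.5 client is appended to its default --data-ciphers list, and --data-ciphers-fallback is used only when nothing matched. The names Client, server25_negotiate, SERVER_B and expected_table are my own; the version tuples and the "None means no shared cipher" convention are assumptions of this model.

```python
# Added illustration (not OpenVPN code): a model of how an OpenVPN 2.5 server
# settles the data-channel cipher with 2.2 - 2.5 clients.

DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]   # 2.5 --data-ciphers default
DEFAULT_CIPHER = "BF-CBC"                               # --cipher default
IV_NCP2_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]        # what a 2.4 client's IV_NCP=2 means


class Client:
    """Client configuration; '-' in the tables above means the argument is left at None."""

    def __init__(self, version, cipher=None, data_ciphers=None, fallback=None):
        self.version = version                   # e.g. (2, 4)
        self.cipher = cipher or DEFAULT_CIPHER
        self.fallback = fallback
        if data_ciphers:
            self.data_ciphers = list(data_ciphers)
        elif version >= (2, 5) and cipher:
            # 2.5 appends a bare --cipher to the default --data-ciphers list
            self.data_ciphers = DEFAULT_DATA_CIPHERS + [cipher]
        else:
            self.data_ciphers = list(DEFAULT_DATA_CIPHERS)

    def advertised(self):
        """Cipher list the server learns via IV_CIPHERS (2.5) or IV_NCP=2 (2.4)."""
        if self.version >= (2, 5):
            return self.data_ciphers
        if self.version >= (2, 4):
            return IV_NCP2_CIPHERS
        return []                                 # 2.2 / 2.3: no NCP support

    def occ_cipher(self):
        """The cipher field of the OCC options string; every version modelled here sends it."""
        return self.cipher

    def accepts(self, cipher):
        """Whether the client will run with the cipher the server settled on."""
        if self.version >= (2, 5):
            return cipher in self.data_ciphers or cipher == self.fallback
        if self.version >= (2, 4):
            return cipher in IV_NCP2_CIPHERS or cipher == self.cipher
        return cipher == self.cipher              # non-NCP: must equal its own --cipher


def server25_negotiate(client, data_ciphers=None, fallback=None):
    """Return the cipher a 2.5 server ends up using, or None for 'no shared cipher'."""
    server_list = data_ciphers or DEFAULT_DATA_CIPHERS
    peer_list = client.advertised()
    occ = client.occ_cipher()
    chosen = None
    for candidate in server_list:                 # server preference order decides
        if candidate in peer_list or candidate == occ:
            chosen = candidate
            break
    if chosen is None:
        if fallback is None:
            return None                           # the "Fail. (no shared cipher)" rows
        chosen = fallback                         # --data-ciphers-fallback as last resort
    return chosen if client.accepts(chosen) else None


# Server configuration b. from the tables above (constructed list, same values)
SERVER_B = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "BF-CBC"]


def expected_table():
    """Re-derive a few rows of the tables above, keyed by (server config, client version, --cipher)."""
    return {
        ("a", (2, 5), None): server25_negotiate(Client((2, 5))),
        ("a", (2, 4), "AES-256-CBC"): server25_negotiate(Client((2, 4), "AES-256-CBC")),
        ("a", (2, 3), None): server25_negotiate(Client((2, 3))),
        ("b", (2, 3), "AES-256-CBC"): server25_negotiate(Client((2, 3), "AES-256-CBC"), SERVER_B),
        ("b", (2, 2), None): server25_negotiate(Client((2, 2)), SERVER_B),
    }


if __name__ == "__main__":
    for key, result in expected_table().items():
        print(key, "->", result or "Fail (no shared cipher)")
```

The model makes the failure rows easy to read: a 2.3 or 2.2 client never advertises a list, so against the default server list (GCM only) its OCC cipher has nothing to match and the result is None, while server configuration b. contains BF-CBC and AES-256-CBC and so picks up the client's own --cipher.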

Corner case: OpenVPN built with --enable-small

TODO.
Only affects ..


And some fun ;-)

  --cipher           --data-ciphers                      -fallback   NCP                Expected
  Client   Server    Client   Server                                 Client   Server
  -        -         -        AES-256-GCM:AES-128-GCM                YES      YES       OK

Even ..