
Version 17 (modified by tct, 4 years ago) (diff)


OpenVPN Cipher Negotiation (Quick reference)

This wiki page describes the expected behaviour of cipher negotiation between common configurations of OpenVPN servers and clients.

For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

Effective directives

--data-ciphers ALG:ALG - Data channel ciphers. Default ALG AES-256-GCM:AES-128-GCM
--data-ciphers-fallback ALG - Fallback data channel cipher.
--cipher ALG - Data channel cipher. To be deprecated.

In OpenVPN 2.5 --cipher does not have a default ALG.
In OpenVPN up to 2.4 the default ALG is BF-CBC.

--ncp-disable - Disable NCP - Deprecated.

Common configurations

Servers

  1. Version 2.5
    1. Default configuration: No effective directives specified.
    2. Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

  2. Version 2.4
    1. Default configuration: No effective directives specified.
    2. Using --cipher AES-256-CBC
    3. Using --cipher AES-256-CBC & --ncp-disable

  3. Version 2.3
    1. Default configuration: No effective directives specified.
    2. Using --cipher AES-256-CBC

  4. Version 2.2
    1. Default configuration: No effective directives specified.
    2. All bets are off.

Clients

  1. Version 2.5
    1. Default configuration: No effective directives specified.

  2. Version 2.4
    1. Default configuration: No effective directives specified.

  3. Version 2.3
    1. Default configuration: No effective directives specified.

  4. Version 2.2
    1. Default configuration: No effective directives specified.

Expected Behaviour indexed by Server version

Server version 2.5

Default configuration: No effective directives specified.

  Server     --cipher      --data-ciphers   -fallback   NCP
             -             -                -           Yes

  • Client version 2.5
    --cipher      --data-ciphers   -fallback   NCP   Connection
    -             -                -           Yes   OK. AES-256-GCM
    AES-256-CBC   -                -           Yes   OK. AES-256-GCM
    BF-CBC        -                -           Yes   OK. AES-256-GCM

  • Client version 2.4
    --cipher      NCP   Connection
    -             Yes   OK. AES-256-GCM
    AES-256-CBC   Yes   OK. AES-256-GCM
    BF-CBC        Yes   OK. AES-256-GCM

  • Client version 2.3
    --cipher      NCP   Connection
    -             No    Fail (no shared cipher)
    AES-256-CBC   No    Fail (no shared cipher)
    BF-CBC        No    Fail (no shared cipher)

  • Client version 2.2
    --cipher      NCP   Connection
    -             No    Fail (no shared cipher)
    BF-CBC        No    Fail (no shared cipher)

Using: --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

  Server     --cipher   --data-ciphers                              -fallback   NCP
             -          AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC   -           Yes

  • Client version 2.3
    --cipher      NCP   Connection
    -             No    OK. BF-CBC
    AES-256-CBC   No    OK. AES-256-CBC
    BF-CBC        No    OK. BF-CBC

  • Client version 2.2
    --cipher      NCP   Connection
    -             No    OK. BF-CBC
    BF-CBC        No    OK. BF-CBC

Server version 2.4

Default configuration: No effective directives specified.

  Server     --cipher   --ncp-ciphers   NCP
             -          -               Yes

  • Client version 2.5
    --cipher      --data-ciphers   -fallback   NCP   Connection
    -             -                -           Yes   OK. AES-256-GCM
    AES-256-CBC   -                -           Yes   OK. AES-256-GCM
    BF-CBC        -                -           Yes   OK. AES-256-GCM

  • Client version 2.4
    --cipher      --ncp-ciphers   NCP   Connection
    -             -               Yes   OK. AES-256-GCM
    AES-256-CBC   -               Yes   OK. AES-256-GCM
    BF-CBC        -               Yes   OK. AES-256-GCM
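The tables above follow a small set of rules: a client with NCP (2.4 or 2.5) always ends up on the server's first --data-ciphers entry, whatever its own --cipher says, while a client without NCP (2.3 or 2.2) only connects if its --cipher (default BF-CBC) appears in the server's list. The following is an added example, not OpenVPN code, that models those rules so an administrator can check which clients a tightened --data-ciphers list will lock out before deploying it. It assumes an NCP-enabled 2.5 server (or a 2.4 server with the equivalent --ncp-ciphers list) and covers only the client versions shown on this page.

```python
# Added model of the negotiation outcomes tabulated on this page (not OpenVPN code).
# Assumptions: the server is 2.5 with NCP enabled (or 2.4 with --ncp-ciphers), and
# clients are 2.2 to 2.5 running either a default config or a single --cipher.

DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.5 --data-ciphers default
LEGACY_DEFAULT_CIPHER = "BF-CBC"                        # --cipher default up to 2.4
NCP_CLIENT_VERSIONS = {"2.4", "2.5"}


def negotiate(client_version, server_data_ciphers=None, client_cipher=None):
    """Return the data-channel cipher the client ends up with, or None on failure.

    client_version:      "2.2", "2.3", "2.4" or "2.5".
    server_data_ciphers: the server's --data-ciphers list (None = the default).
    client_cipher:       the client's --cipher, or None when not specified.
    """
    offered = server_data_ciphers or DEFAULT_DATA_CIPHERS
    if client_version in NCP_CLIENT_VERSIONS:
        # NCP clients take the server's preferred cipher; their own --cipher is ignored.
        return offered[0]
    # 2.3/2.2 clients have no NCP: their --cipher (BF-CBC if unset) must be in the
    # server's list, otherwise the server logs "no shared cipher" and the link fails.
    wanted = client_cipher or LEGACY_DEFAULT_CIPHER
    return wanted if wanted in offered else None


def audit(server_data_ciphers, clients):
    """Map each (name, version, cipher) client to its outcome under a proposed list.

    The outcome is the negotiated cipher, or None for clients that will stop connecting.
    """
    return {
        name: negotiate(version, server_data_ciphers, cipher)
        for name, version, cipher in clients
    }


if __name__ == "__main__":
    # Constructed client fleet for illustration.
    fleet = [("laptop", "2.5", None), ("router", "2.4", "AES-256-CBC"),
             ("old-box", "2.3", None), ("older-box", "2.2", "BF-CBC")]
    print("default list:", audit(None, fleet))
    print("with CBC and BF-CBC:",
          audit(["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "BF-CBC"], fleet))
```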

Corner case: OpenVPN built with --enable-small

TODO.
Only affects ..


And some fun ;-)

(Unfinished table; only its cells survived extraction. Column headers: --cipher, --data-cipher, -fallback, NCP, Expected, with Client/Server sub-columns. Cell values: -, -, -, AES-256-GCM:AES-128-GCM, YES, YES, OK.)

Even ..