Version 17 (modified 4 years ago)
OpenVPN Cipher Negotiation (Quick reference)
This wiki page defines the expected behaviour of cipher negotiation between common configurations of OpenVPN servers and clients.
For full details please see:
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
Effective directives
- --data-ciphers ALG:ALG - Data channel ciphers. Default ALG: AES-256-GCM:AES-128-GCM
- --data-ciphers-fallback ALG - Fallback data channel cipher.
- --cipher ALG - Data channel cipher. To be deprecated. In OpenVPN 2.5 --cipher does not have a default ALG. In OpenVPN up to 2.4 the default ALG is BF-CBC.
- --ncp-disable - Disable NCP - Deprecated.
Common configurations
Servers
- Version 2.5
  - Default configuration: No effective directives specified.
  - Using --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
- Version 2.4
  - Default configuration: No effective directives specified.
  - Using --cipher AES-256-CBC
  - Using --cipher AES-256-CBC & --ncp-disable
- Version 2.3
  - Default configuration: No effective directives specified.
  - Using --cipher AES-256-CBC
- Version 2.2
  - Default configuration: No effective directives specified.
  - All bets are off.
Clients
- Version 2.5
  - Default configuration: No effective directives specified.
- Version 2.4
  - Default configuration: No effective directives specified.
- Version 2.3
  - Default configuration: No effective directives specified.
- Version 2.2
  - Default configuration: No effective directives specified.
Expected Behaviour indexed by Server version
Server version 2.5
Default configuration: No effective directives specified.
--cipher | --data-ciphers | -fallback | NCP |
---|---|---|---|
- | - | - | Yes |
- Client version 2.5

--cipher | --data-ciphers | -fallback | NCP | Connection |
---|---|---|---|---|
- | - | - | Yes | OK. AES-256-GCM |
AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
BF-CBC | - | - | Yes | OK. AES-256-GCM |

- Client version 2.4

--cipher | NCP | Connection |
---|---|---|
- | Yes | OK. AES-256-GCM |
AES-256-CBC | Yes | OK. AES-256-GCM |
BF-CBC | Yes | OK. AES-256-GCM |

- Client version 2.3

--cipher | NCP | Connection |
---|---|---|
- | No | Fail. (no shared cipher) |
AES-256-CBC | No | Fail. (no shared cipher) |
BF-CBC | No | Fail. (no shared cipher) |

- Client version 2.2

--cipher | NCP | Connection |
---|---|---|
- | No | Fail. (no shared cipher) |
BF-CBC | No | Fail. (no shared cipher) |
Using: --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
--cipher | --data-ciphers | -fallback | NCP |
---|---|---|---|
- | AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC | - | Yes |
- Client version 2.3

--cipher | NCP | Connection |
---|---|---|
- | No | OK. BF-CBC |
AES-256-CBC | No | OK. AES-256-CBC |
BF-CBC | No | OK. BF-CBC |

- Client version 2.2

--cipher | NCP | Connection |
---|---|---|
- | No | OK. BF-CBC |
BF-CBC | No | OK. BF-CBC |
Server version 2.4
Default configuration: No effective directives specified.
--cipher | --ncp-ciphers | NCP |
---|---|---|
- | - | Yes |
- Client version 2.5

--cipher | --data-ciphers | -fallback | NCP | Connection |
---|---|---|---|---|
- | - | - | Yes | OK. AES-256-GCM |
AES-256-CBC | - | - | Yes | OK. AES-256-GCM |
BF-CBC | - | - | Yes | OK. AES-256-GCM |

- Client version 2.4

--cipher | --ncp-ciphers | NCP | Connection |
---|---|---|---|
- | - | Yes | OK. AES-256-GCM |
AES-256-CBC | - | Yes | OK. AES-256-GCM |
BF-CBC | - | Yes | OK. AES-256-GCM |
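To query the outcomes in the tables above for an arbitrary pair of versions and directives, here is an added example (not the wiki's or OpenVPN's own code) that models the negotiation rules those tables embody, using the defaults listed under Effective directives. It goes beyond the tables in one respect: a legacy (non-NCP) server facing an NCP client is handled by assuming, as the linked man page describes, that a 2.4 peer falls back to its own --cipher and a 2.5 peer accepts a cipher that appears in its --data-ciphers or --data-ciphers-fallback; a --cipher on a 2.5 peer is treated as ignored for negotiation, as the tables do.

```python
# Simplified model of OpenVPN data-channel cipher selection, derived from the
# tables on this page and the linked cipher-negotiation.rst. Added example,
# not OpenVPN's own code. Versions are (major, minor) tuples; a --cipher on a
# 2.5 peer is treated as ignored for negotiation, as the tables above do.

NCP_DEFAULT = ["AES-256-GCM", "AES-128-GCM"]  # default --ncp-ciphers (2.4) / --data-ciphers (2.5)
LEGACY_DEFAULT_CIPHER = "BF-CBC"              # --cipher default up to 2.4; 2.5 has no default


def peer(version, cipher=None, data_ciphers=None, fallback=None, ncp_disable=False):
    """One side of the connection; only the directives listed on this page are modelled."""
    return {"version": version, "cipher": cipher, "data_ciphers": data_ciphers,
            "fallback": fallback, "ncp_disable": ncp_disable}


def has_ncp(p):
    """NCP exists from 2.4 on and is switched off by --ncp-disable."""
    return p["version"] >= (2, 4) and not p["ncp_disable"]


def ncp_list(p):
    return p["data_ciphers"] or NCP_DEFAULT


def static_cipher(p):
    """The single cipher a peer uses when it is not negotiating."""
    if p["cipher"]:
        return p["cipher"]
    return LEGACY_DEFAULT_CIPHER if p["version"] < (2, 5) else None


def accepts(p, cipher):
    """Whether an NCP-capable peer accepts the cipher dictated by a legacy peer (assumption from the man page)."""
    if p["version"] >= (2, 5):
        return cipher in ncp_list(p) or cipher == p["fallback"]
    return cipher == static_cipher(p)  # a 2.4 peer falls back to its own --cipher


def negotiate(server, client):
    """Return the data-channel cipher the peers end up with, or None for 'no shared cipher'."""
    if has_ncp(server) and has_ncp(client):
        # Both negotiate: first entry of the server's list that the client also offers.
        wanted = set(ncp_list(client))
        return next((c for c in ncp_list(server) if c in wanted), None)
    if has_ncp(server) != has_ncp(client):
        # One side is legacy and dictates its single cipher; the other must accept it.
        legacy, modern = (client, server) if has_ncp(server) else (server, client)
        c = static_cipher(legacy)
        return c if c and accepts(modern, c) else None
    a, b = static_cipher(server), static_cipher(client)
    return a if a and a == b else None  # two legacy peers must simply agree
```

Calling negotiate(peer((2, 5), data_ciphers=[...]), peer((2, 3))) reproduces the "Using: --data-ciphers" rows above, and a None result corresponds to the "Fail. (no shared cipher)" rows.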
Corner case: OpenVPN built with --enable-small
TODO.
Only affects ..
And some fun ;-)

 | | | | NCP | | Expected |
Client | Server | Client | Server | Client | Server | |
---|---|---|---|---|---|---|
- | - | - | AES-256-GCM:AES-128-GCM | YES | YES | OK |

Even ..