= OpenVPN Cipher Negotiation (Quick reference)

This wiki page defines the **expected** behaviour of data channel cipher negotiation between common configurations of OpenVPN servers and clients. OpenVPN would like to know about any ''unexpected'' behaviour.

For full details please see:[[br]]
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

[[TOC(notitle, inline)]]

== Effective directives

2.5: `--data-ciphers ALG:ALG` - Data channel ciphers that may be negotiated (NCP), in order of preference. Default `ALG:ALG` is AES-256-GCM:AES-128-GCM.[[br]]
2.5: `--data-ciphers-fallback ALG` - Data channel cipher used when the peer does not support NCP. No default.[[br]]
2.4: `--ncp-ciphers ALG:ALG` - Same meaning as `--data-ciphers`; 2.5 still accepts the old name. Default `ALG:ALG` is AES-256-GCM:AES-128-GCM.[[br]]
All: `--cipher ALG` - Data channel cipher when no negotiation takes place. **Deprecated** for cipher negotiation in 2.5 (2.5 still honours it, see the tables below); use `--data-ciphers` and `--data-ciphers-fallback` instead.[[br]]
In OpenVPN 2.5 `--cipher` has no default `ALG`: a 2.5 peer with neither `--cipher` nor `--data-ciphers-fallback` has nothing to offer a peer that cannot negotiate.[[br]]
In OpenVPN up to 2.4 the default `ALG` is BF-CBC (64-bit block size, see SWEET32).[[br]]
2.4: `--ncp-disable` - Disable NCP, pinning the data channel to `--cipher` - **Deprecated** in 2.5.[[br]]

== Common configurations

Commonly expected configurations of the ''Effective directives'' above.

=== Servers

 * Version 2.5
   a. Default configuration: No effective directives specified.
   a. Configuring:[[br]]
      `--data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC`[[br]]
      `--cipher BF-CBC`
 * Version 2.4
   a. Default configuration: No effective directives specified.
   a. Configuring: `--cipher`
   a. Configuring: `--cipher` and `--ncp-disable`
 * Version 2.3
   a. Default configuration: No effective directives specified.
   a. Configuring: `--cipher`
 * Version 2.2
   a. Default configuration: No effective directives specified.
   a. Configuring: All bets are off - Upgrade now!

=== Clients

 * Version 2.5
   a. Default configuration: No effective directives specified.
   a. Configuring: `--cipher`
 * Version 2.4
   a. Default configuration: No effective directives specified.
   a. Configuring: `--cipher`
 * Version 2.3
   a. Default configuration: No effective directives specified.
   a. Configuring: `--cipher`
 * Version 2.2
   a. Default configuration: No effective directives specified.
   a. Configuring: All bets are off - Upgrade now!
== Expected Behaviour indexed by Server version

Column key: the directive columns show the value set on that peer (`-` = not set). NCP shows whether the data channel cipher is negotiated: `Yes`, `No` (neither side negotiates) or `Denied` (the client offers NCP but the server does not negotiate, because it is too old or runs with `--ncp-disable`). Connection shows the result and the data channel cipher in use.

=== Server version 2.5

==== Default configuration: No effective directives specified.

Server:
||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||
|| - || - || - || Yes ||

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || - || - || Yes || OK. AES-256-GCM ||
|| BF-CBC || - || - || Yes || OK. AES-256-GCM ||

 * __Client version 2.4__

||= `--cipher` =||= NCP =||= Connection =||
|| - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || Yes || OK. AES-256-GCM ||
|| BF-CBC || Yes || OK. AES-256-GCM ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

A 2.5 server in the default configuration has no fallback cipher, so clients that cannot negotiate (2.3 and older) are rejected whatever `--cipher` they set.

----
==== Server version 2.5 Configuring: `--data-ciphers` and `--cipher`

Server:
||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||
|| BF-CBC || AES-256-GCM:AES-128-GCM:AES-256-CBC || - || Yes ||

Because `--cipher BF-CBC` is not in `--data-ciphers`, the 2.5 server appends it to the list (with a deprecation warning) and uses it as the fallback. 2.5 and 2.4 clients negotiate AES-256-GCM exactly as in the default configuration above; only the clients that cannot negotiate differ:

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| AES-256-CBC || No || OK. AES-256-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

----
=== Server version 2.4

==== Default configuration: No effective directives specified.

Server:
||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||
|| - || - || Yes ||

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || - || - || Yes || OK. AES-256-GCM ||
|| BF-CBC || - || - || Yes || OK. AES-256-GCM ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || - || Yes || OK. AES-256-GCM ||
|| BF-CBC || - || Yes || OK. AES-256-GCM ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || OK. BF-CBC ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

A 2.4 server falls back to its own `--cipher` (default BF-CBC) for clients that cannot negotiate; the client's `--cipher` must match it exactly.

----
==== Server version 2.4 Configuring: `--cipher`

Server:
||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||
|| AES-256-CBC || - || Yes ||

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || - || - || Yes || OK. AES-256-GCM ||
|| BF-CBC || - || - || Yes || OK. AES-256-GCM ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || Yes || OK. AES-256-GCM ||
|| AES-256-CBC || - || Yes || OK. AES-256-GCM ||
|| BF-CBC || - || Yes || OK. AES-256-GCM ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || OK. AES-256-CBC ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----
==== Server version 2.4 Configuring: `--cipher` and `--ncp-disable`

Server:
||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||
|| AES-256-CBC || - || No ||

With `--ncp-disable` the server never negotiates, so every client, including 2.5 and 2.4, must set the same `--cipher` as the server:

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || - || `Denied` || OK. AES-256-CBC ||
|| BF-CBC || - || - || `Denied` || `Fail (no shared cipher)` ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || `Denied` || OK. AES-256-CBC ||
|| BF-CBC || - || `Denied` || `Fail (no shared cipher)` ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || OK. AES-256-CBC ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----
=== Server version 2.3

==== Default configuration: No effective directives specified.

Server:
||= `--cipher` =||= NCP =||
|| - || No ||

A 2.3 server uses BF-CBC and cannot negotiate. A 2.5 client has no default `--cipher` and no fallback, so it must be configured with `--cipher BF-CBC` (or `--data-ciphers-fallback BF-CBC`) to connect at all; a 2.4 client still defaults to BF-CBC and connects unchanged.

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || - || `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC || - || - || `Denied` || OK. BF-CBC ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || `Denied` || OK. BF-CBC ||
|| AES-256-CBC || - || `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC || - || `Denied` || OK. BF-CBC ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || OK. BF-CBC ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

----
==== Server version 2.3 Configuring: `--cipher`

Server:
||= `--cipher` =||= NCP =||
|| AES-256-CBC || No ||

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || - || `Denied` || OK. AES-256-CBC ||
|| BF-CBC || - || - || `Denied` || `Fail (no shared cipher)` ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || `Denied` || OK. AES-256-CBC ||
|| BF-CBC || - || `Denied` || `Fail (no shared cipher)` ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || OK. AES-256-CBC ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----
=== Server version 2.2

==== Default configuration: No effective directives specified.

Server:
||= `--cipher` =||= NCP =||
|| - || No ||

For cipher negotiation a 2.2 server behaves like a 2.3 server: BF-CBC, no NCP.

 * __Client version 2.5__

||= `--cipher` =||= `--data-ciphers` =||= `--data-ciphers-fallback` =||= NCP =||= Connection =||
|| - || - || - || `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC || - || - || `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC || - || - || `Denied` || OK. BF-CBC ||

 * __Client version 2.4__

||= `--cipher` =||= `--ncp-ciphers` =||= NCP =||= Connection =||
|| - || - || `Denied` || OK. BF-CBC ||
|| AES-256-CBC || - || `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC || - || `Denied` || OK. BF-CBC ||

 * __Client version 2.3__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || OK. BF-CBC ||

 * __Client version 2.2__

||= `--cipher` =||= NCP =||= Connection =||
|| - || No || OK. BF-CBC ||
|| BF-CBC || No || OK. BF-CBC ||

----
==== Server version 2.2 Configuring: `--cipher`

Server:
||= `--cipher` =||= NCP =||
|| CAMELLIA-128-CBC || No ||

 * Medal to you if you know what to do ..

----
== Corner case: OpenVPN built with `--enable-small`

**TODO**.[[br]]
Only affects .. ?
Please contact OpenVPN if you have issues related to `--enable-small`.

----
And some fun ;-) An early version of the table above:

{{{#!td colspan=2 align=middle
`--cipher`
}}}
{{{#!td colspan=2 align=middle
`--data-ciphers`
}}}
{{{#!td align=middle
`--data-ciphers-fallback`
}}}
{{{#!td colspan=2 align=middle
NCP
}}}
{{{#!td align=middle
Expected
}}}
|----------------
{{{#!td style="background: #eef" align=middle
Client
}}}
{{{#!td style="background: #eef" align=middle
Server
}}}
{{{#!td style="background: #fee" align=middle
Client
}}}
{{{#!td style="background: #fee" align=middle
Server
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
Client
}}}
{{{#!td style="background: #efe" align=middle
Server
}}}
{{{#!td align=middle
}}}
|----------------
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #eef" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
-
}}}
{{{#!td style="background: #fee" align=middle
AES-256-GCM:AES-128-GCM
}}}
{{{#!td align=middle
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td style="background: #efe" align=middle
YES
}}}
{{{#!td align=middle
OK
}}}
|----------------
{{{#!td
Even ..
}}}
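The rules behind the ''Effective directives'' list and the ''Expected Behaviour'' tables above, as an added worked example. This is not OpenVPN code and not part of the original page: it is a small Python model that encodes the directive semantics for 2.2 to 2.5 (`--cipher`, `--ncp-ciphers`/`--data-ciphers`, `--data-ciphers-fallback`, `--ncp-disable`) so that a server/client pair can be checked before an upgrade, and reports the configuration findings an operator wants (BF-CBC in use, `--cipher` outside `--data-ciphers`, a 2.5 peer with no fallback). The names `Peer`, `negotiate`, `outcome` and `findings` are this example's own; versions, directives and builds outside the tables (for example `--enable-small`) are not modelled.

```python
"""Model of the OpenVPN data channel cipher negotiation rules on this page.

Added example, not OpenVPN code: it encodes the directive semantics and the
expected-behaviour tables for OpenVPN 2.2 to 2.5 so that a server/client
configuration pair can be checked ahead of a change. Only the versions and
directives covered by the tables are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional

# Default of --ncp-ciphers (2.4) and --data-ciphers (2.5).
DEFAULT_NCP = ["AES-256-GCM", "AES-128-GCM"]


@dataclass
class Peer:
    version: str                              # "2.2", "2.3", "2.4" or "2.5"
    cipher: Optional[str] = None              # --cipher
    data_ciphers: Optional[List[str]] = None  # --ncp-ciphers (2.4) / --data-ciphers (2.5)
    fallback: Optional[str] = None            # --data-ciphers-fallback (2.5 only)
    ncp_disable: bool = False                 # --ncp-disable (2.4 only)

    def supports_ncp(self) -> bool:
        return self.version in ("2.4", "2.5") and not self.ncp_disable

    def ncp_list(self) -> List[str]:
        """Ciphers this peer is willing to negotiate, in preference order."""
        algs = list(self.data_ciphers or DEFAULT_NCP)
        # 2.5 appends a --cipher that is missing from --data-ciphers (and logs a
        # deprecation warning) so that old-style configs keep working.
        if self.version == "2.5" and self.cipher and self.cipher not in algs:
            algs.append(self.cipher)
        return algs

    def static_cipher(self) -> Optional[str]:
        """Cipher used when no negotiation takes place (None = nothing to offer)."""
        if self.version == "2.5":
            return self.fallback or self.cipher   # 2.5: --cipher has no default
        return self.cipher or "BF-CBC"            # up to 2.4: default is BF-CBC


def negotiate(server: Peer, client: Peer) -> Optional[str]:
    """Return the data channel cipher, or None for 'no shared cipher'."""
    if server.supports_ncp() and client.supports_ncp():
        # NCP: the server takes the first entry of its own list the client offers.
        for alg in server.ncp_list():
            if alg in client.ncp_list():
                return alg
        return None
    if server.supports_ncp():
        # Client cannot negotiate: a 2.5 server accepts the client's cipher if it
        # is in --data-ciphers; a 2.4 server only if it equals its own --cipher.
        offered = client.static_cipher()
        allowed = server.ncp_list() if server.version == "2.5" else [server.static_cipher()]
        return offered if offered and offered in allowed else None
    # Server cannot negotiate (too old or --ncp-disable): the client falls back
    # to its static cipher, which must match the server's exactly.
    srv, cli = server.static_cipher(), client.static_cipher()
    return srv if srv and srv == cli else None


def outcome(server: Peer, client: Peer) -> str:
    """Same wording as the 'Connection' column of the tables on this page."""
    alg = negotiate(server, client)
    return "OK. %s" % alg if alg else "Fail (no shared cipher)"


def findings(peer: Peer) -> List[str]:
    """Configuration checks derived from the directive list on this page."""
    out = []
    in_use = set(peer.ncp_list()) if peer.supports_ncp() else set()
    if peer.static_cipher():
        in_use.add(peer.static_cipher())
    if "BF-CBC" in in_use:
        out.append("BF-CBC has a 64-bit block (SWEET32); OpenVPN logs it as INSECURE")
    if peer.version == "2.5" and peer.cipher and peer.cipher not in (peer.data_ciphers or DEFAULT_NCP):
        out.append("--cipher %s is not in --data-ciphers: 2.5 appends it and warns; "
                   "use --data-ciphers-fallback %s instead" % (peer.cipher, peer.cipher))
    if peer.version == "2.5" and not peer.static_cipher():
        out.append("no --data-ciphers-fallback: peers without NCP (2.3 and older) get 'no shared cipher'")
    if peer.ncp_disable:
        out.append("--ncp-disable is deprecated; the data channel is pinned to --cipher")
    return out


if __name__ == "__main__":
    # The 'Server version 2.5 Configuring' case from the tables above.
    server = Peer("2.5", cipher="BF-CBC",
                  data_ciphers=["AES-256-GCM", "AES-128-GCM", "AES-256-CBC"])
    for client in (Peer("2.5"), Peer("2.4"), Peer("2.3"), Peer("2.3", cipher="AES-256-CBC")):
        print("client %s (--cipher %s): %s" % (client.version, client.cipher or "-",
                                               outcome(server, client)))
    for f in findings(server):
        print("server finding:", f)
```

Running the module reproduces the rows of the ''Server version 2.5 Configuring'' section and flags both the BF-CBC fallback and the `--cipher`-outside-`--data-ciphers` deprecation; swap in the other `Peer` combinations from the tables to check a planned change before rolling it out.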