= OpenVPN Cipher Negotiation (Quick reference)

This wiki page defines the **expected** behaviour of Cipher Negotiation between common configurations of OpenVPN servers and clients.

OpenVPN would like to know about any ''unexpected'' behaviour.

For full details please see: [[br]]
https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

[[TOC(notitle, inline)]]

== Effective directives

2.5: `--data-ciphers ALG:ALG` - Data channel ciphers. Default `ALG` AES-256-GCM:AES-128-GCM[[br]]
2.5: `--data-ciphers-fallback ALG` - Fallback data channel cipher.[[br]]
2.4: `--ncp-ciphers ALG:ALG` - Data channel ciphers offered for NCP, renamed `--data-ciphers` in 2.5. Same default `ALG`.[[br]]
All: `--cipher ALG` - Data channel cipher. **Will be deprecated**.[[br]]
In OpenVPN 2.5 `--cipher` does not have a default `ALG`.[[br]]
In OpenVPN up to 2.4 the default `ALG` is BF-CBC.[[br]]
2.4: `--ncp-disable` - Disable NCP - **Deprecated**.[[br]]

== Common configurations

Commonly expected configurations of the ''Effective directives'' above.

=== Servers

* Version 2.5
  a. Default configuration: No effective directives specified.
  a. Configuring: `--data-ciphers` and `--cipher`
* Version 2.4
  a. Default configuration: No effective directives specified.
  a. Configuring: `--cipher`
  a. Configuring: `--cipher` and `--ncp-disable`
* Version 2.3
  a. Default configuration: No effective directives specified.
  a. Configuring: `--cipher`
* Version 2.2
  a. Default configuration: No effective directives specified.
  a. Configuring: All bets are off - Upgrade now!

=== Clients

* Version 2.5
  a. Default configuration: No effective directives specified.
* Version 2.4
  a. Default configuration: No effective directives specified.
  a. Configuring: `--cipher`
* Version 2.3
  a. Default configuration: No effective directives specified.
  a. Configuring: `--cipher`
* Version 2.2
  a. Default configuration: No effective directives specified.
  a. Configuring: All bets are off - Upgrade now!

== Expected Behaviour indexed by Server version

=== Server version 2.5

==== Default configuration: No effective directives specified.

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP ||
|| - ||= - =||= - =|| Yes ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.4__

|| `--cipher` || NCP || Connection ||
|| - || Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC || Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC || Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----

==== Server version 2.5 Configuring: `--data-ciphers` and `--cipher`

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP ||
|| BF-CBC ||= AES-256-GCM:AES-128-GCM:AES-256-CBC =||= - =|| Yes ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

----

=== Server version 2.4

==== Default configuration: No effective directives specified.

|| `--cipher` ||= `--ncp-ciphers` =|| NCP ||
|| - ||= - =|| Yes ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

----

==== Server version 2.4 Configuring: `--cipher`

|| `--cipher` ||= `--ncp-ciphers` =|| NCP ||
|| AES-256-CBC ||= - =|| Yes ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC ||= - =||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| AES-256-CBC ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||
|| BF-CBC ||= - =|| Yes || '''[[span(style=color: #007000, OK. AES-256-GCM )]]''' ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----

==== Server version 2.4 Configuring: `--cipher` and `--ncp-disable`

|| `--cipher` ||= `--ncp-ciphers` =|| NCP ||
|| AES-256-CBC ||= - =|| No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----

=== Server version 2.3

==== Default configuration: No effective directives specified.

|| `--cipher` || NCP ||
|| - || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =||= - =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

----

==== Server version 2.3 Configuring: `--cipher`

|| `--cipher` || NCP ||
|| AES-256-CBC || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----

=== Server version 2.2

==== Default configuration: No effective directives specified.

|| `--cipher` || NCP ||
|| - || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =||= - =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC || No || `Fail (no shared cipher)` ||
|| BF-CBC || No || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||

----

==== Server version 2.2 Configuring: `--cipher`

|| `--cipher` || NCP ||
|| AES-256-CBC || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.4__

|| `--cipher` ||= `--ncp-ciphers` =|| NCP || Connection ||
|| - ||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC ||= - =|| `Denied` || `Fail (no shared cipher)` ||

* __Client version 2.3__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

* __Client version 2.2__

|| `--cipher` || NCP || Connection ||
|| - || No || `Fail (no shared cipher)` ||
|| AES-256-CBC || No || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| BF-CBC || No || `Fail (no shared cipher)` ||

----

== Corner case: OpenVPN built with `--enable-small`

A build configured with `--enable-small` omits the OCC options string, so the peer cannot learn which `--cipher` this side uses and must already be configured with a matching cipher.

=== Server version 2.3 built with `--enable-small`

==== Default configuration: No effective directives specified.

|| `--cipher` || NCP ||
|| - || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= BF-CBC =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-GCM ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

==== Configuring: `--cipher`

|| `--cipher` || NCP ||
|| AES-256-CBC || No ||

* __Client version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= BF-CBC =|| `Denied` || `Fail (no shared cipher)` ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| AES-256-GCM ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

=== Client version 2.3 built with `--enable-small`

==== Default configuration: No effective directives specified.

|| `--cipher` || NCP ||
|| - || No ||

* __Server version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= BF-CBC =|| `Denied` || ''[[span(style=color: #806000, **Weak** BF-CBC )]]'' ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||

==== Configuring: `--cipher`

|| `--cipher` || NCP ||
|| AES-256-CBC || No ||

* __Server version 2.5__

|| `--cipher` ||= `--data-ciphers` =||= `-fallback` =|| NCP || Connection ||
|| - ||= - =||= AES-256-CBC =|| `Denied` || '''[[span(style=color: #007000, OK. AES-256-CBC )]]''' ||
|| AES-256-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
|| BF-CBC ||= - =||= - =|| `Denied` || `Fail (no shared cipher)` ||
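The rules behind the tables above, as an added executable model (this is example code, not OpenVPN's own): `negotiate()` returns the NCP and Connection columns for one server/client pair, so a combination that is not listed can be checked against the same rules. The `Peer` class, its field names and `negotiate()` are this example's own inventions; the outcomes follow this page, including the `--enable-small` corner case in which a 2.5 server without OCC data only falls back to `--data-ciphers-fallback`.

```python
"""Executable model of the outcomes tabulated above (added example, not OpenVPN code):
rules distilled from the tables, so a server/client pair can be checked against them."""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_NCP = ("AES-256-GCM", "AES-128-GCM")  # 2.4 --ncp-ciphers / 2.5 --data-ciphers default
WEAK = {"BF-CBC"}                             # 64-bit block cipher, labelled "Weak" in the tables

@dataclass
class Peer:
    version: str                                # "2.2", "2.3", "2.4" or "2.5"
    cipher: Optional[str] = None                # --cipher (unset in 2.5, BF-CBC before)
    ncp_ciphers: Tuple[str, ...] = DEFAULT_NCP  # --ncp-ciphers (2.4) / --data-ciphers (2.5)
    fallback: Optional[str] = None              # --data-ciphers-fallback (2.5 only)
    ncp_disable: bool = False                   # --ncp-disable (2.4)
    small: bool = False                         # built with --enable-small: sends no OCC string

    def ncp(self) -> bool:
        return self.version == "2.5" or (self.version == "2.4" and not self.ncp_disable)

    def ncp_list(self) -> Tuple[str, ...]:
        # 2.4 and 2.5 also accept an explicit --cipher during negotiation
        extra = (self.cipher,) if self.cipher and self.cipher not in self.ncp_ciphers else ()
        return self.ncp_ciphers + extra

    def legacy_cipher(self) -> Optional[str]:
        # Cipher used, and announced in the OCC string, when this side cannot negotiate
        return (self.fallback or self.cipher) if self.version == "2.5" else (self.cipher or "BF-CBC")

def verdict(cipher: Optional[str]) -> str:
    return "Fail (no shared cipher)" if cipher is None else ("Weak " if cipher in WEAK else "OK. ") + cipher

def negotiate(server: Peer, client: Peer) -> Tuple[str, str]:
    """Return the (NCP, Connection) table columns for one server/client pair."""
    if server.ncp() and client.ncp():       # real NCP: first server cipher the client also lists
        common = [c for c in server.ncp_list() if c in client.ncp_list()]
        return "Yes", verdict(common[0] if common else None)
    if not (server.ncp() or client.ncp()):  # neither negotiates: each side uses its own --cipher
        chosen, other = server.legacy_cipher(), client.legacy_cipher()
    else:
        nego, legacy = (server, client) if server.ncp() else (client, server)
        other = legacy.legacy_cipher()
        if not legacy.small:                # "poor man's NCP": adopt the announced cipher if allowed
            chosen = other if other in nego.ncp_list() or other == nego.legacy_cipher() else None
        elif nego is server and nego.version == "2.5":
            chosen = nego.fallback          # no OCC data: the corner-case tables show a 2.5 server
        else:                               # falling back only to --data-ciphers-fallback, while a
            chosen = nego.legacy_cipher()   # 2.5 client also falls back to --cipher
    ncp = "Denied" if client.ncp() else "No"
    return ncp, verdict(chosen if chosen is not None and chosen == other else None)
```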