wiki:CipherNegotiation

Version 5 (modified by tct, 4 years ago)

--

Cipher Negotiation

Data channel cipher negotiation is complicated. This wiki page defines the expected behaviour between OpenVPN servers and clients, for each combination of server and client version.

OpenVPN Directives:

--data-cipher ALG:ALG
--data-cipher-fallback ALG:ALG
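As an added example (not code from this wiki or from OpenVPN itself), the following is a simplified model of the negotiation these two directives drive, in the shape of the version tables below: each peer is described by its version and its --cipher, --data-cipher and --data-cipher-fallback settings, with "-" meaning "not set" as in the table cells. The selection rule (the server takes the first entry of its own list that the client also offers), the version cut-off for NCP support, the default list assumed for an unset --data-cipher, and the requirement that a legacy client's --cipher equal the server's fallback cipher are all assumptions of the model, as are the sample peers.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_cipher_list(spec: Optional[str]) -> list[str]:
    """Split an ALG:ALG directive value into an ordered preference list.

    '-' or None mirrors the '-' cells of the wiki tables: directive not set.
    Duplicates are dropped while keeping the first occurrence, because the
    position in the list is the preference order.
    """
    if spec is None or spec.strip() == "-":
        return []
    ordered: list[str] = []
    for alg in spec.split(":"):
        alg = alg.strip().upper()
        if alg and alg not in ordered:
            ordered.append(alg)
    return ordered


# Constructed default for a peer that leaves --data-cipher unset; an assumption
# of this model, not a value documented on the wiki page.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"


@dataclass
class Peer:
    version: str                        # e.g. "2.5"
    cipher: Optional[str] = None        # --cipher (legacy fixed cipher)
    data_cipher: Optional[str] = None   # --data-cipher ALG:ALG
    fallback: Optional[str] = None      # --data-cipher-fallback ALG

    def supports_ncp(self) -> bool:
        """Model assumption: 2.4 and newer negotiate, 2.3 and older do not."""
        major, minor = (int(part) for part in self.version.split(".")[:2])
        return (major, minor) >= (2, 4)

    def ncp_list(self) -> list[str]:
        """Ciphers this peer offers for negotiation (assumed default if unset)."""
        return parse_cipher_list(self.data_cipher) or parse_cipher_list(DEFAULT_DATA_CIPHERS)


def negotiate(server: Peer, client: Peer) -> tuple[str, Optional[str]]:
    """Return ("OK", cipher) when a data-channel cipher is agreed, else ("FAIL", None).

    Model: with NCP on both sides the server takes the first entry of its own
    list that the client also offers. A client without NCP only works when the
    server's fallback cipher equals the client's --cipher.
    """
    if server.supports_ncp() and client.supports_ncp():
        offered = set(client.ncp_list())
        for alg in server.ncp_list():
            if alg in offered:
                return "OK", alg
        return "FAIL", None

    fallback = parse_cipher_list(server.fallback)
    legacy = parse_cipher_list(client.cipher)
    if fallback and legacy and fallback[0] == legacy[0]:
        return "OK", fallback[0]
    return "FAIL", None


def table_row(server: Peer, client: Peer) -> str:
    """Render one outcome in the spirit of the wiki tables (constructed helper)."""
    result, alg = negotiate(server, client)
    return f"{client.version} client / {server.version} server -> {result} ({alg or '-'})"


if __name__ == "__main__":
    # Constructed sample peers; the first two match the filled-in 2.5/2.5 rows.
    srv = Peer("2.5", data_cipher="AES-256-GCM:AES-128-GCM", fallback="AES-256-CBC")
    for cli in (
        Peer("2.5"),                       # --cipher, --data-cipher unset
        Peer("2.5", cipher="BF-CBC"),      # legacy --cipher is ignored once NCP agrees
        Peer("2.4"),
        Peer("2.3", cipher="BF-CBC"),      # no NCP, --cipher differs from fallback
        Peer("2.3", cipher="AES-256-CBC"), # no NCP, --cipher equals fallback
    ):
        print(table_row(srv, cli))
```

Running the block prints one line per sample client; the two 2.5 rows agree on AES-256-GCM regardless of the client's legacy --cipher, which is the "OK" the table records, while the 2.3 clients show how the outcome hinges on the fallback cipher alone.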

Expected Behaviour:

Server version 2.5

Client version 2.5

| --cipher Client | --cipher Server | --data-cipher Client | --data-cipher Server | -fallback Client | -fallback Server | NCP | Expected |
| - | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | - | YES | YES | OK |

Even ..

Client version 2.4

| --cipher Client | --cipher Server | --data-cipher Client | --data-cipher Server | -fallback | NCP | Expected |
| - | - | - | AES-256-GCM:AES-128-GCM | | | |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | | | |

Client version 2.3

| --cipher Client | --cipher Server | --data-cipher Client | --data-cipher Server | -fallback | NCP | Expected |
| - | - | - | AES-256-GCM:AES-128-GCM | | | |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | | | |

Client version 2.2

| --cipher Client | --cipher Server | --data-cipher Client | --data-cipher Server | -fallback | NCP | Expected |
| - | - | - | AES-256-GCM:AES-128-GCM | | | |
| BF-CBC | - | - | AES-256-GCM:AES-128-GCM | | | |

Server version 2.5

| Client version | --data-cipher Client | --data-cipher Server | --fallback-data-cipher | Expected | Other.. |
| 2.5 | x | x | x | | |
| 2.4 | x | x | x | | |
| 2.3 | x | x | x | | |
| 2.2 | x | x | x | | |

Server version 2.4

| Client version | --data-cipher Client | --data-cipher Server | --fallback-data-cipher | Expected | Other.. |
| 2.5 | x | x | x | | |
| 2.4 | x | x | x | | |
| 2.3 | x | x | x | | |
| 2.2 | x | x | x | | |