On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
> This will result in the following:
> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
> regardless of whether they have --cipher in their configuration file or not.
> For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
> client configuration needs to deploy --ncp-disable.
> * OpenVPN 2.3 based clients and older (and v2.4 clients using
> --ncp-disable in the client configuration) can connect to the server
> using any of the --ncp-ciphers list; this is what is called "poor
> man's cipher negotiation" by the upstream OpenVPN developers.
> * Any client not providing --cipher defaults to BF-CBC. These clients
> should still be able to connect to the server as the server allows
> BF-CBC through --ncp-ciphers.
Unfortunately it's not working :-(
It took me a long time to debug it on my own server, and there was a long discussion
in this ticket:
https://community.openvpn.net/openvpn/ticket/886
It's not possible to set
cipher AES-256-GCM
since in this case old clients, e.g. the Android client which has not been updated to
2.4.x, are not able to connect.
--
Levente "Si vis pacem para bellum!"
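An added example, not from this thread or from the OpenVPN project: a small Python model of the negotiation rules in the quoted message, used to check which clients a given server config still accepts. The configs and hostname are constructed, and the set of ciphers a 2.4 NCP client accepts is a simplifying assumption.

```python
import shlex

# Constructed, simplified model of the OpenVPN 2.4 negotiation rules in the
# quoted message. Assumptions: a 2.4 NCP client accepts only the two GCM
# ciphers in NCP_DEFAULT, and a legacy client's cipher is read from --cipher.
DEFAULT_CIPHER = "BF-CBC"                          # used when --cipher is absent
NCP_DEFAULT = ["AES-256-GCM", "AES-128-GCM"]       # 2.4 default --ncp-ciphers

def parse_config(text):
    """Parse a minimal OpenVPN config into {option: [args]}; last one wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts[parts[0]] = parts[1:]
    return opts

def ncp_list(opts):
    """Ciphers a side offers via NCP (empty when --ncp-disable is set)."""
    if "ncp-disable" in opts:
        return []
    if "ncp-ciphers" in opts:
        return opts["ncp-ciphers"][0].split(":")
    return list(NCP_DEFAULT)

def negotiate(server_cfg, client_cfg, client_is_24):
    """Data-channel cipher the client ends up with, or None if it cannot
    connect. client_is_24=True models a 2.4 client, False a 2.3 client."""
    server, client = parse_config(server_cfg), parse_config(client_cfg)
    server_ncp = ncp_list(server)
    if client_is_24 and "ncp-disable" not in client:
        # Full NCP: upgrade to the first server-offered cipher the client
        # supports, regardless of --cipher on either side.
        for c in server_ncp:
            if c in NCP_DEFAULT:
                return c
    # Poor man's negotiation: the server keeps its own --cipher, or switches
    # to the client's cipher if that one is in the server's --ncp-ciphers.
    server_cipher = server.get("cipher", [DEFAULT_CIPHER])[0]
    client_cipher = client.get("cipher", [DEFAULT_CIPHER])[0]
    if client_cipher == server_cipher or client_cipher in server_ncp:
        return client_cipher
    return None

# Constructed configs: the failing setup from the reply, and the fix the quoted message describes.
SERVER_GCM_ONLY = "cipher AES-256-GCM\n"
SERVER_COMPAT = "cipher AES-256-GCM\nncp-ciphers AES-256-GCM:AES-128-GCM:BF-CBC\n"
LEGACY_CLIENT = "remote vpn.example.invalid 1194\n"   # 2.3 client, no --cipher
```

With SERVER_GCM_ONLY the legacy client gets no cipher at all (the failure in the reply), while SERVER_COMPAT gives it BF-CBC and still upgrades a 2.4 client to AES-256-GCM.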