On 07/18/2017 10:03 PM, David Sommerseth wrote:
On 18/07/17 17:50, Farkas Levente wrote:
> On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
>> This will result in the following:
>> * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
>> regardless if they have --cipher in their configuration file or not.
>> For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
>> client configuration needs to deploy --ncp-disable.
>> * OpenVPN 2.3 based clients and older (and v2.4 clients using
>> --ncp-disable in the client configuration) can connect to the server
>> using any of the --ncp-ciphers list; this is what is called "poor
>> man's cipher negotiation" by the upstream OpenVPN developers.
>> * Any client not providing --cipher defaults to BF-CBC. These clients
>> should still be able to connect to the server as the server allows
>> BF-CBC through --ncp-ciphers.
>
> Unfortunately it's not working :-(
> It took me a long time to debug it on my own server, and there is a long
> discussion in this ticket:
>
> https://community.openvpn.net/openvpn/ticket/886
>
> It's not possible to set
> cipher AES-256-GCM
> since in this case old clients, e.g. the Android client, which are not
> updated to 2.4.x, are not able to connect.
The issue I believe you refer to ("unreliable NCP") should be fixed in
OpenVPN v2.4.3.
<https://community.openvpn.net/openvpn/ticket/887#comment:13>
This means only a few weeks ago...
IMHO OpenVPN is _very_ widely used, and if it breaks anything, it breaks
a lot of things...
I'd rather postpone it to F28, when it's fully tested and stabilized.
--
Levente "Si vis pacem para bellum!"
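The three rules quoted at the top of this message (2.4 clients upgrade via --ncp-ciphers, 2.3 clients and 2.4 clients with --ncp-disable may use any cipher in the server's --ncp-ciphers list, and a client without --cipher means BF-CBC) can be turned into a small checker that predicts which data-channel cipher a given client/server config pair ends up with, or whether the client is refused. This is an added example written for this page, not OpenVPN's own negotiation code and not anything from the thread; the defaults it assumes (ncp-ciphers AES-256-GCM:AES-128-GCM, cipher BF-CBC) are the OpenVPN 2.4 defaults, and the rule that a client whose --cipher matches the server's --cipher is always accepted is the pre-NCP behaviour, assumed here. The sample configs are constructed to mirror the two server setups discussed above (a bare `cipher AES-256-GCM` versus keeping BF-CBC reachable through --ncp-ciphers). The model describes the intended behaviour; it does not reproduce the "unreliable NCP" bug the thread refers to.

```python
"""Model of OpenVPN 2.4 cipher selection, as described in the Fedora thread.

Added example, not OpenVPN code.  Encodes the three rules from the thread:
  1. a 2.4 client without --ncp-disable is upgraded to the first cipher in
     the server's --ncp-ciphers that the client also supports;
  2. a 2.3 client, or a 2.4 client with --ncp-disable, may connect with any
     cipher in the server's --ncp-ciphers ("poor man's cipher negotiation");
  3. a client without --cipher uses BF-CBC.
Assumed: OpenVPN 2.4 defaults (ncp-ciphers AES-256-GCM:AES-128-GCM, cipher
BF-CBC) and that a client whose --cipher equals the server's --cipher is
always accepted (pre-NCP behaviour).
"""

DEFAULT_NCP = "AES-256-GCM:AES-128-GCM"
DEFAULT_CIPHER = "BF-CBC"


def parse_conf(text):
    """Minimal OpenVPN config parser: option -> value (True for bare flags)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lstrip("-")] = parts[1].strip() if len(parts) > 1 else True
    return opts


def ncp_list(opts):
    """Colon-separated --ncp-ciphers list, upper-cased, with the 2.4 default."""
    return [c.upper() for c in opts.get("ncp-ciphers", DEFAULT_NCP).split(":")]


def negotiated_cipher(server_conf, client_conf, client_version="2.4"):
    """Return the data-channel cipher the pair would use, or None if the
    client cannot connect.  client_version is OpenVPN's major.minor[.patch]."""
    srv = parse_conf(server_conf)
    cli = parse_conf(client_conf)
    srv_cipher = srv.get("cipher", DEFAULT_CIPHER).upper()
    cli_cipher = cli.get("cipher", DEFAULT_CIPHER).upper()   # rule 3
    srv_ncp = ncp_list(srv)
    major, minor = (int(x) for x in client_version.split(".")[:2])
    client_does_ncp = (major, minor) >= (2, 4) and "ncp-disable" not in cli
    if client_does_ncp:                                      # rule 1
        cli_ncp = ncp_list(cli)
        for c in srv_ncp:
            if c in cli_ncp:
                return c
    # rule 2, plus the legacy case of an identical static --cipher on both ends
    if cli_cipher == srv_cipher or cli_cipher in srv_ncp:
        return cli_cipher
    return None


# Constructed sample configs (not from the thread's real servers).
SERVER_GCM_ONLY = "cipher AES-256-GCM\n"          # the setup Levente reports as breaking old clients
SERVER_COMPAT = (
    "cipher BF-CBC\n"
    "ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC\n"
)
CLIENT_ANDROID_23 = "# no --cipher at all\n"      # 2.3-era client, defaults to BF-CBC
CLIENT_24 = "cipher AES-256-CBC\n"                # 2.4 client, will be upgraded
CLIENT_24_OPTOUT = "ncp-disable\ncipher AES-256-CBC\n"


def thread_scenarios():
    """Outcome of each client against each server setup, keyed by scenario name."""
    return {
        "gcm-only server, 2.3 Android client": negotiated_cipher(SERVER_GCM_ONLY, CLIENT_ANDROID_23, "2.3"),
        "gcm-only server, 2.4 client":         negotiated_cipher(SERVER_GCM_ONLY, CLIENT_24, "2.4.3"),
        "gcm-only server, 2.4 ncp-disable":    negotiated_cipher(SERVER_GCM_ONLY, CLIENT_24_OPTOUT, "2.4"),
        "compat server, 2.3 Android client":   negotiated_cipher(SERVER_COMPAT, CLIENT_ANDROID_23, "2.3"),
        "compat server, 2.4 client":           negotiated_cipher(SERVER_COMPAT, CLIENT_24, "2.4"),
        "compat server, 2.4 ncp-disable":      negotiated_cipher(SERVER_COMPAT, CLIENT_24_OPTOUT, "2.4"),
    }


if __name__ == "__main__":
    for name, cipher in thread_scenarios().items():
        print(f"{name:40s} -> {cipher or 'REFUSED (cipher mismatch)'}")
```

Run it and the gcm-only server refuses both the old Android client (stuck on BF-CBC) and the 2.4 client that opted out with --ncp-disable, while the compat server keeps both connecting and still upgrades an unmodified 2.4 client to AES-256-GCM. The practical check for a server operator is therefore whether every cipher a non-NCP client can present appears in --ncp-ciphers (or equals --cipher), not whether --cipher itself is strong.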