On 30.08.16 at 09:42, Steffan Karger wrote:
> Hi,
>
> On 30 August 2016 at 09:01, Jens Neuhalfen <openvpn-de...@neuhalfen.name> 
> wrote:
>>> OTOH, what we could do is: indeed *change* the default, and add a big fat
>>> warning ("you have not specified a --cipher directive.  The default has
>>> been changed from 2.3 to 2.4, so please ensure your config matches the
>>> other end" or something like that)
>> This seems like a good idea, maybe like so?
>>
>> - A “default will change” warning on “2.3” when no cipher is selected
>> - AES-256-GCM as new default for 2.4
> Even though I'm in favour of changing the default cipher, I'm afraid
> this will break too many setups, causing users to give up on OpenVPN.
> Cipher negotiation basically updates the default to AES-256-GCM, but
> will not break connections with older clients.  Whether we should also
> change the default cipher is something I'll let the OpenVPN 'veterans'
> decide.
>
Especially a silent (only logging) change will break a lot of setups.
Someone updating their OS and suddenly OpenVPN stops working. That will
be a support nightmare.

It might be better to implement a server side/client mechanism later
that refuses clients/servers that do not renegotiate to a strong cipher.

Arne
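As an added illustration of the "no --cipher directive" warning proposed in the thread (this is example code written for this page, not OpenVPN's own implementation), the following small audit script scans an OpenVPN config and reports whether the cipher is left implicit, explicitly set to a legacy non-AEAD cipher, or explicitly strong. The assumptions are labelled in the code: BF-CBC as the historical implicit default, the GCM suites as the "strong" set, and `ncp-ciphers` (the 2.4 negotiation list) treated as an upgrade path when it contains only strong suites. The sample configs in the test are constructed.

```python
# Audit an OpenVPN config for the cipher situation discussed in the thread:
# no --cipher directive (relies on the implicit default), an explicit legacy
# cipher, or an explicit strong cipher. Example code, not OpenVPN's own.

# Assumption: OpenVPN 2.3 and earlier used BF-CBC when --cipher was absent.
LEGACY_DEFAULT_CIPHER = "BF-CBC"
# Default proposed in the thread for 2.4.
PROPOSED_DEFAULT_CIPHER = "AES-256-GCM"
# Assumption for this check: the AEAD GCM suites count as "strong".
STRONG_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}


def parse_directives(config_text):
    """Return {directive: [args, ...]} for each non-comment line.

    Lines starting with '#' or ';' are comments. A leading '--' is accepted so
    command-line style directives parse the same way. If a directive repeats,
    the last occurrence wins (sufficient for --cipher).
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        parts = line.split()
        name = parts[0].lstrip("-")
        directives[name] = parts[1:]
    return directives


def check_cipher(config_text):
    """Classify the config's cipher setting.

    Returns (status, message) where status is one of:
      'unset'      - no --cipher directive; the implicit default applies
      'weak'       - explicit cipher outside STRONG_CIPHERS, no upgrade path
      'negotiated' - explicit legacy cipher but ncp-ciphers lists only strong suites
      'strong'     - explicit cipher from STRONG_CIPHERS
    """
    d = parse_directives(config_text)
    cipher = d.get("cipher")
    if not cipher:
        # This is the "big fat warning" the thread proposes for configs
        # that rely on the implicit default.
        msg = ("WARNING: you have not specified a --cipher directive. The default "
               "changed from {} (2.3) to {} (2.4); ensure your config matches the "
               "other end.".format(LEGACY_DEFAULT_CIPHER, PROPOSED_DEFAULT_CIPHER))
        return "unset", msg

    name = cipher[0].upper()
    if name in STRONG_CIPHERS:
        return "strong", "cipher {} is explicitly set".format(name)

    # Assumption: an explicit ncp-ciphers list (2.4 negotiation) made up only
    # of strong suites lets a capable peer upgrade away from the legacy cipher.
    ncp = d.get("ncp-ciphers")
    if ncp:
        offered = [c.upper() for c in ncp[0].split(":")]
        if offered and all(c in STRONG_CIPHERS for c in offered):
            return "negotiated", ("cipher {} is set, but ncp-ciphers offers {}"
                                  .format(name, ":".join(offered)))

    return "weak", ("cipher {} is explicitly set and no strong negotiation list "
                    "is configured".format(name))


if __name__ == "__main__":
    # Constructed sample configs, one per status.
    samples = {
        "implicit": "dev tun\nproto udp\nremote vpn.example.invalid 1194\n",
        "legacy": "# legacy setup\ncipher BF-CBC\n",
        "upgrade": "cipher BF-CBC\nncp-ciphers AES-256-GCM:AES-128-GCM\n",
        "explicit": ";explicitly pinned\ncipher AES-256-GCM\n",
    }
    for label, text in samples.items():
        status, message = check_cipher(text)
        print("{:9s} {:11s} {}".format(label, status, message))
```

Run it against a real config with `python audit.py < server.conf` adapted to read stdin, or import `check_cipher` from an upgrade pre-flight script; the point is that the "unset" case is flagged before the upgrade rather than discovered as a silent connection failure afterwards.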

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel