On 30.08.16 at 09:42, Steffan Karger wrote:
> Hi,
>
> On 30 August 2016 at 09:01, Jens Neuhalfen <openvpn-de...@neuhalfen.name>
> wrote:
>>> OTOH, what we could do is: indeed *change* the default, and add a big fat
>>> warning ("you have not specified a --cipher directive. The default has
>>> been changed from 2.3 to 2.4, so please ensure your config matches the
>>> other end" or something like that)
>> This seems like a good idea, maybe like so?
>>
>> - A “default will change” warning on “2.3” when no cipher is selected
>> - AES-256-GCM as new default for 2.4
> Even though I'm in favour of changing the default cipher, I'm afraid
> this will break too many setups, causing users to give up on OpenVPN.
> Cipher negotiation basically updates the default to AES-256-GCM, but
> will not break connections with older clients. Whether we should also
> change the default cipher is something I'll let the OpenVPN 'veterans'
> decide.
>

Especially a silent (only logging) change will break a lot of setups. Someone updating their OS and suddenly OpenVPN stops working. That will be a support nightmare.
It might be better to implement a server side/client mechanism later that refuses clients/servers that do not renegotiate to a strong cipher.

Arne