Adriaan de Jong wrote:
> Unfortunately BF isn't supported in PolarSSL though.
>
> Do you have any other suggestions? I'm open to most ideas other than
> "implement blowfish" :)
>
hmmm then perhaps the default should be changed to AES-128 ?

I foresee a lot of openvpn-users mails and forum hits from people saying stuff like 'I am running openvpn 2.1 on the server using default settings and am connecting using openvpn 2.3/polarssl and bla bla' : we need to think about how we want to tackle issues like that (is there a way to determine at runtime which version of which SSL implementation is used? OpenSSL has such a (runtime!) call). The ideal solution would be to set a 'crypto negotiation phase' during which the client and server negotiate about the available crypto routines, pretty much like the "standard" TLS/SSL protocol does (and which is done on the OpenVPN control channel, but not on the data channel).

JJK

>> -----Original Message-----
>> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
>> Sent: Monday 24 October 2011 10:55
>> To: Adriaan de Jong
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] [PATCH 3/3] Changed default algorithm for
>> PolarSSL to AES-128, as BF is not supported
>>
>> I'd NACK this patch : the default behaviour of OpenVPN should be
>> independent of the SSL implementation.
>>
>> JJK
>>
>> Adriaan de Jong wrote:
>>
>>> Signed-off-by: Adriaan de Jong <dej...@fox-it.com>
>>> ---
>>> options.c | 5 +++++
>>> 1 files changed, 5 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/options.c b/options.c
>>> index 39e7a57..d917072 100644
>>> --- a/options.c
>>> +++ b/options.c
>>> @@ -810,7 +810,12 @@ init_options (struct options *o, const bool
>>>
>> init_gc)
>>
>>> o->server_poll_timeout = 0;
>>> #endif
>>> #ifdef USE_CRYPTO
>>> +#ifdef USE_OPENSSL
>>> o->ciphername = "BF-CBC";
>>> +#endif
>>> +#ifdef USE_POLARSSL
>>> + o->ciphername = "AES-128-CBC";
>>> +#endif
>>> o->ciphername_defined = true;
>>> o->authname = "SHA1";
>>> o->authname_defined = true;
>>>
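Review bot: the `#ifdef USE_OPENSSL` / `#ifdef USE_POLARSSL` split in the options.c hunk makes the data-channel default depend on the build, yet `o->ciphername_defined = true;` is set unconditionally right below it: a build with `USE_CRYPTO` but neither backend macro defined leaves `o->ciphername` unset while the options code believes a cipher was chosen. More importantly for interoperability, the data-channel cipher is not negotiated, so a PolarSSL build using defaults (AES-128-CBC) will silently fail to exchange traffic with an OpenSSL peer using defaults (BF-CBC); please either keep one default for every backend and fail at startup with a clear message when that cipher is unavailable, or add an `#else` / `#error` branch and document the divergence in the man page and changelog so operators can diagnose the mismatch.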