> PrivateTmp=true > WorkingDirectory=/etc/openvpn/server > -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > --status-version 2 --suppress-timestamps --config %i.conf > +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers > AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE > CAP_AUDIT_WRITE > LimitNPROC=10 > DeviceAllow=/dev/null rw >
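Review bot: the new ExecStart line hardcodes --ncp-ciphers with BF-CBC at the end of the negotiation list for every instance started from this template, so any server whose %i.conf never mentioned BF-CBC will now accept it from clients that negotiate it; drop BF-CBC (and preferably the CBC entries) from the unit-level list, or leave --ncp-ciphers out of the unit entirely and let each %i.conf set it. The hardcoded --cipher AES-256-GCM placed ahead of --config %i.conf should also be documented in the commit message, stating whether a cipher directive in the config file is expected to override it.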
NACK. Setting ncp-cipher to include BF-CBC by default allows BF-CBC in configs that did not allow it before. Basically any config that had something other than cipher BF-CBC and no ncp-ciphers in it will now allow clients with BF-CBC to connect. I don't want to force users to set ncp-cipher to a sane value since the systemd unit file doesn't.

Arne