On 22/06/2020 14:21, Arne Schwabe wrote:
>
>> PrivateTmp=true
>> WorkingDirectory=/etc/openvpn/server
>> -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --config %i.conf
>> +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
>> --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers
>> AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
>> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
>> CAP_AUDIT_WRITE
>> LimitNPROC=10
>> DeviceAllow=/dev/null rw
>>
>
> NACK.
>
> Setting ncp-cipher to include BF-CBC by default allows BF-CBC in configs
> that did not allow it before. Basically any config that had something
> other than cipher BF-CBC and no ncp-ciphers in it will now allow clients
> with BF-CBC to connect. I don't want to force users to set ncp-cipher to a
> sane value since the systemd unit file doesn't.
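Review bot: the `+ExecStart=` line's `--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC` puts BF-CBC, a cipher with a block size below 128 bits that the DeprecatedOptions policy linked in this thread schedules for removal, into the negotiable set of every instance whose %i.conf sets `cipher` but no `ncp-ciphers`, which is exactly the widening the NACK above describes. Since `--config %i.conf` is the last argument, a config that carries its own `ncp-ciphers` line still overrides the unit's list; the configs that get hurt are the ones that never set one, and for those the unit file silently re-enables a cipher the config never allowed. Either drop BF-CBC from the unit's list, i.e. `--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC`, so that the injected default can only narrow what a config allows, or keep cipher policy out of ExecStart altogether and let deployments that still need BF-CBC opt in via `ncp-ciphers` in their own config. Whichever is chosen, a comment above ExecStart saying that a cipher list is injected ahead of the config and that the config overrides it would save unit-file consumers from discovering this by accident.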
That will break existing configs on the next upgrade. Do we want to do that?

I'm fine with removing BF-CBC, but it is scheduled for removal in OpenVPN 2.6.
<https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Policy:Removalofinsecureciphers:Cipherswithcipherblock-sizelessthan128bitsmostcommonlyBFDESCAST5IDEAandRC2>

-- 
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
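Arne's objection above (a unit-file default that lists BF-CBC lets clients negotiate it against any instance whose config sets `cipher` but never `ncp-ciphers`) worked through as an added example; this is not code from the thread or from OpenVPN. It models OpenVPN's option precedence (left to right, with `--config` spliced in where it appears and the later occurrence of a single-valued option winning), the 2.4 default `ncp-ciphers` list, the historic `--cipher` default and the negotiable set as "ncp list plus --cipher"; all of these are assumptions stated in the code, as are the `/usr/sbin/openvpn` path and the two constructed instance configs. The hardened variant simply drops BF-CBC from the unit's list.

```python
"""Model of the data-channel cipher set an OpenVPN server instance accepts,
used to show how a cipher list baked into a systemd unit's ExecStart widens
configs that never set ncp-ciphers. Added example, not OpenVPN code.
Assumptions are marked where they are used."""
import shlex

# Assumption: OpenVPN 2.4 default negotiation list when no ncp-ciphers is set.
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
# Assumption: historic default for --cipher when the config sets none.
DEFAULT_LEGACY_CIPHER = "BF-CBC"
# Cipher families the linked DeprecatedOptions page groups as having a
# block size below 128 bits (BF, DES, CAST5, IDEA, RC2).
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-", "IDEA-", "RC2-")


def is_small_block(cipher):
    return cipher.upper().startswith(SMALL_BLOCK_PREFIXES)


def _config_tokens(text):
    """Convert config-file lines into the --option token stream the CLI uses.
    Comments (# or ;) are stripped; inline <ca>...</ca> blocks are not handled,
    which is fine for the cipher options this model cares about."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)
        tokens.append("--" + name)
        tokens.extend(args)
    return tokens


def resolve_options(argv, config_files):
    """Walk options left to right. --config splices the named file's options in
    at that position (assumption: mirrors OpenVPN's sequential parsing), so the
    last occurrence of a single-valued option wins."""
    tokens = list(argv)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected bare argument {tok!r}")
        name = tok[2:]
        i += 1
        args = []
        while i < len(tokens) and not tokens[i].startswith("--"):
            args.append(tokens[i])
            i += 1
        if name == "config":
            tokens[i:i] = _config_tokens(config_files[args[0]])
            continue
        opts[name] = args
    return opts


def accepted_ciphers(execstart, config_files, instance):
    """Ciphers the instance will negotiate: the effective ncp-ciphers list plus
    the effective --cipher (model assumption)."""
    argv = shlex.split(execstart)[1:]  # drop the binary path
    argv = [a.replace("%i", instance).replace("%t", "/run") for a in argv]
    opts = resolve_options(argv, config_files)
    ncp = opts["ncp-ciphers"][0].split(":") if "ncp-ciphers" in opts else DEFAULT_NCP_CIPHERS
    legacy = opts.get("cipher", [DEFAULT_LEGACY_CIPHER])[0]
    return {c.upper() for c in ncp} | {legacy.upper()}


def newly_allowed(old_execstart, new_execstart, config_files, instance):
    """Ciphers the new ExecStart lets clients negotiate that the old one did not."""
    return (accepted_ciphers(new_execstart, config_files, instance)
            - accepted_ciphers(old_execstart, config_files, instance))


# ExecStart lines as in the quoted hunk; the binary path is assumed.
OLD_EXEC = ("/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log "
            "--status-version 2 --suppress-timestamps --config %i.conf")
NEW_EXEC = ("/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log "
            "--status-version 2 --suppress-timestamps --cipher AES-256-GCM "
            "--ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC "
            "--config %i.conf")
SAFE_EXEC = NEW_EXEC.replace(":BF-CBC", "")  # same default, BF-CBC dropped

# Constructed sample instance configs (not from the thread).
CONFIGS = {
    "legacy.conf": "port 1194\nproto udp\ncipher AES-256-CBC  # no ncp-ciphers line\n",
    "pinned.conf": "port 1194\ncipher AES-256-GCM\nncp-ciphers AES-256-GCM:AES-128-GCM\n",
}


def widening_report(execstart, conf_name):
    """(ciphers newly negotiable, those among them with a <128-bit block)
    for one instance when the unit moves from OLD_EXEC to `execstart`."""
    instance = conf_name.rsplit(".", 1)[0]
    gained = newly_allowed(OLD_EXEC, execstart, CONFIGS, instance)
    return gained, {c for c in gained if is_small_block(c)}


if __name__ == "__main__":
    for exec_line, label in ((NEW_EXEC, "patched unit"), (SAFE_EXEC, "without BF-CBC")):
        for conf in CONFIGS:
            gained, weak = widening_report(exec_line, conf)
            print(f"{label:15} {conf:12} newly negotiable={sorted(gained)} "
                  f"small-block={sorted(weak)}")
```

Running it, the `legacy.conf` instance gains BF-CBC under the patched unit and does not under the BF-CBC-free one, while `pinned.conf` is unaffected either way because its own `ncp-ciphers` line is spliced in after the unit's and wins; that is the difference between a default that only narrows and one that widens.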