Hello!

Unfortunately, some of our points still use Blowfish, but we can't change the cipher on all of them at once,

so we decided to upgrade the servers to 2.4.0 and then, one by one, change the clients' ciphers.

I don't know why, but I decided to set the default cipher on the server to AES-256-CBC,

and

ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC


so Blowfish is in the list.


and found that the servers successfully use Blowfish for some old clients, but not for others:


The client config has no cipher line, i.e. it is the default:

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x


But during the connection the server tries to use AES-256 (I removed the client IP).

Jan 24 13:00:21 inetgw2 openvpn[11265]: :16900 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 24 13:00:21 inetgw2 openvpn[11265]: :16900 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 24 13:00:21 inetgw2 openvpn[11265]: :16900 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 24 13:00:21 inetgw2 openvpn[11265]: :16900 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 24 13:00:21 inetgw2 openvpn[11265]: :16900 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 1024 bit RSA

This results in a failure:

Jan 24 13:00:34 inetgw2 openvpn[11265]: turetskoye:16900 Authenticate/Decrypt packet error: cipher final failed


This is

OpenVPN 2.3.2 i486-unknown-linux-uclibc [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov  6 2014


The same problem occurs with

OpenVPN 2.3.0 arm-buildroot-linux-uclibcgnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 28 2014


So, for now, I left the default cipher on the server.


But, according to the man page, the server has to choose Blowfish:


"to allow for more smooth transition, if NCP is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local --cipher setting, but the peer cipher is one of the ciphers specified in --ncp-ciphers. E.g. a non-NCP client (<=2.3, or with --ncp-disabled set) connecting to a NCP server (2.4+) with "--cipher BF-CBC" and "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can either specify "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work."


Right?


Or what am I doing wrong?


Thank you!

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
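As an added example, not part of the original post and not OpenVPN project code, the script below does two things a practitioner debugging this would want: it models the man-page rule quoted in the post (server inherits the peer's cipher when it differs from the local --cipher but is listed in --ncp-ciphers) for a non-NCP peer, and it scans server log lines of the kind posted to report connections whose negotiated data-channel cipher differs from what that rule predicts, or that hit "cipher final failed". The sample log lines, the addresses 192.0.2.x and the client name oldclient1 are constructed; the assumed peer cipher BF-CBC is OpenVPN 2.3's default when no cipher line is set; keying connections by source port is a simplification that lets the pre-auth ":port" and post-auth "cn/ip:port" prefixes of one session line up. The rule function covers only the non-NCP-peer case the man page excerpt describes, not the negotiation between two NCP-capable 2.4 peers.

```python
import re
from collections import defaultdict

# Server configuration from the post.
SERVER_CIPHER = "AES-256-CBC"
NCP_CIPHERS = "AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC".split(":")

# Constructed sample server log, modelled on the format of the lines in the
# post. The addresses, the port 24000 and the client name "oldclient1" are
# invented for this example. The first connection negotiates AES-256-CBC and
# then hits "cipher final failed"; the second gets BF-CBC and works.
SAMPLE_LOG = """\
Jan 24 12:59:00 inetgw2 openvpn[11265]: Initialization Sequence Completed
Jan 24 13:00:21 inetgw2 openvpn[11265]: 192.0.2.10:16900 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 24 13:00:21 inetgw2 openvpn[11265]: 192.0.2.10:16900 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 24 13:00:21 inetgw2 openvpn[11265]: 192.0.2.10:16900 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 24 13:00:34 inetgw2 openvpn[11265]: oldclient1/192.0.2.10:16900 Authenticate/Decrypt packet error: cipher final failed
Jan 24 13:02:05 inetgw2 openvpn[11265]: 192.0.2.20:24000 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 24 13:02:05 inetgw2 openvpn[11265]: 192.0.2.20:24000 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
"""

# Per-connection lines carry a peer prefix ("ip:port", "cn/ip:port" or, with
# the IP stripped as in the post, ":port"); server-wide lines have none and
# are skipped because the prefix must end in ":<port>".
PEER_RE = re.compile(r"openvpn\[\d+\]: (?P<peer>\S*:\d+) (?P<msg>.*)$")
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<cipher>[^']+)'")
FAIL_MARK = "Authenticate/Decrypt packet error: cipher final failed"


def negotiated_cipher(server_cipher, ncp_ciphers, peer_cipher):
    """Model of the man-page rule for a non-NCP peer (<=2.3 or --ncp-disabled):
    the server inherits the peer's cipher if it differs from the local --cipher
    and is one of --ncp-ciphers; otherwise the local --cipher is used."""
    if peer_cipher != server_cipher and peer_cipher in ncp_ciphers:
        return peer_cipher
    return server_cipher


def connection_key(peer):
    """Reduce "cn/ip:port", "ip:port" or ":port" to the port (simplification)."""
    return peer.rsplit(":", 1)[-1]


def parse_log(text):
    """Return {port: {"cipher": <last data-channel cipher>, "failed": bool}}."""
    sessions = defaultdict(lambda: {"cipher": None, "failed": False})
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue  # no peer prefix: server-wide message
        key = connection_key(m["peer"])
        c = CIPHER_RE.search(m["msg"])
        if c:
            sessions[key]["cipher"] = c["cipher"]
        elif FAIL_MARK in m["msg"]:
            sessions[key]["failed"] = True
    return dict(sessions)


def find_mismatches(text, server_cipher, ncp_ciphers, peer_cipher="BF-CBC"):
    """List (port, actual_cipher, expected_cipher, decrypt_failed) for every
    connection that either failed or negotiated something other than what
    the rule predicts. peer_cipher defaults to BF-CBC, the 2.3 default when
    the client config has no cipher line."""
    expected = negotiated_cipher(server_cipher, ncp_ciphers, peer_cipher)
    out = []
    for key, s in parse_log(text).items():
        if s["failed"] or (s["cipher"] is not None and s["cipher"] != expected):
            out.append((key, s["cipher"], expected, s["failed"]))
    return sorted(out)


if __name__ == "__main__":
    for key, actual, expected, failed in find_mismatches(SAMPLE_LOG, SERVER_CIPHER, NCP_CIPHERS):
        print(f"port {key}: negotiated {actual}, rule predicts {expected}, decrypt failed={failed}")
```

Run against a real server log, the report isolates exactly the sessions the post describes: the rule says a 2.3 client with no cipher line should end up on BF-CBC, so any session that shows an AES-256-CBC data channel followed by "cipher final failed" is a client whose cipher was not inherited, and can be upgraded or given an explicit cipher line first.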
