Hi,

On Tue, Jan 24, 2017 at 02:51:48PM +0400, Dmitry Melekhov wrote:
> Unfortunately, some of our points still use blowfish, but we can't 
> change cipher on all of them at once,
> 
> so we decided to upgrade servers to 2.4.0 and then, one by one, change 
> clients' ciphers.
> 
> Don't know why, but I decided to set default cipher on server to 
> AES-256-CBC,
> 
> and
> 
> ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
> 
> 
> so blowfish is in list.

ncp-ciphers is good, but "cipher" should be set to "what the old clients
use".

> and found that servers successfully use blowfish for some old clients, 
> but for others not:

It depends on whether the client sends OCC info about its config - if it
doesn't send that (like "because it was compiled with --disable-occ")
the server will have to use what is configured.

[..]
> OpenVPN 2.3.2 i486-unknown-linux-uclibc [SSL (OpenSSL)] [LZO] [EPOLL] 
> [eurephia] [MH] [IPv6] built on Nov  6 2014

Scary old :-) - and "uclibc" sounds like "--enable-small", which is also
turning off OCC.

> the same problem is for
> 
> OpenVPN 2.3.0 arm-buildroot-linux-uclibcgnueabi [SSL (OpenSSL)] [LZO] 
> [EPOLL] [MH] [IPv6] built on Oct 28 2014

Ditto.

> So, for now, I left default cipher on server.
> 
> 
> But, according to man, servers have to choose blowfish:

Default is blowfish, so that's OK.  Just do configure the same "cipher"
on both old-clients-without-OCC and new-server.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
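
The cipher choice discussed in this message, as an added example that is not part of the original e-mail and not OpenVPN code: a small Python model that reads a server config and lists the clients that would end up with a cipher mismatch. The function names, client names and client list are constructed for illustration, and the rule for NCP-capable peers (first `ncp-ciphers` entry is used) is an assumption the thread does not state.

```python
# Simplified model of the server-side cipher choice described in the thread.
# Not OpenVPN source code; all function names are hypothetical.
DEFAULT_CIPHER = "BF-CBC"  # thread: "Default is blowfish"

def parse_server_config(text):
    """Extract 'cipher' and 'ncp-ciphers' from OpenVPN config text."""
    cfg = {"cipher": DEFAULT_CIPHER, "ncp": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "cipher":
            cfg["cipher"] = parts[1].upper()
        elif len(parts) >= 2 and parts[0] == "ncp-ciphers":
            cfg["ncp"] = [c.upper() for c in parts[1].split(":")]
    return cfg

def server_cipher(cfg, client_cipher, sends_occ, ncp_capable=False):
    """Cipher the server ends up using for one client."""
    if ncp_capable and cfg["ncp"]:
        return cfg["ncp"][0]      # assumption: first list entry goes to NCP peers
    if sends_occ and client_cipher in cfg["ncp"]:
        return client_cipher      # server learns the client's cipher from OCC info
    return cfg["cipher"]          # no OCC info: server uses what is configured

def audit(cfg, clients):
    """Names of clients whose own cipher will not match the server's choice."""
    bad = []
    for name, c in clients.items():
        chosen = server_cipher(cfg, c["cipher"], c["occ"], c.get("ncp", False))
        # NCP peers adopt the negotiated cipher; old clients keep their own setting
        client_side = chosen if c.get("ncp") else c["cipher"]
        if chosen != client_side:
            bad.append(name)
    return sorted(bad)

NCP_LINE = "ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC\n"
ORIGINAL = "cipher AES-256-CBC\n" + NCP_LINE   # server config from the question
FIXED = "cipher BF-CBC\n" + NCP_LINE           # "cipher" set to what old clients use

# Constructed client inventory (not taken from the thread's logs).
CLIENTS = {
    "old-2.3-with-occ":    {"cipher": "BF-CBC", "occ": True},
    "uclibc-2.3.2-no-occ": {"cipher": "BF-CBC", "occ": False},
    "new-2.4":             {"cipher": "AES-256-CBC", "occ": True, "ncp": True},
}

if __name__ == "__main__":
    print("original:", audit(parse_server_config(ORIGINAL), CLIENTS))
    print("fixed:   ", audit(parse_server_config(FIXED), CLIENTS))
```
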

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users