Hi,

On Tue, Jan 24, 2017 at 02:51:48PM +0400, Dmitry Melekhov wrote:
> Unfortunately, some of our points still use blowfish, but we can't
> change the cipher on all of them at once,
>
> so we decided to upgrade servers to 2.4.0 and then, one by one, change
> clients' ciphers.
>
> Don't know why, but I decided to set the default cipher on the server to
> AES-256-CBC,
>
> and
>
> ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
>
> so blowfish is in the list.

ncp-ciphers is good, but "cipher" should be set to "what the old clients
use".

> and found that servers successfully use blowfish for some old clients,
> but for others not:

It depends on whether the client sends OCC info about its config - if it
doesn't send that (like "because it was compiled with --disable-occ") the
server will have to use what is configured.

[..]

> OpenVPN 2.3.2 i486-unknown-linux-uclibc [SSL (OpenSSL)] [LZO] [EPOLL]
> [eurephia] [MH] [IPv6] built on Nov 6 2014

Scary old :-) - and "uclibc" sounds like "--enable-small", which is also
turning off OCC.

> the same problem is for
>
> OpenVPN 2.3.0 arm-buildroot-linux-uclibcgnueabi [SSL (OpenSSL)] [LZO]
> [EPOLL] [MH] [IPv6] built on Oct 28 2014

Ditto.

> So, for now, I left the default cipher on the server.
>
> But, according to man, the server has to choose blowfish:

Default is blowfish, so that's OK. Just do configure the same "cipher" on
both old-clients-without-OCC and new-server.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
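As an added illustration (not OpenVPN code and not from the thread), a small model of the selection logic Gert describes: a client built without OCC leaves the server no choice but its own "cipher" directive, so the check below flags such clients whenever that directive differs from theirs. The NCP-capable branch (the server pushing the first ncp-ciphers entry) is an assumption about 2.4 behaviour, and the client records are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Client:
    name: str
    cipher: str                 # cipher the client is really configured with
    sends_occ: bool             # False for --disable-occ / --enable-small builds
    supports_ncp: bool = False  # 2.4+ clients that advertise NCP support

def parse_server_config(text: str) -> Tuple[str, List[str]]:
    """Return (cipher, ncp_ciphers) from server config lines; BF-CBC is the default."""
    cipher, ncp = "BF-CBC", []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "cipher":
            cipher = parts[1]
        elif parts[0] == "ncp-ciphers":
            ncp = parts[1].split(":")
    return cipher, ncp

def server_cipher_for(cipher: str, ncp: List[str], client: Client) -> str:
    """Cipher the server ends up using on the data channel with this client."""
    if client.supports_ncp and ncp:
        return ncp[0]  # assumption: an NCP client is pushed the first list entry
    if client.sends_occ and client.cipher in ncp:
        return client.cipher  # server learns the client's cipher via OCC and adopts it
    return cipher  # no OCC: the server can only use its own "cipher" directive

def mismatched_clients(config_text: str, clients: List[Client]) -> List[str]:
    """Names of non-NCP clients whose data channel will not work with this config."""
    cipher, ncp = parse_server_config(config_text)
    return [c.name for c in clients
            if not c.supports_ncp and server_cipher_for(cipher, ncp, c) != c.cipher]

# Constructed sample: the thread's server config, then the corrected one
SERVER_CFG = "cipher AES-256-CBC\nncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC\n"
SERVER_CFG_FIXED = "cipher BF-CBC\nncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC\n"
CLIENTS = [
    Client("full-build-2.3", "BF-CBC", sends_occ=True),             # OCC present
    Client("uclibc-2.3.2", "BF-CBC", sends_occ=False),              # --enable-small
    Client("new-2.4", "BF-CBC", sends_occ=True, supports_ncp=True),  # negotiates
]

if __name__ == "__main__":
    print(mismatched_clients(SERVER_CFG, CLIENTS))        # ['uclibc-2.3.2']
    print(mismatched_clients(SERVER_CFG_FIXED, CLIENTS))  # []
```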
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users