24.01.2017 15:43, Gert Doering writes:
> Hi,
>
> On Tue, Jan 24, 2017 at 02:51:48PM +0400, Dmitry Melekhov wrote:
>> Unfortunately, some of our points still use blowfish, but we can't
>> change the cipher on all of them at once,
>>
>> so we decided to upgrade the servers to 2.4.0 and then, one by one, change
>> the clients' ciphers.
>>
>> Don't know why, but I decided to set default cipher on server to
>> AES-256-CBC ,
>>
>> and
>>
>> ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC
>>
>>
>> so blowfish is in list.
> ncp-ciphers is good, but "cipher" should be set to "what the old clients
> use".
>
>> and found that the servers successfully use blowfish for some old clients,
>> but not for others:
> It depends on whether the client sends OCC info about its config - if it
> doesn't send that (like "because it was compiled with --disable-occ")
> the server will have to use what is configured.

I see, that's a great pity :-(
Because it means that there is no cipher info on the server for such
clients, so the server will use the default,
i.e. I can't run some of these old clients with blowfish and others with AES.

> [..]
>> OpenVPN 2.3.2 i486-unknown-linux-uclibc [SSL (OpenSSL)] [LZO] [EPOLL]
>> [eurephia] [MH] [IPv6] built on Nov  6 2014
> Scary old :-) - and "uclibc" sounds like "--enable-small", which is also
> turning off OCC.
>
>> the same problem is for
>>
>> OpenVPN 2.3.0 arm-buildroot-linux-uclibcgnueabi [SSL (OpenSSL)] [LZO]
>> [EPOLL] [MH] [IPv6] built on Oct 28 2014
> Ditto.
>
>> So, for now, I left default cipher on server.
>>
>>
>> But, according to the man page, the server has to choose blowfish:
> Default is blowfish, so that's OK.  Just configure the same "cipher"
> on both the old-clients-without-OCC and the new server.
>
This ruins my plans to change ciphers on the clients one by one, i.e.
we would need to change it on the clients and on the server at the same time,
which is almost impossible :-(

Well, I just need another plan .... ;-)

Thank you!
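The server-side setting Gert describes, written out as an added configuration example (not from the thread or the OpenVPN project). It assumes a 2.4 server with a mixed client population: 2.4 clients that negotiate via NCP, 2.3 clients that announce their cipher through OCC, and old 2.3 builds compiled without OCC that announce nothing. The hostnames and file names are placeholders.

```conf
# --- server.conf (OpenVPN 2.4, placeholder paths) ---
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# "cipher" is what the server falls back to when a client sends no
# cipher information at all (old builds with --disable-occ / --enable-small).
# It must therefore match what those old clients are configured with.
cipher BF-CBC

# NCP list: 2.4 clients negotiate the first mutually supported entry here
# (AES-GCM). A 2.3 client that sends OCC info and uses one of these ciphers
# is accepted with that cipher. BF-CBC stays only until the last legacy
# client has been migrated; remove it from this list afterwards and then
# change "cipher" above.
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

# --- client.conf for an old 2.3 client built without OCC ---
# Must state the same cipher as the server's "cipher" line, because the
# server cannot learn it from the client.
cipher BF-CBC

# --- client.conf for a client that has already been migrated (2.3 with OCC,
# or any 2.4 build) ---
# 2.4: negotiated automatically from ncp-ciphers, no "cipher" line needed.
# 2.3 with OCC: the server accepts this because it is in its ncp-ciphers list.
cipher AES-256-CBC
```

The consequence for the migration plan is the one the thread reaches: clients that announce their cipher can be moved one at a time while the server's `cipher` stays at BF-CBC, but the OCC-less clients are tied to that single server default and have to be switched together with it.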

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users