Hi,

On Thu, Feb 16, 2017 at 02:44:13PM +0100, David Sommerseth wrote:
> A v2.4 (and newer) client which adds --ncp-ciphers can steer which
> ciphers a NCP capable server will use.  So if the server uses
> --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC and you
> want your client to only use 128 bits ciphers, you add to the client
> configuration --ncp-ciphers AES-128-GCM:AES-128-CBC.  With this
> configuration, even if the server has --cipher BF-CBC as the default,
> the client ciphers will be upgraded to AES-128-GCM or AES-128-CBC
> (depending on the strongest cipher which the SSL libraries support).

Close.  There is no signalling client->server about the list of 
supported ciphers yet, only "I can do NCP!" - in this case the server
will pick the first cipher from *the server side* --ncp-ciphers list.

"I can do NCP!" (IV_NCP=1) is defined as "the client can do server-pushed 
ciphers, AND supports AES-256-GCM".

[..]
> In addition, which cipher will effectively be used also depends on
> which ciphers the SSL libraries OpenVPN is built against supports.

Sort of.  If the SSL libraries do not support AES, NCP will be disabled.

Otherwise, there is no automatism "SSL library does not have <x>, so fall
back to <x>" - it will just fail.


(... and I bet there's yet another detail I didn't get right either)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             [email protected]
fax: +49-89-35655025                        [email protected]
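The selection rules Gert describes above (server picks the first entry of its own --ncp-ciphers list when the client announces IV_NCP=1, the client's own --ncp-ciphers list is never seen by the server, NCP is off entirely when the SSL library lacks AES, and a cipher the library cannot do simply fails rather than falling back), written out as a small Python model. This is an added illustration, not OpenVPN's own code: the function names, the cipher-capability sets and the colon-separated lists are constructed here for the example, and the "library lacks AES" check is an assumption about how to represent that condition.

```python
"""Model of the OpenVPN 2.4 NCP cipher-selection rules from the message above.

Added example, not OpenVPN source: names and sample inputs are my own.
"""

from typing import FrozenSet, List, Optional

# Constructed sample capability sets standing in for what an SSL library offers.
SSL_WITH_AES: FrozenSet[str] = frozenset(
    {"AES-256-GCM", "AES-256-CBC", "AES-128-GCM", "AES-128-CBC", "BF-CBC"}
)
SSL_WITHOUT_AES: FrozenSet[str] = frozenset({"BF-CBC"})


def parse_cipher_list(value: str) -> List[str]:
    """Split an --ncp-ciphers value ("A:B:C") into an ordered list."""
    return [c for c in value.split(":") if c]


def ncp_available(ssl_ciphers: FrozenSet[str]) -> bool:
    """NCP is disabled if the SSL library does not support AES at all.

    Assumption: "supports AES" is modelled as "any AES-* cipher present".
    """
    return any(c.startswith("AES-") for c in ssl_ciphers)


def server_select_cipher(
    server_ncp_ciphers: str,
    server_cipher: str,
    client_iv_ncp: bool,
    ssl_ciphers: FrozenSet[str],
    client_ncp_ciphers: Optional[str] = None,
) -> str:
    """Return the cipher the server ends up using for this client.

    client_ncp_ciphers is accepted only to make the point explicit: the
    client's list is not signalled to the server, so it is ignored here.
    """
    del client_ncp_ciphers  # never reaches the server in this protocol version

    if client_iv_ncp and ncp_available(ssl_ciphers):
        # "I can do NCP" -> first entry of the *server side* list wins.
        chosen = parse_cipher_list(server_ncp_ciphers)[0]
    else:
        # No NCP: fall back to the static --cipher setting.
        chosen = server_cipher

    if chosen not in ssl_ciphers:
        # No automatic "library lacks X, try Y": the session just fails.
        raise RuntimeError(f"cipher {chosen} not available in SSL library")
    return chosen


if __name__ == "__main__":
    # David's scenario: server has AES list + --cipher BF-CBC, client asks
    # for 128-bit ciphers only. Result is AES-256-GCM, not AES-128-GCM.
    print(
        server_select_cipher(
            "AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC",
            "BF-CBC",
            client_iv_ncp=True,
            ssl_ciphers=SSL_WITH_AES,
            client_ncp_ciphers="AES-128-GCM:AES-128-CBC",
        )
    )
```

The `if __name__` block reproduces the exchange in the thread: the client's 128-bit preference makes no difference, and the server's first list entry is what gets pushed.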
