On 16/02/17 18:58, Gert Doering wrote:
> Hi,
>
> On Thu, Feb 16, 2017 at 02:44:13PM +0100, David Sommerseth wrote:
>> A v2.4 (and newer) client which adds --ncp-ciphers can steer which
>> ciphers an NCP-capable server will use. So if the server uses
>> --ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC and you
>> want your client to only use 128-bit ciphers, you add to the client
>> configuration --ncp-ciphers AES-128-GCM:AES-128-CBC. With this
>> configuration, even if the server has --cipher BF-CBC as the default,
>> the client ciphers will be upgraded to AES-128-GCM or AES-128-CBC
>> (depending on the strongest cipher which the SSL libraries support).
>
> Close. There is no signalling client->server about the list of
> supported ciphers yet, only "I can do NCP!" - in this case the server
> will pick the first cipher from *the server side* --ncp-ciphers list.
>
> "I can do NCP!" (IV_NCP=1) is defined as "the client can do server-pushed
> ciphers, AND supports AES-256-GCM".

Ahh! Thanks! I was not aware that AES-GCM is required for NCP.

> [..]
>> In addition, which cipher will effectively be used also depends on
>> which ciphers the SSL libraries OpenVPN is built against support.
>
> Sort of. If the SSL libraries do not support AES, NCP will be disabled.

Do you mean AES-GCM, or AES in general? AES-GCM is the AEAD cipher stuff
which is quite different from plain AES. And AES is even supported in
OpenSSL v0.9.8.

> Otherwise, there is no automatism "SSL library does not have <x>, so fall
> back to <x>" - it will just fail.

Right!

> (... and I bet there's yet another detail I didn't get right either)

Steffan, come save us! :)

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
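The selection rules Gert describes above (client only signals IV_NCP=1, server picks the first entry of its own --ncp-ciphers list, NCP disabled without AES, no fallback when a cipher is unsupported), as an added model written for this thread; it is not OpenVPN's code, and the Peer fields and cipher sets are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    """One OpenVPN endpoint's relevant settings (constructed model, not OpenVPN structs)."""
    cipher: str                                      # --cipher: the pre-NCP default
    ncp_ciphers: list = field(default_factory=list)  # --ncp-ciphers in preference order
    ssl_supports: set = field(default_factory=set)   # ciphers the linked SSL library offers
    ncp_capable: bool = True                         # can the client apply a pushed cipher?

def client_iv_ncp(client: Peer) -> int:
    # IV_NCP=1 means: the client can do server-pushed ciphers AND supports AES-256-GCM.
    return 1 if client.ncp_capable and "AES-256-GCM" in client.ssl_supports else 0

def server_select_cipher(server: Peer, iv_ncp: int) -> str:
    # If the server's SSL library has no AES at all, NCP is disabled and --cipher is used.
    aes_available = any(c.startswith("AES-") for c in server.ssl_supports)
    if iv_ncp == 1 and aes_available and server.ncp_ciphers:
        # The server picks the FIRST entry of ITS OWN --ncp-ciphers list; the client's
        # --ncp-ciphers list is never signalled, so it cannot steer this choice.
        chosen = server.ncp_ciphers[0]
    else:
        chosen = server.cipher
    if chosen not in server.ssl_supports:
        # No automatic fallback: a cipher the SSL library lacks is simply an error.
        raise RuntimeError(f"server SSL library does not support {chosen}")
    return chosen

def negotiate(client: Peer, server: Peer) -> str:
    """Run the exchange and return the data-channel cipher the client ends up using."""
    pushed = server_select_cipher(server, client_iv_ncp(client))
    if pushed not in client.ssl_supports:
        raise RuntimeError(f"client SSL library does not support {pushed}")
    return pushed

ALL = {"BF-CBC", "AES-256-GCM", "AES-256-CBC", "AES-128-GCM", "AES-128-CBC"}
SERVER = Peer("BF-CBC", ["AES-256-GCM", "AES-256-CBC", "AES-128-GCM", "AES-128-CBC"], set(ALL))

if __name__ == "__main__":
    # The client from the thread wants 128-bit only; its list is not sent, so it gets AES-256-GCM.
    client_128 = Peer("BF-CBC", ["AES-128-GCM", "AES-128-CBC"], set(ALL))
    print(negotiate(client_128, SERVER))            # AES-256-GCM
    # A client without NCP support: the server falls back to its --cipher.
    old_client = Peer("BF-CBC", [], set(ALL), ncp_capable=False)
    print(negotiate(old_client, SERVER))            # BF-CBC
    # A server whose SSL library lacks AES entirely: NCP disabled, --cipher used.
    no_aes_server = Peer("BF-CBC", SERVER.ncp_ciphers, {"BF-CBC"})
    print(negotiate(client_128, no_aes_server))     # BF-CBC
```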
