Hi,

On Fri, Jun 30, 2017 at 07:27:14AM +0200, SaAtomic wrote:
> If the server does not explicitly define the `ncp-ciphers` option in the
> configuration, just `cipher AES-128-CBC`, I assume the default of the
> `ncp-ciphers` is enabled (AES-256-GCM:AES-128-GCM), right?
Right.
> The client has the option `cipher AES-128-CBC` defined, but also uses
> `ncp-disable`. This connection should work fine, as both ciphers match.
Right.
> If the client changes the cipher to `cipher AES-256-GCM` (or AES-128-GCM), but
> keeps the `ncp-disable` in its configuration and then reconnects to the same
> server, would the connection succeed, due to the server having the cipher in
> the `ncp-ciphers` default list, or would it fail due to a cipher mismatch?
If the *server* has the cipher in its list, this should cause the same
behaviour as if a 2.3 client (that does not have NCP) connects to the
2.4 server, using --cipher <something> --> if it's in the server's
allowed cipher list, the server will use that. So, for AES-256-GCM,
they should be all fine.
Now, if you try "--cipher BF", it will not work, as that is not in the
server's allowed cipher list (unless you put it there).
(As a side note: please upgrade to 2.4.3)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
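
The rule described in the reply above, as an added example (not part of the original message and not OpenVPN code): a small Python model that reads the `cipher`, `ncp-ciphers` and `ncp-disable` directives from constructed server and client configs and predicts whether an `ncp-disable` client connects. The function names and sample configs are assumptions, and cipher names are compared as written, with no alias resolution.

```python
# Added example: models only the case discussed in the reply, a client that
# runs with ncp-disable (or a 2.3 client) against a 2.4 server with NCP on.
DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"  # default named in the thread


def parse_config(text):
    """Extract the cipher-related directives from OpenVPN config text."""
    opts = {"cipher": None, "ncp-ciphers": DEFAULT_NCP_CIPHERS, "ncp-disable": False}
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0][0] in "#;":  # blank line or comment
            continue
        name = tokens[0].lstrip("-")
        if name == "ncp-disable":
            opts[name] = True
        elif name in ("cipher", "ncp-ciphers") and len(tokens) > 1:
            opts[name] = tokens[1].upper()  # compared as written, no aliases
    return opts


def predict(server_conf, client_conf):
    """Return (connects, data_channel_cipher) for an ncp-disable client."""
    server, client = parse_config(server_conf), parse_config(client_conf)
    if server["ncp-disable"] or not client["ncp-disable"]:
        raise ValueError("model covers NCP server + ncp-disable client only")
    if not server["cipher"] or not client["cipher"]:
        raise ValueError("both configs must set cipher explicitly")
    wanted = client["cipher"]
    if wanted == server["cipher"]:
        return True, wanted  # plain --cipher match, as with 2.3 peers
    if wanted in server["ncp-ciphers"].split(":"):
        return True, wanted  # server switches to the client's cipher
    return False, None  # not --cipher, not in ncp-ciphers: mismatch


# Constructed sample configs mirroring the three cases in the thread.
SERVER = "port 1194\ncipher AES-128-CBC\n"
CLIENTS = {
    "same cipher": "cipher AES-128-CBC\nncp-disable\n",
    "in ncp-ciphers": "cipher AES-256-GCM\nncp-disable\n",
    "not allowed": "cipher BF\nncp-disable\n",
}

if __name__ == "__main__":
    for label, conf in CLIENTS.items():
        print(label, predict(SERVER, conf))
```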
