Package: openvpn
Version: 2.6.0~rc1
Severity: normal
Dear Maintainer,
after updating openvpn from bullseye-backports from 2.5.1 to 2.6.0~rc1 I got a
broken VPN client-to-site connection to a server
not supporting TLS 1.2 (forced min TLS version: 1.0, overridden cipher:
AES-128-CBC).
The reason is not the explicit cipher in the setting, but that
network-manager-openvpn relies on a different option set.
Message:
--cipher set to 'AES-128-CBC' but missing in --data-ciphers
(AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for
cipher negotiations.
As a result, the connection cannot be established.
IMHO, in any case it is not a good idea to backport openvpn 2.6 unless
network-manager-openvpn also supports overriding --data-ciphers.
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.77
ii iproute2 6.1.0-1~bpo11+1
ii libc6 2.31-13+deb11u5
ii liblz4-1 1.9.3-2
ii liblzo2-2 2.10-2
ii libpam0g 1.4.0-9+deb11u1
ii libpkcs11-helper1 1.27-1
ii libssl1.1 1.1.1n-0+deb11u3
ii libsystemd0 251.3-1~bpo11+1
ii lsb-base 11.1.0
Versions of packages openvpn recommends:
ii easy-rsa 3.0.8-1
Versions of packages openvpn suggests:
ii openssl 1.1.1n-0+deb11u3
pn openvpn-systemd-resolved
pn resolvconf
-- debconf information:
openvpn/create_tun: false
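
An added example, not part of the original report and not code from openvpn or network-manager-openvpn: a pre-upgrade check that flags an OpenVPN client config whose cipher is absent from data-ciphers, which is the mismatch the quoted message describes. The function names, the sample configs and the host name are constructed for illustration; the default list is copied from the message above, and the check works on plain OpenVPN config text.

```python
# Added example: flags OpenVPN client configs that will hit the mismatch
# described in this report once the client is upgraded to 2.6.
# DEFAULT_DATA_CIPHERS is copied from the warning quoted in the report.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
CIPHER_OPTIONS = {"cipher", "data-ciphers"}


def parse_cipher_options(config_text):
    """Return {option: value}; if an option repeats, the last one is kept here."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Lines starting with '#' or ';' are comments in OpenVPN configs.
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        name = parts[0].lstrip("-")  # also accept command-line style --cipher
        if name in CIPHER_OPTIONS and len(parts) >= 2:
            found[name] = parts[1].strip("'\"")
    return found


def audit(config_text):
    """Return None if the config is consistent, else a dict describing the gap."""
    opts = parse_cipher_options(config_text)
    cipher = opts.get("cipher")
    if cipher is None:
        return None
    allowed = [c for c in opts.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":") if c]
    # Case-insensitive comparison is a choice made for this audit (assumption).
    if cipher.upper() in (c.upper() for c in allowed):
        return None
    return {
        "cipher": cipher,
        "data_ciphers": ":".join(allowed),
        # Keep the existing preference order and append the legacy cipher last.
        "suggested_line": "data-ciphers " + ":".join(allowed + [cipher]),
    }


# Constructed sample configs (hypothetical host name, not from the report).
LEGACY_CONFIG = "client\nremote vpn.example.test 1194\n# forced by the server\ncipher AES-128-CBC\n"
FIXED_CONFIG = LEGACY_CONFIG + (
    "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC\n")

if __name__ == "__main__":
    print(audit(LEGACY_CONFIG))  # reports the gap and a suggested line
    print(audit(FIXED_CONFIG))   # None
```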