Hi,

On 30 August 2016 at 09:01, Jens Neuhalfen <openvpn-de...@neuhalfen.name> wrote:
>> OTOH, what we could do is: indeed *change* the default, and add a big fat
>> warning ("you have not specified a --cipher directive.  The default has
>> been changed from 2.3 to 2.4, so please ensure your config matches the
>> other end" or something like that)
>
> This seems like a good idea, maybe like so?
>
> - A “default will change” warning on “2.3” when no cipher is selected
> - AES-256-GCM as new default for 2.4

Even though I'm in favour of changing the default cipher, I'm afraid
this will break too many setups, causing users to give up on OpenVPN.
Cipher negotiation basically updates the default to AES-256-GCM, but
will not break connections with older clients.  Whether we should also
change the default cipher is something I'll let the OpenVPN 'veterans'
decide.

> - When used, a “You are using 64 bit block ciphers and this is a bad idea” 
> message on 2.3 and 2.4

This we already have in place in both 2.3(.12) and 2.4, see
http://www.mail-archive.com/openvpn-devel%40lists.sourceforge.net/msg00030.html.

-Steffan

------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
