On 17.04.16 at 18:23, Steffan Karger wrote:
> In the past years, the internet has been moving forward wrt deprecating
> older and less secure ciphers.  Let's follow this example in OpenVPN and
> also restrict the default list of negotiable TLS ciphers in 2.3.x.
> 
> This disables the following:
>  * Export ciphers (these are broken on purpose...)
>  * Ciphers in the LOW and MEDIUM security cipher list of OpenSSL
>    The LOW suite will be completely removed from OpenSSL in 1.1.0,
>    the MEDIUM suite contains ciphers like RC4 and SEED.
>  * Ciphers that are not supported by OpenVPN anyway (cleans up the list)
> 
> Note that users are able to override this default, using --tls-cipher, if
> they for some reason need ciphers that are now disabled by default.

ACK (like in master)
Changing this in 2.3.x might break some configs. In my Android client,
the last change broke various configs: a few because of broken OpenSSL
installations, but mainly custom "hardening" that specified a very small
cipher list with tls-cipher.

Arne
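The breakage Arne describes comes from configs that pin a very small --tls-cipher list: once a peer upgrades to a default that no longer offers export, RC4 or SEED suites, a list made up only of such suites leaves nothing to negotiate. The script below is an added example, not code from the thread or from OpenVPN; it parses the tls-cipher directive out of a config and reports which entries fall into the families the message names as disabled. The sample configs are constructed for this example, and the pattern table is built from the families mentioned in the e-mail (export, RC4, SEED), not from the patch's actual cipher string, so treat a "clean" result as necessary rather than sufficient.

```python
"""Audit OpenVPN configs for --tls-cipher lists that an upgraded peer using
the tightened 2.3.x default (no export, RC4 or SEED suites) can no longer
negotiate.  Added example; assumptions are marked in comments."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configs for this example (not taken from the thread).
SAMPLE_CONFIG_SMALL_LIST = """\
client
dev tun
remote vpn.example.org 1194
# custom "hardening": pin a very small cipher list
tls-cipher RC4-SHA:SEED-SHA:EXP-DES-CBC-SHA
"""

SAMPLE_CONFIG_MIXED = """\
client
remote vpn.example.org 1194
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-RC4-128-SHA
"""

SAMPLE_CONFIG_DEFAULT = """\
client
remote vpn.example.org 1194
; no tls-cipher line: the binary's default list applies
"""

# Families the e-mail says are dropped from the new default.  Illustrative
# mapping built from the message's examples, not the real patch string.
# Patterns accept both OpenSSL names (EXP-DES-CBC-SHA, RC4-SHA) and the
# IANA-style names OpenVPN uses (TLS-RSA-EXPORT-WITH-RC4-40-MD5).
DISABLED_FAMILIES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("export", re.compile(r"^EXP(1024)?[-_]|[-_]EXPORT[-_]")),
    ("RC4", re.compile(r"RC4")),
    ("SEED", re.compile(r"SEED")),
]


def parse_tls_cipher(config_text: str) -> Optional[List[str]]:
    """Return the colon-separated tls-cipher list, or None if the config has
    none (in which case the binary's built-in default applies).  A later
    tls-cipher line overrides an earlier one, as OpenVPN does."""
    ciphers: Optional[List[str]] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment markers
            continue
        tokens = line.split()
        if tokens[0] == "tls-cipher" and len(tokens) >= 2:
            ciphers = [c for c in tokens[1].split(":") if c]
    return ciphers


def disabled_family(cipher: str) -> Optional[str]:
    """Name the disabled family a cipher belongs to, or None if it is not
    in any of the families the message lists."""
    name = cipher.upper()
    for family, pattern in DISABLED_FAMILIES:
        if pattern.search(name):
            return family
    return None


def audit(config_text: str) -> Dict[str, object]:
    """Classify every pinned cipher.  'breaks' is True when every entry in
    the pinned list is in a disabled family, i.e. nothing is left that an
    upgraded peer on the new default would still offer."""
    ciphers = parse_tls_cipher(config_text)
    if ciphers is None:
        return {"uses_default": True, "ciphers": [], "disabled": {},
                "remaining": [], "breaks": False}
    disabled: Dict[str, str] = {}
    remaining: List[str] = []
    for cipher in ciphers:
        family = disabled_family(cipher)
        if family is None:
            remaining.append(cipher)
        else:
            disabled[cipher] = family
    return {"uses_default": False, "ciphers": ciphers, "disabled": disabled,
            "remaining": remaining, "breaks": not remaining}


def report(label: str, config_text: str) -> None:
    result = audit(config_text)
    if result["uses_default"]:
        print(f"{label}: no tls-cipher line, default list applies")
        return
    for cipher, family in result["disabled"].items():   # type: ignore[union-attr]
        print(f"{label}: {cipher} is in the disabled family '{family}'")
    verdict = "WILL FAIL against an upgraded peer" if result["breaks"] else "still negotiable"
    print(f"{label}: remaining {result['remaining']} -> {verdict}")


if __name__ == "__main__":
    report("small-list", SAMPLE_CONFIG_SMALL_LIST)
    report("mixed", SAMPLE_CONFIG_MIXED)
    report("default", SAMPLE_CONFIG_DEFAULT)
```

Run it against real configs by reading the file into `audit()`; a config with no tls-cipher line simply inherits whatever default the upgraded binary ships, which is why the default case is never flagged.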

