On 29/03/2019 14:27, Arne Schwabe wrote:
> With modern clients and server initialising the crypto cipher later
> and not when reading in the config, most users never see the warning when
> having selected BF-CBC in the configuration.
>
> This patch adds the logic to print out a warning to init_key_type.
>
> Main reason for this patch is a personal experience with someone who was
> strictly against putting 'cipher' into a config file because he did not
> like hardcoding a cipher and "OpenVPN will do AES-GCM anyway" and thinks
> that it is better to not have it in configuration even after being told by me
> that 15 year old defaults might not be good anymore.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>

Just so that I understand this correctly.

If a pre-2.4 _server_ (or 2.4 server with NCP disabled) uses default BF-CBC and the client is *not* listing --cipher at all - expecting the server to push a sane cipher - the current behaviour is to NOT warn about a weak cipher. Is that correctly understood?

In general, I don't mind annoying/scaring users that they use an insecure cipher - no matter if it is through direct or indirect (pushed) configuration options.

--
kind regards,

David Sommerseth
OpenVPN Inc
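An added example, not the patch itself nor OpenVPN's own code, modelling the point under discussion: the cipher actually used for the data channel is only known when the key type is initialised, so a check placed there catches both the implicit BF-CBC default and a pushed cipher, whereas a check done while parsing --cipher misses both. The cipher table, the function names and the "pushed cipher wins, then --cipher, then the BF-CBC default" resolution are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed table of cipher block sizes in bits (assumption, not OpenVPN's
   own cipher list). 64-bit block ciphers are the ones the warning targets. */
struct cipher_info { const char *name; int block_bits; };
static const struct cipher_info ciphers[] = {
    { "BF-CBC",       64 },  { "DES-EDE3-CBC", 64 },  { "CAST5-CBC",   64 },
    { "AES-128-CBC", 128 },  { "AES-256-CBC", 128 },  { "AES-256-GCM", 128 },
};

/* Resolve the cipher init_key_type would actually see: a cipher pushed by the
   server wins, then --cipher from the config, then the historical default. */
const char *effective_cipher(const char *config_cipher, const char *pushed_cipher)
{
    if (pushed_cipher && *pushed_cipher) return pushed_cipher;
    if (config_cipher && *config_cipher) return config_cipher;
    return "BF-CBC";
}

/* Print a warning and return true when the cipher has a 64-bit block size.
   Unknown names are reported but not treated as weak. */
bool warn_if_weak_cipher(const char *ciphername)
{
    for (size_t i = 0; i < sizeof ciphers / sizeof ciphers[0]; i++) {
        if (strcmp(ciphers[i].name, ciphername) != 0) continue;
        if (ciphers[i].block_bits <= 64) {
            fprintf(stderr, "WARNING: cipher %s uses a %d-bit block size; "
                    "consider a cipher with a 128-bit block such as AES-GCM\n",
                    ciphername, ciphers[i].block_bits);
            return true;
        }
        return false;
    }
    fprintf(stderr, "WARNING: unknown cipher '%s'\n", ciphername);
    return false;
}

/* Parse-time check: only sees an explicit --cipher, so a config without one
   (default BF-CBC) or a weak pushed cipher never triggers it. */
bool config_time_warning(const char *config_cipher)
{
    return config_cipher && *config_cipher && warn_if_weak_cipher(config_cipher);
}

/* Init-time check: runs on the cipher that is really going to be used. */
bool init_time_warning(const char *config_cipher, const char *pushed_cipher)
{
    return warn_if_weak_cipher(effective_cipher(config_cipher, pushed_cipher));
}
```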