On 02.04.19 at 11:45, David Sommerseth wrote:
> On 29/03/2019 14:27, Arne Schwabe wrote:
>> With modern clients and servers initialising the crypto cipher later
>> and not when reading in the config, most users never see the warning when
>> having selected BF-CBC in the configuration.
>>
>> This patch adds the logic to print out a warning to init_key_type.
>>
>> The main reason for this patch is a personal experience with someone who was
>> strictly against putting 'cipher' into a config file because he did not
>> like hardcoding a cipher and "OpenVPN will do AES-GCM anyway" and thinks
>> that it is better to not have it in the configuration even after being told by me
>> that 15-year-old defaults might not be good anymore.
>>
>> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> Just so that I understand this correctly.
>
> If a pre-2.4 _server_ (or 2.4 server with NCP disabled) uses the default BF-CBC
> and the client is *not* listing --cipher at all - expecting the server to push
> a sane cipher - the current behaviour will be to NOT warn about a weak cipher.
> Is that correctly understood?
The condition is a 2.4 server or 2.4 client with cipher BF-CBC in the config (or no cipher). If they push/get a secure cipher pushed, they never warn about having an insecure configuration. Especially on a server this is important because without cipher in both client and server everything works, but only when you actually connect with a 2.3 or ncp-disable client do you get a warning that your configuration is potentially insecure. With this patch, server/client warn as soon as you load the configuration.

Arne
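To make the behaviour discussed in this thread concrete, here is an added stand-alone model (not OpenVPN's code) of when the BF-CBC warning fires before and after the patch. It assumes config lines of the form "directive [arg]", that the effective cipher with no --cipher line is the historical default BF-CBC, and that NCP is active unless "ncp-disable" is present; `parse_config`, `warns_old` and `warns_new` are hypothetical names.

```c
/* Added example, not OpenVPN's code: a stand-alone model of when the BF-CBC
 * warning fires before and after the patch. Assumptions: config lines are
 * "directive [arg]", no --cipher means BF-CBC, NCP is on unless ncp-disable. */
#include <stdio.h>
#include <string.h>
#define DEFAULT_CIPHER "BF-CBC"   /* historical default when --cipher is absent */
struct cfg {
    char cipher[32];    /* effective --cipher value */
    int  ncp_disabled;
};
/* Parse only the directives that matter here; others are ignored. */
static void parse_config(const char *text, struct cfg *c)
{
    strcpy(c->cipher, DEFAULT_CIPHER);
    c->ncp_disabled = 0;
    for (const char *p = text; *p; ) {
        char line[128], name[32], arg[32] = "";
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');
        if (sscanf(line, "%31s %31s", name, arg) < 1 || name[0] == '#')
            continue;           /* blank line or comment */
        if (strcmp(name, "cipher") == 0 && arg[0])
            strcpy(c->cipher, arg);
        else if (strcmp(name, "ncp-disable") == 0)
            c->ncp_disabled = 1;
    }
}
/* Before the patch: the warning lives in cipher init, so it only fires when
 * BF-CBC is really used, i.e. when no cipher gets negotiated with the peer. */
int warns_old(const char *config, int peer_supports_ncp)
{
    struct cfg c; parse_config(config, &c);
    int negotiated = peer_supports_ncp && !c.ncp_disabled;
    return strcmp(c.cipher, "BF-CBC") == 0 && !negotiated;
}
/* After the patch: warn as soon as the loaded config selects BF-CBC,
 * explicitly or by default, regardless of what a peer may negotiate later. */
int warns_new(const char *config)
{
    struct cfg c; parse_config(config, &c);
    return strcmp(c.cipher, "BF-CBC") == 0;
}
```

The constructed configs in the test show the gap the patch closes: a config with no cipher line is silent under the old logic as long as every peer negotiates, and only warns once a 2.3 or ncp-disable peer connects.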