Hi,

On 04-11-16 02:03, Jason Haar wrote:
> Am I correct that to move off Blowfish cipher, we'll have to reconfigure
> the openvpn servers and clients simultaneously? The server and clients
> don't currently have "cipher" defined, but the newer clients are
> generating those "cipher" warnings.
>
> Also, am I correct that "cipher" cannot be used within a "<connection>"
> block? i.e. there's no way to migrate - it has to be a "hard" outage.
>
> I'm just wondering how other people do it. I can't see any way out of
> this other than bringing up entirely independent server infrastructure,
> so that the new clients can use the new servers while the old clients
> migrate.
With 2.3, yes. OpenVPN 2.4 offers 'Negotiable Crypto Parameters', which will (by default) negotiate AES-GCM if both client and server support negotiation (i.e., are 2.4+). That is the more elegant migration path. 2.4 isn't stable yet, but an alpha2 preview is available for testing [1]. The current goal is to release 2.4.0 by the end of this year.

The risks of the 64-bit block ciphers are as of 2.3.13 mitigated by setting --reneg-bytes to 64 MB. That is of course suboptimal, but should be barely noticeable for most use cases.

So you might want to consider waiting for the 2.4.0 release, or start testing 2.4 right away and migrate as soon as you've got confidence in the 2.4 code base. (The 2.4/master branch really is quite stable actually, and has a lot of other nice features worth migrating for.)

-Steffan

[1] https://openvpn.net/index.php/open-source/downloads.html
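The three situations discussed in the thread (no "cipher" line so BF-CBC applies, the 2.3.13-style --reneg-bytes cap, and a 2.4 server negotiating AES-GCM with 2.4+ clients) can be checked mechanically before touching production. The script below is an added example written for this page; it is not code from the thread or from the OpenVPN project. The sample configs are constructed, the hostname is a placeholder, the 64 MB limit is taken as 64000000 bytes, and the 2.4 default negotiation list AES-256-GCM:AES-128-GCM is an assumption; the rule that "cipher" is not accepted inside a <connection> block is the one the thread states.

```python
"""Audit OpenVPN 2.x configs for the 64-bit block cipher issue from the thread.

Added example, not OpenVPN project code. Covers only the directives named in the
discussion: cipher, reneg-bytes, ncp-ciphers / ncp-disable and <connection> blocks.
"""
import re

# Ciphers with a 64-bit block size; BF-CBC is the default when "cipher" is unset.
SIXTY_FOUR_BIT_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
DEFAULT_CIPHER = "BF-CBC"
RENEG_LIMIT = 64_000_000                  # "64 MB" from the thread, taken as bytes (assumption)
DEFAULT_NCP = "AES-256-GCM:AES-128-GCM"   # 2.4 default negotiation list (assumption)


def parse_openvpn_conf(text):
    """Return ({option: [args, ...]} for top-level lines, [option names inside <connection>])."""
    options, in_connection, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                                   # blank line or comment
        tag = re.fullmatch(r"<(/?)([A-Za-z-]+)>", line)
        if tag:                                        # <connection>, </connection>, <ca>, ...
            block = None if tag.group(1) else tag.group(2)
            continue
        name, *args = line.split()
        if block is None:
            options.setdefault(name, []).append(args)  # last occurrence wins later
        elif block == "connection":
            in_connection.append(name)
        # other inline blocks (<ca>, <cert>, <key>) carry file contents and are skipped
    return options, in_connection


def audit(text, ncp_capable):
    """Return a list of findings; ncp_capable says whether the build is 2.4+."""
    options, in_connection = parse_openvpn_conf(text)
    findings = []
    if "cipher" in options:
        cipher = options["cipher"][-1][0].upper()
    else:
        cipher = DEFAULT_CIPHER
        findings.append("no 'cipher' directive: default BF-CBC applies")
    if cipher in SIXTY_FOUR_BIT_BLOCK:
        reneg = options.get("reneg-bytes")
        limit = int(reneg[-1][0]) if reneg else None
        if limit is not None and limit <= RENEG_LIMIT:
            findings.append(f"{cipher}: data-channel rekey forced by reneg-bytes {limit}")
        else:
            findings.append(f"{cipher}: no explicit reneg-bytes <= {RENEG_LIMIT} configured")
        if ncp_capable and "ncp-disable" not in options:
            ncp = options.get("ncp-ciphers", [[DEFAULT_NCP]])[-1][0]
            findings.append(f"{cipher}: 2.4+ peers negotiate {ncp} instead")
    if "cipher" in in_connection:
        findings.append("'cipher' inside <connection> block is not a valid placement")
    return findings


# Constructed sample configs (not from the thread). No "cipher" line: BF-CBC applies.
LEGACY_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
"""
MITIGATED_SERVER_CONF = LEGACY_SERVER_CONF + "reneg-bytes 64000000\n"
NCP_SERVER_CONF = LEGACY_SERVER_CONF + "ncp-ciphers AES-256-GCM:AES-128-GCM\n"
BAD_CLIENT_CONF = """\
client
dev tun
<connection>
remote vpn.example.invalid 1194 udp
cipher AES-256-CBC
</connection>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    cases = [("legacy 2.3 server", LEGACY_SERVER_CONF, False),
             ("2.3.13 server with reneg-bytes", MITIGATED_SERVER_CONF, False),
             ("2.4 server with NCP", NCP_SERVER_CONF, True),
             ("client with cipher in <connection>", BAD_CLIENT_CONF, False)]
    for label, conf, ncp in cases:
        print(f"[{label}]")
        for finding in audit(conf, ncp):
            print("  -", finding)
```

Run it against a real server or client config by reading the file into `audit()`; for a 2.4 server the third case is the interesting one, because the same config keeps serving BF-CBC to 2.3 clients while 2.4 clients move to AES-GCM, which is the staged migration the reply describes.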