Hi,

On Wed, Apr 26, 2017 at 05:58:19PM -0400, David Mehler wrote:
> Currently I have in both my server and client configuration files:
> 
> cipher AES-256-GCM
> 
> If I add the line:
> 
> push "cipher AES-256-GCM"
> 
> to the server configuration file can I then remove the client cipher
> AES-256-GCM line?
> 

"Yes, no, maybe".  The answer to that is complicated, and depends on
whether client or server are 2.3 or 2.4.

If the clients are 2.3, pushing ciphers does not work, because the client
does not support it.

If the clients are 2.4, and the server is 2.3, you can do that.

If the clients *and* server are 2.4, which I assume as 2.3 doesn't do
AES-GCM at all :-) - then you can just leave out push *and* client config,
because 2.4<->2.4 will negotiate - and AES-256-GCM is what they will
choose anyway.

> Same question for the auth SHA512 line which is in both the server and
> client configuration files, if I add push "auth SHA512" can I remove
> the auth SHA512 line from the client?

If you use GCM, the "auth" line is only used for tls-auth - and if you
use tls-auth (or tls-crypt), this needs to be correct before a connection
can be established at all.  So, not pushable.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
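
The rules in the reply above, applied as a small config check. This is an added example, not part of the original e-mail and not OpenVPN code. The names `parse_conf`, `auth_of`, `review` and the note strings are hypothetical, the sample configs are constructed, only the 2.3/2.4 split and the `tls-auth` case are modelled, and a missing `auth` line is assumed to mean OpenVPN's default of SHA1.

```python
import shlex

def parse_conf(text):
    """Return (local options, pushed options) from OpenVPN config text."""
    local, pushed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # '#' and ';' both start comments
            continue
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "push" and len(tok) > 1:    # push "cipher AES-256-GCM"
            inner = tok[1].split()
            if inner:
                pushed[inner[0]] = inner[1:]
        else:
            local[tok[0]] = tok[1:]
    return local, pushed

def auth_of(opts):
    # Assumption: with no auth line, OpenVPN falls back to SHA1.
    return (opts.get("auth") or ["SHA1"])[0].upper()

def review(server_text, client_text, server_ver, client_ver):
    """Versions are (major, minor) tuples; only the 2.3/2.4 split is modelled."""
    s_local, s_push = parse_conf(server_text)
    c_local, _ = parse_conf(client_text)
    notes = []
    if client_ver < (2, 4):
        if "cipher" in s_push:                   # 2.3 clients do not accept it
            notes.append("pushed-cipher-ignored-by-2.3-client")
    elif server_ver >= (2, 4):                   # 2.4 <-> 2.4 negotiates
        if "cipher" in s_push or "cipher" in c_local:
            notes.append("cipher-negotiated-extra-lines-redundant")
    elif "cipher" in s_push and "cipher" in c_local:
        notes.append("client-cipher-line-removable")
    if "tls-auth" in s_local or "tls-auth" in c_local:
        if auth_of(s_local) != auth_of(c_local): # must match before any push
            notes.append("auth-mismatch-breaks-tls-auth")
        if "auth" in s_push:
            notes.append("pushed-auth-arrives-too-late")
    return notes

# Constructed sample: the client after removing both lines asked about.
SERVER = ('cipher AES-256-GCM\npush "cipher AES-256-GCM"\n'
          'auth SHA512\npush "auth SHA512"\ntls-auth ta.key 0\n')
CLIENT = "# cipher and auth lines removed\ntls-auth ta.key 1\n"

if __name__ == "__main__":
    for note in review(SERVER, CLIENT, (2, 4), (2, 4)):
        print(note)
```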