Hi,

On Thu, Oct 29, 2020 at 03:10:30PM +0100, Ralf Hildebrandt wrote:
> on the server side log -- for all my clients. The server config (2.5.0) says:
>
> cipher AES-256-GCM
> data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
> auth SHA256
>
> and the client config says:
>
> cipher AES-256-CBC
> auth SHA256

Ah. Now I see the problem - the server-configured data-channel cipher+HMAC is GCM (+none), while the client-configured cipher is CBC + SHA256.

So at the early stages of "is my config matching what the other side has?" it correctly complains about "I am conf'ed with SHA256 while the other side is conf'ed with [null-digest]".

*After that*, cipher negotiation kicks in, and the server pushes GCM to the client - after that it's consistent (and secure).

You should be able to get rid of that by setting "cipher AES-256-CBC" in the server config. Given the way 2.5 does cipher negotiation, it will not actually change anything (*), except get rid of the warning.

(*) if a client with NCP connects, it will get the best match between data-ciphers and what the client announces. If a client without NCP connects, the server will use "whatever the client has configured, if it's permitted". What is configured for --cipher on the server does not have a real effect anymore, unless you turn off NCP on the server.

Now, this is still not satisfying, twiddling a config statement "that does not have a real effect" just to get rid of a (silly) warning...

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
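The negotiation behaviour Gert describes above, written up as a small model (added example, not OpenVPN's own code): the early config-consistency check that produces the warning, and the 2.5 data-channel cipher selection for NCP and non-NCP clients. Assumptions: the "best match" is the first entry of the server's data-ciphers list that the client also offers, and AEAD ciphers (GCM, CHACHA20-POLY1305) carry no separate HMAC, so "auth" is effectively [null-digest] for them.

```python
# Model of OpenVPN 2.5 cipher handling as described in the mail above.
# This is an added illustration, not OpenVPN source; the selection order
# (server preference, first common entry) is an assumption.

def is_aead(cipher):
    """AEAD ciphers carry no separate HMAC (assumption: GCM and ChaCha20-Poly1305)."""
    c = cipher.upper()
    return c.endswith("-GCM") or c == "CHACHA20-POLY1305"

def effective_auth(cipher, auth):
    """The data-channel digest actually in effect for a configured cipher."""
    return "[null-digest]" if is_aead(cipher) else auth.upper()

def config_warning(server_cipher, server_auth, client_cipher, client_auth):
    """Early 'does my config match the peer' check, run before negotiation.
    Returns the warning text, or None when both sides agree."""
    local = (server_cipher.upper(), effective_auth(server_cipher, server_auth))
    remote = (client_cipher.upper(), effective_auth(client_cipher, client_auth))
    if local == remote:
        return None
    return (f"WARNING: local cipher/auth {local[0]}/{local[1]} "
            f"vs remote {remote[0]}/{remote[1]}")

def negotiate(server_data_ciphers, client_announced=None, client_cipher=None):
    """Pick the data-channel cipher the server will push.
    client_announced: colon-separated list an NCP-capable client offers.
    client_cipher:    the --cipher of a client without NCP support.
    Returns None when no permitted cipher exists (connection would fail)."""
    allowed = [c.upper() for c in server_data_ciphers.split(":")]
    if client_announced is not None:
        offered = {c.upper() for c in client_announced.split(":")}
        # Server preference order: first allowed cipher the client also offers.
        return next((c for c in allowed if c in offered), None)
    if client_cipher is not None and client_cipher.upper() in allowed:
        # Non-NCP client: use what it configured, if data-ciphers permits it.
        return client_cipher.upper()
    return None

if __name__ == "__main__":
    # Constructed from the configs quoted in the thread.
    srv = "AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC"
    print(config_warning("AES-256-GCM", "SHA256", "AES-256-CBC", "SHA256"))
    print(config_warning("AES-256-CBC", "SHA256", "AES-256-CBC", "SHA256"))
    print(negotiate(srv, client_announced="AES-256-CBC:AES-256-GCM"))
    print(negotiate(srv, client_cipher="AES-256-CBC"))
```

The second `config_warning` call is the server after the suggested change (`cipher AES-256-CBC`): the warning disappears, while `negotiate` still pushes AES-256-GCM to an NCP client because `data-ciphers`, not `cipher`, decides the outcome.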