On 19/06/2023 14:45, Gert Doering wrote:
> Hi,
>
> On Mon, Jun 19, 2023 at 02:26:01PM +0200, Giulio wrote:
>> I found this difference in the service script and I was wondering
>> whether I should use it "as is" or maybe rebuild the RPM w/o that patch
>> in order to let openvpn use its default crypto settings.
>
> I think this should go.  It's likely a leftover from the dawn of times
> (like, 2.4 era).
>
> 2.6 will not advertise or use BF-CBC by itself, defaulting to the
> AES-GCM + CHACHA (if available) ciphers, negotiating between client
> and server what is available.
>
> As in: with 2.5 and 2.6, --cipher and --data-ciphers usually should not
> be touched, except if needed to be compatible with pre-2.4 clients that
> default to BF-CBC and can not negotiate something else.


So the history of this hack is related to changing the default ciphers in Fedora 27 and newer: <https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN>

A slight change was added recently as it broke the very newest Fedora releases and RHEL-9, and it was a simple fix to unbreak things. But somewhere far down on my todo list is an item to dig into if this is really needed with OpenVPN 2.6. I just haven't had enough to improve this.

But I'm open to apply patches and pay attention to related discussions. As long as we're sure we don't break existing setups, I'm fine to also remove this for Fedora 38+ and RHEL 9+ (which are the distros shipping 2.6 through mainline Fedora repos). Fedora Copr repo for OpenVPN 2.6 will be kept in sync as well.


--
kind regards,

David Sommerseth
OpenVPN Inc
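An added example, not code from this thread, from the Fedora package or from OpenVPN itself: a small POSIX shell check that tells you whether a systemd unit's ExecStart= line pins cipher options (--cipher, --data-ciphers, or its older spelling --ncp-ciphers) that would override the negotiation defaults of OpenVPN 2.5/2.6 described above. The two unit files it inspects are constructed for the demo and are not the real Fedora units; the path layout (openvpn-server@.service) is an assumption.

```shell
#!/bin/sh
# Added example: find cipher options hard-coded into a systemd unit's
# ExecStart= line. Such options override OpenVPN 2.5/2.6's own defaults
# (AES-GCM / CHACHA20-POLY1305 with client/server negotiation), so an
# admin auditing a packaged service script wants to know they are there.
set -eu

# Print each --cipher / --data-ciphers / --ncp-ciphers option found on an
# ExecStart= line of the unit file given as $1, together with its value,
# one "option value" pair per line. --ncp-ciphers is the pre-2.5 name of
# --data-ciphers, so it is reported as well.
hardcoded_cipher_flags() {
    grep '^ExecStart=' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "--cipher" || $i == "--data-ciphers" || $i == "--ncp-ciphers")
                print $i, $(i + 1)
    }'
}

# Exit status 0 if the unit pins any cipher option, 1 if it leaves the
# choice to OpenVPN (the recommended state for 2.5/2.6 unless pre-2.4
# clients that only speak BF-CBC must still be served).
unit_pins_ciphers() {
    [ -n "$(hardcoded_cipher_flags "$1")" ]
}

# Constructed demo units (NOT the real Fedora/RHEL unit files).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
PINNED_UNIT="$DEMO_DIR/openvpn-server@.service"        # pins BF-CBC
CLEAN_UNIT="$DEMO_DIR/openvpn-server@clean.service"    # no cipher options

cat > "$PINNED_UNIT" <<'EOF'
[Unit]
Description=OpenVPN service for %I (constructed demo, legacy cipher pinned)

[Service]
Type=notify
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --suppress-timestamps --cipher BF-CBC --config %i.conf
EOF

cat > "$CLEAN_UNIT" <<'EOF'
[Unit]
Description=OpenVPN service for %I (constructed demo, defaults untouched)

[Service]
Type=notify
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --suppress-timestamps --config %i.conf
EOF

# Report what each unit does; in a real audit, point this at
# /usr/lib/systemd/system/openvpn-server@.service and any drop-ins.
for unit in "$PINNED_UNIT" "$CLEAN_UNIT"; do
    if unit_pins_ciphers "$unit"; then
        printf '%s: pins %s\n' "$unit" "$(hardcoded_cipher_flags "$unit" | tr '\n' ';')"
    else
        printf '%s: no cipher options pinned, OpenVPN defaults apply\n' "$unit"
    fi
done
```

If the check reports a pinned --cipher on a 2.5/2.6 install, the question to answer before removing it is the one Gert raises: whether any pre-2.4 clients that cannot negotiate still connect to that server.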
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users