Hi,

On Tue, Jun 18, 2024 at 12:52:58PM +0200, Eike Lohmann wrote:
> on a flavor we have
> 
> - clients with comp-lzo in their local config and we have no access to these
> clients. (can't change it)
> 
> - very old clients below 2.3 (no peer info)

These really should be upgraded to 2.4+

> - also "modern" clients of all versions 2.3.2 - 3.8.5

2.3.x is not "modern" by any definition of modern...

> Our minimum Cipher is AES-256-CBC as fallback, since when has AES-256-CBC been
> supported by openvpn? It could reveal the minimum client version.

CBC might work with those ancient versions, but the client will not
signal what it supports - and I think 2.3.x might not accept pushed
ciphers anyway.  Versions before 2.3.0 will definitely not support
pushed ciphers - and if you touch them to add "cipher AES-256-CBC",
upgrading is a better strategy.

> --allow-compression asym
> 
> can be set, but clients will still compress. Clients without it can't connect.

Yep.  This is basically not configuring compression, but allowing other
compression options (2.6 will refuse configs with "compress <anything>" by
default).  "asym" will allow compression options, to accept incoming
compressed packets, but still not use it for outgoing packets.

This is not what you want :-)

> --compress migrate
> 
> clients > 2.3 get pushed "stub-v2" all other "comp-lzo no".
> 
> What happens to clients which do not support it? e.g. 2.2.x

As far as I remember, "comp-lzo no" has always been there.

> This parameter is not documented in the reference manual; it is still
> supported in 2.6, but for how long will it be supported?

Which one?  "compress migrate"?  That is brand new and has only been
introduced into 2.6 :-) - so this will stay for a long time.

"comp-lzo no" might go away, but for 2.6+ clients, it's not needed anyway.

> What could be the best way to operate it with a little attack surface
> (VORACLE) but remaining compatibility for old clients?

"--compress migrate" on the server was made specifically for this.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
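As an added example (not part of the thread, and not code from the OpenVPN project): a small POSIX sh/awk audit that reads a server config and reports what the thread is arguing about, namely whether the server still compresses data ("comp-lzo", "compress lzo/lz4/lz4-v2", or the same thing pushed to clients), has been switched to "compress migrate", or only carries the compression framing ("comp-lzo no", "compress stub-v2"), together with the allow-compression mode, flagging "asym" because it still accepts compressed packets from clients. The function names are my own, the three sample configs are constructed for the demo, and the directive semantics assumed here (bare "comp-lzo" means adaptive, bare "compress" means stub framing) should be checked against the man page of the OpenVPN version you run.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project: audit an OpenVPN
# server config for compression directives before moving it to "compress migrate".
# Needs only POSIX sh and awk.

# Print one word describing the server-side compression state of FILE:
#   compressing  comp-lzo [yes|adaptive] or compress lzo|lz4|lz4-v2, directly or
#                pushed: data is compressed, the VORACLE-style oracle is still there
#   migrate      compress migrate: server pushes stub-v2 / "comp-lzo no" per client
#   stub         framing only (compress, compress stub[-v2], comp-lzo no)
#   none         no compression directive at all
# Assumption: bare "comp-lzo" = adaptive, bare "compress" = stub (per man page).
# push "..." lines are unwrapped and judged the same way, since they decide
# what the client sends back.
classify_compression() {
    awk '
    {
        line = $0
        sub(/^[ \t]*[#;].*/, "", line)   # whole-line comments
        sub(/[ \t]+#.*/, "", line)       # trailing comments (tolerated here)
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line ~ /^push[ \t]+"/) {     # unwrap push "directive args"
            sub(/^push[ \t]+"/, "", line)
            sub(/"$/, "", line)
        }
        n = split(line, f, /[ \t]+/)
        if (n == 0 || f[1] == "") next
        if (f[1] == "comp-lzo") {
            if (n == 1 || f[2] == "yes" || f[2] == "adaptive") compressing = 1
            else if (f[2] == "no") stub = 1
        } else if (f[1] == "compress") {
            if (n == 1 || f[2] == "stub" || f[2] == "stub-v2") stub = 1
            else if (f[2] == "migrate") migrate = 1
            else if (f[2] == "lzo" || f[2] == "lz4" || f[2] == "lz4-v2") compressing = 1
        }
    }
    END {
        if (compressing) print "compressing"
        else if (migrate) print "migrate"
        else if (stub) print "stub"
        else print "none"
    }' "$1"
}

# Print the value of allow-compression (no|asym|yes) in FILE, or "unset".
allow_compression_mode() {
    awk '
    {
        line = $0
        sub(/^[ \t]*[#;].*/, "", line); sub(/[ \t]+#.*/, "", line)
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n >= 2 && f[1] == "allow-compression") mode = f[2]
    }
    END { out = (mode == "") ? "unset" : mode; print out }' "$1"
}

# One-line verdict for FILE; returns 0 when the server no longer compresses
# outgoing data, 1 when it still does.
audit_server_conf() {
    cls=$(classify_compression "$1")
    mode=$(allow_compression_mode "$1")
    printf '%s: compression=%s allow-compression=%s\n' "$1" "$cls" "$mode"
    case "$mode" in
        asym) printf '  note: asym still accepts compressed packets from clients\n' ;;
    esac
    [ "$cls" != compressing ]
}

# Constructed sample configs (demo data, not real servers) written into DIR.
write_samples() {
    cat > "$1/legacy.conf" <<'EOF'
port 1194
proto udp
dev tun
cipher AES-256-CBC
# old setup: server compresses and tells clients to do the same
comp-lzo
push "comp-lzo yes"
EOF
    cat > "$1/asym.conf" <<'EOF'
port 1194
dev tun
allow-compression asym
compress stub-v2
EOF
    cat > "$1/migrate.conf" <<'EOF'
port 1194
dev tun
; retiring compression: server pushes stub-v2 or "comp-lzo no" depending on client
compress migrate
EOF
}

# Stand-alone demo over the three samples.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for conf in "$sample_dir"/*.conf; do
    audit_server_conf "$conf" || true
done
rm -rf "$sample_dir"
```

Run it against a real server.conf with "audit_server_conf /etc/openvpn/server.conf"; a non-zero exit means the server itself is still compressing, which no allow-compression setting fixes on its own.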
