Browse code
Improve sections about older OpenVPN clients in cipher-negotiation.rst
- Explain the IV_NCP=2 client situation in 2.4 a bit better.
- Make more clear what exact versions are meant in the old client section
- add a missing - in a heading
Thanks to Richard Bohnhomme for initial proof reading.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200812085412.19178-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe authored on 2020/08/12 17:54:12Showing 1 changed files
| ... | ... |
@@ -22,14 +22,18 @@ it is automatically added to this list. If both options are unset the default is |
| 22 | 22 |
|
| 23 | 23 |
OpenVPN 2.4 clients |
| 24 | 24 |
------------------- |
| 25 |
-The negotiation support in OpenVPN 2.4 was a first implementation and still had some |
|
| 26 |
-quirks. Its main goal was "upgrade to AES-256-GCM when possible". |
|
| 25 |
+The negotiation support in OpenVPN 2.4 was the first iteration of the implementation |
|
| 26 |
+and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". |
|
| 27 | 27 |
An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM |
| 28 | 28 |
mode and does not have ``--ncp-disable`` will always announce support for |
| 29 |
-`AES-256-GCM` and `AES-128-GCM` even if the ``--ncp-ciphers`` option does not include |
|
| 30 |
-those two ciphers. It is therefore recommended to add `AES-256-GCM` and `AES-128-GCM` |
|
| 31 |
-to the ``--ncp-ciphers`` options to workaround this bug. |
|
| 29 |
+`AES-256-GCM` and `AES-128-GCM` to a server by sending :code:`IV_NCP=2`. |
|
| 32 | 30 |
|
| 31 |
+This only causes a problem if ``--ncp-ciphers`` option has been changed from the |
|
| 32 |
+default of :code:`AES-256-GCM:AES-128-GCM` to a value that does not include |
|
| 33 |
+these two ciphers. When a OpenVPN servers try to use `AES-256-GCM` or |
|
| 34 |
+`AES-128-GCM` the connection will then fail. It is therefore recommended to |
|
| 35 |
+always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the ``--ncp-ciphers`` |
|
| 36 |
+options to avoid this behaviour. |
|
| 33 | 37 |
|
| 34 | 38 |
OpenVPN 3 clients |
| 35 | 39 |
----------------- |
| ... | ... |
@@ -42,7 +46,7 @@ To support OpenVPN 3.x based clients at least one of these ciphers needs to be |
| 42 | 42 |
included in the server's ``--data-ciphers`` option. |
| 43 | 43 |
|
| 44 | 44 |
|
| 45 |
-OpenVPN 2.3 clients and older (and clients with ``--ncp-disable``) |
|
| 45 |
+OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) |
|
| 46 | 46 |
------------------------------------------------------------------ |
| 47 | 47 |
When a client without cipher negotiation support connects to a server the |
| 48 | 48 |
cipher specified with the ``--cipher`` option in the client configuration |
| ... | ... |
@@ -50,10 +54,10 @@ must be included in the ``--data-ciphers`` option of the server to allow |
| 50 | 50 |
the client to connect. Otherwise the client will be sent the ``AUTH_FAILED`` |
| 51 | 51 |
message that indicates no shared cipher. |
| 52 | 52 |
|
| 53 |
-If the client has been configured with the ``--enable-small`` |
|
| 54 |
-:code:``./configure`` argument, using ``data-ciphers-fallback cipher`` |
|
| 55 |
-in the server config file with the explicit cipher used by the client |
|
| 56 |
-is necessary. |
|
| 53 |
+If the client is 2.3 or older and has been configured with the |
|
| 54 |
+``--enable-small`` :code:`./configure` argument, using |
|
| 55 |
+``data-ciphers-fallback cipher`` in the server config file with the explicit |
|
| 56 |
+cipher used by the client is necessary. |
|
| 57 | 57 |
|
| 58 | 58 |
OpenVPN 2.4 server |
| 59 | 59 |
------------------ |
| ... | ... |
@@ -66,18 +70,18 @@ adding `AES-128-GCM` and `AES-256-GCM` to the client's ``--data-ciphers`` |
| 66 | 66 |
option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if |
| 67 | 67 |
those ciphers are present. |
| 68 | 68 |
|
| 69 |
-OpenVPN 2.3 and older servers (and servers with ``-ncp-disable``) |
|
| 69 |
+OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) |
|
| 70 |
+------------------------------------------------------------------ |
|
| 70 | 71 |
The cipher used by the server must be included in ``--data-ciphers`` to |
| 71 | 72 |
allow the client connecting to a server without cipher negotiation |
| 72 | 73 |
support. |
| 73 | 74 |
(For compatibility OpenVPN 2.5 will also accept the cipher set with |
| 74 | 75 |
``--cipher``) |
| 75 | 76 |
|
| 76 |
-If the server has been configured with the ``--enable-small`` |
|
| 77 |
-:code:``./configure` argument, adding ``data-ciphers-fallback cipher`` |
|
| 78 |
-to the client config with the explicit cipher used by the server |
|
| 79 |
-is necessary. |
|
| 77 |
+If the server is 2.3 or older and has been configured with the |
|
| 78 |
+``--enable-small`` :code:`./configure` argument, adding |
|
| 79 |
+``data-ciphers-fallback cipher`` to the client config with the explicit |
|
| 80 |
+cipher used by the server is necessary. |
|
| 80 | 81 |
|
| 81 | 82 |
Blowfish in CBC mode (BF-CBC) deprecation |
| 82 | 83 |
------------------------------------------ |