channel.
Improved Data channel cipher negotiation
+ The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
+ The old name is still accepted. The change in name signals that
+ ``data-ciphers`` is the preferred way to configure data channel
+ ciphers and the data prefix is chosen to avoid the ambiguity that
+ exists with ``--cipher`` for the data cipher and ``tls-cipher``
+ for the TLS ciphers.
+
OpenVPN clients will now signal all supported ciphers from the
- ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
- servers will select the first common cipher from the ``ncp-ciphers``
+ ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
+ servers will select the first common cipher from the ``data-ciphers``
list instead of blindly pushing the first cipher of the list. This
allows to use a configuration like
- ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
+ ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
prefers ChaCha20-Poly1305 but uses it only if the client supports it.
Asynchronous (deferred) authentication support for auth-pam plugin.
The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
Block Chaining mode. When cipher negotiation (NCP) is allowed,
OpenVPN 2.4 and newer on both client and server side will automatically
- upgrade to :code:`AES-256-GCM`. See ``--ncp-ciphers`` and
+ upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and
``--ncp-disable`` for more details on NCP.
Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
non-standard key lengths, and a larger key may offer no real guarantee
of greater security, or may even reduce security.
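Review bot: the unchanged sentence right after the renamed line, "because of its 64-bit non-standard key lengths", misstates the weakness of :code:`BF-CBC`: 64 bits is the Blowfish block size, which is what makes it unsafe for long-lived sessions carrying large amounts of traffic, and the key-length remark is a separate point. Since this paragraph is being touched anyway, suggest rewording to "because of its 64-bit block size" and putting the "larger key may offer no real guarantee" remark in its own sentence, so the manpage gives operators the correct reason to move off the default.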
---ncp-ciphers cipher-list
+--data-ciphers cipher-list
Restrict the allowed ciphers to be negotiated to the ciphers in
``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
and defaults to :code:`AES-256-GCM:AES-128-GCM`.
Additionally, to allow for more smooth transition, if NCP is enabled,
OpenVPN will inherit the cipher of the peer if that cipher is different
from the local ``--cipher`` setting, but the peer cipher is one of the
- ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3,
+ ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3,
or with --ncp-disabled set) connecting to a NCP server (v2.4+) with
- ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can
+ ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can
either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both
will work.
This list is restricted to be 127 chars long after conversion to OpenVPN
ciphers.
+ This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed
+ to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.
+
--ncp-disable
Disable "Negotiable Crypto Parameters". This completely disables cipher
negotiation.
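Review bot: the added note "This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed to ``data-ciphers`` in OpenVPN 2.5" should also say that the old spelling is still accepted, as the Changes entry states and as the options.c parser in this patch does; otherwise a reader of the manpage may conclude that existing 2.4 configurations break on upgrade. The heading line "+--data-ciphers cipher-list" drops the old name entirely, so a short alias mention there would also help people searching the manpage for ncp-ciphers.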
*AES-GCM-128* and *AES-GCM-256*.
:code:`IV_CIPHERS=<ncp-ciphers>`
- The client pushes the list of configured ciphers with the
- ``--ciphers`` option to the server.
+ The client announces the list of supported ciphers configured with the
+ ``--data-ciphers`` option to the server.
:code:`IV_GUI_VER=<gui_id> <version>`
The UI version of a UI if one is running, for example
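Review bot: the heading ":code:`IV_CIPHERS=<ncp-ciphers>`" is left with the old placeholder name while the rewritten description below it now refers to ``--data-ciphers``; rename the placeholder to ``<data-ciphers>`` so the heading and the text agree.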
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
+# See also the data-ciphers option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link.
else
{
/*
- * Push the first cipher from --ncp-ciphers to the client that
+ * Push the first cipher from --data-ciphers to the client that
* the client announces to be supporting.
*/
char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername,
{
msg(M_INFO, "PUSH: No common cipher between server and "
"client. Expect this connection not to work. Server "
- "ncp-ciphers: '%s', client supported ciphers '%s'",
+ "data-ciphers: '%s', client supported ciphers '%s'",
o->ncp_ciphers, peer_ciphers);
}
else
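Review bot: the message "PUSH: No common cipher between server and client. Expect this connection not to work." is emitted at M_INFO although it describes a connection that is going to fail; consider M_WARN so the condition shows up at default verbosity when an operator is diagnosing a client that cannot connect after the option rename. The field ``o->ncp_ciphers`` keeps the old internal name while the user-facing text now says data-ciphers, which is acceptable for an internal identifier but worth a one-line comment so the mismatch does not look like a missed rename.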
"--cipher alg : Encrypt packets with cipher algorithm alg\n"
" (default=%s).\n"
" Set alg=none to disable encryption.\n"
- "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
+ "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
"--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
options->ciphername = p[1];
}
- else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
+ else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
+ && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
options->ncp_ciphers = p[1];
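Review bot: both spellings now silently land in ``options->ncp_ciphers`` with no feedback to the user; since the Changes entry says the old name is "still accepted", suggest logging a deprecation notice (for example ``msg(M_WARN, ...)``) when ``ncp-ciphers`` is the matched token, so configurations can be migrated before the alias is eventually removed. Also note that this branch checks ``VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE)`` while the ``--cipher`` branch directly above uses ``OPT_P_NCP|OPT_P_INSTANCE``; please confirm that difference is intentional, as it decides whether the option may be pushed to clients.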
const cipher_kt_t *ktc = cipher_kt_get(token);
if (!ktc)
{
- msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
+ msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
error_found = true;
}
else
if (!(buf_forward_capacity(&new_list) >
strlen(ovpn_cipher_name) + 2))
{
- msg(M_WARN, "Length of --ncp-ciphers is over the "
+ msg(M_WARN, "Length of --data-ciphers is over the "
"limit of 127 chars");
error_found = true;
}