Newer OpenVPN 3 core versions now allow limited configuration of ciphers:
// Allow usage of legacy (cipher) algorithm that are no longer
// considered safe
// This includes BF-CBC, single DES and RC2 private key encryption.
// With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
// provider.
bool enableLegacyAlgorithms = false;
// By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core
// 3.7) will only allow
// preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work
// with the newer DCO
// implementations. If this is enabled, we fall back to allowing all
// algorithms (if these are
// supported by the crypto library)
bool enableNonPreferredDCAlgorithms = false;
Adjust the man page section accordingly but only really mention the AEAD
ciphers to be always present and that they should be included in the
data-ciphers option.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20230210142712.572303-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
OpenVPN 3 clients
-----------------
Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/)
-do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Instead
-these clients will announce support for all their supported AEAD ciphers
+do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer
+versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers.
+These clients will always announce support for all their supported AEAD ciphers
(`AES-256-GCM`, `AES-128-GCM` and in newer versions also `Chacha20-Poly1305`).
To support OpenVPN 3.x based clients at least one of these ciphers needs to be
projects / thirdparty / openvpn.git / commitdiff
