OpenVPN 2.4 clients
-------------------
-The negotiation support in OpenVPN 2.4 was a first implementation and still had some
-quirks. Its main goal was "upgrade to AES-256-GCM when possible".
+The negotiation support in OpenVPN 2.4 was the first iteration of the implementation
+and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible".
An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM
mode and does not have ``--ncp-disable`` will always announce support for
-`AES-256-GCM` and `AES-128-GCM` even if the ``--ncp-ciphers`` option does not include
-those two ciphers. It is therefore recommended to add `AES-256-GCM` and `AES-128-GCM`
-to the ``--ncp-ciphers`` options to workaround this bug.
+`AES-256-GCM` and `AES-128-GCM` to a server by sending :code:`IV_NCP=2`.
+This only causes a problem if ``--ncp-ciphers`` option has been changed from the
+default of :code:`AES-256-GCM:AES-128-GCM` to a value that does not include
+these two ciphers. When a OpenVPN servers try to use `AES-256-GCM` or
+`AES-128-GCM` the connection will then fail. It is therefore recommended to
+always have the `AES-256-GCM` and `AES-128-GCM` ciphers to the ``--ncp-ciphers``
+options to avoid this behaviour.
OpenVPN 3 clients
-----------------
included in the server's ``--data-ciphers`` option.
-OpenVPN 2.3 clients and older (and clients with ``--ncp-disable``)
+OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``)
------------------------------------------------------------------
When a client without cipher negotiation support connects to a server the
cipher specified with the ``--cipher`` option in the client configuration
the client to connect. Otherwise the client will be sent the ``AUTH_FAILED``
message that indicates no shared cipher.
-If the client has been configured with the ``--enable-small``
-:code:``./configure`` argument, using ``data-ciphers-fallback cipher``
-in the server config file with the explicit cipher used by the client
-is necessary.
+If the client is 2.3 or older and has been configured with the
+``--enable-small`` :code:`./configure` argument, using
+``data-ciphers-fallback cipher`` in the server config file with the explicit
+cipher used by the client is necessary.
OpenVPN 2.4 server
------------------
option is required. OpenVPN 2.5+ will only announce the ``IV_NCP=2`` flag if
those ciphers are present.
-OpenVPN 2.3 and older servers (and servers with ``-ncp-disable``)
------------------------------------------------------------------
+OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``)
+------------------------------------------------------------------
The cipher used by the server must be included in ``--data-ciphers`` to
allow the client connecting to a server without cipher negotiation
support.
(For compatibility OpenVPN 2.5 will also accept the cipher set with
``--cipher``)
-If the server has been configured with the ``--enable-small``
-:code:``./configure` argument, adding ``data-ciphers-fallback cipher``
-to the client config with the explicit cipher used by the server
-is necessary.
+If the server is 2.3 or older and has been configured with the
+``--enable-small`` :code:`./configure` argument, adding
+``data-ciphers-fallback cipher`` to the client config with the explicit
+cipher used by the server is necessary.
Blowfish in CBC mode (BF-CBC) deprecation
------------------------------------------
projects / thirdparty / openvpn.git / commitdiff
