Discussion:
Default behaviour of ncp-ciphers on the server
(too old to reply)
SaAtomic
2017-06-30 05:27:14 UTC
Permalink
Raw Message
Hello!

I have a question regarding the default behaviour of the ncp-ciphers option on the server.
In the example, both client and server use OpenVPN 2.4.0.

If the server does not explicitly define the `ncp-ciphers` option in the configuration, just `cipher AES-128-CBC`, I assume the default of the `ncp-ciphers` is enabled (AES-256-GCM:AES-128-GCM), right?

The client has the option `cipher AES-128-CBC` defined, but also uses `ncp-disable`. This connection should work fine, as both ciphers match.

If the client changes the cipher to `cipher AES-256-GCM`(or AES-128-GCM), but keeps the `ncp-disable` in its configuration and then reconnects to the same server,
would the connection succeed, due to the server having the cipher in the `ncp-ciphers` default list, or would it fail due to a cipher mismatch?

Thank you for the help,
kind regards,
SaAtomic
Gert Doering
2017-06-30 05:42:38 UTC
Permalink
Raw Message
Hi,
Post by SaAtomic
If the server does not explicitly define the `ncp-ciphers` option in the configuration, just `cipher AES-128-CBC`, I assume the default of the `ncp-ciphers` is enabled (AES-256-GCM:AES-128-GCM), right?
Right.
Post by SaAtomic
The client has the option `cipher AES-128-CBC` defined, but also uses `ncp-disable`. This connection should work fine, as both ciphers match.
Right.
Post by SaAtomic
If the client changes the cipher to `cipher AES-256-GCM`(or AES-128-GCM), but keeps the `ncp-disable` in its configuration and then reconnects to the same server,
would the connection succeed, due to the server having the cipher in the `ncp-ciphers` default list, or would it fail due to a cipher mismatch?
If the *server* has the cipher in its list, this should cause the same
behaviour as if a 2.3 client (that does not have NCP) connects to the
2.4 server, using --cipher <something> --> if it's in the server's
allowed cipher list, the server will use that. So, for AES-256-GCM,
they should be all fine.

Now, if you try "--cipher BF", it will not work, as that is not in the
server's allowed cipher list (unless you put it there).

(As a side note: please upgrade to 2.4.3)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Loading...