From: David S. <op...@sf...> - 2021-03-04 21:55:35

On 07/09/2020 18:18, Arne Schwabe wrote:
> OpenVPN will ignore --cipher in lieu of the replacement data-ciphers
> for cipher negotiation.
>
> Signed-off-by: Arne Schwabe <ar...@rf...>
> ---
>  doc/man-sections/protocol-options.rst |  6 ++++--
>  src/openvpn/options.c                 | 26 ++++----------------------
>  2 files changed, 8 insertions(+), 24 deletions(-)

I'm not at all convinced about this one. Because this essentially touches the same arguments we had a discussion about on --udp-mtu.

Removing an outdated alias was too much hassle for no gain, despite being an alias not seen in use for ages (it was deprecated before the v1.5 release, and no configs or bug reports turn up in various google/bing/yahoo/ddg searches using --udp-mtu). Dropping this outdated option would with high probability *not* break any configuration in the wild. However, one of the arguments raised for keeping it as is was that it *could* break a configuration in the wild. The behaviour between --udp-mtu and --link-mtu is identical.

This change on --ciphers adds this warning if --cipher is used in 2.6+:

> +········msg(M_WARN,·"Note:·--cipher·set·to·'%s'·but·missing·in"
> +············"·--data-ciphers·(%s).·OpenVPN·2.6+·ignores·--cipher·for·"
> +············"cipher·negiotiation.",

Ignoring --cipher in a future release will have quite a higher probability of breaking existing configurations.

Now, this is set in the context of --data-ciphers, which is very different code-wise. But the code for --ciphers is essentially the same as --data-ciphers-fallback. I am therefore of the opinion, based on the prior --udp-mtu discussion, that --ciphers should be an alias to --data-ciphers-fallback.

In addition, since adding a warning about using the deprecated --udp-mtu option and putting up a plan for removing it was also considered too much, I don't see why that argument would be much different with --ciphers.

-- 
kind regards,

David Sommerseth
OpenVPN Inc
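Review bot: the user-visible warning text in the quoted msg(M_WARN, ...) lines misspells "negotiation" as "negiotiation" (third quoted line, "cipher·negiotiation."); since operators will grep logs for this exact string when migrating configs to 2.6, the spelling should be corrected before the patch is merged.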
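The condition the quoted warning checks (--cipher set but absent from --data-ciphers) and the alias semantics David proposes (--cipher standing in for --data-ciphers-fallback) are easy to mis-read when auditing a fleet of client configs ahead of a 2.6 upgrade. The following added example, which is not OpenVPN's code nor part of this thread, is a small Python linter that parses OpenVPN config-file syntax, reports the same mismatch the patch warns about, and computes the fallback cipher under the proposed alias rule. The sample configs, the hostname vpn.example.invalid, and the function names are constructed for illustration.

```python
"""Lint OpenVPN client configs for --cipher / --data-ciphers mismatches.

Added example (not OpenVPN's own code). It reproduces the condition the
quoted M_WARN checks and models the alias proposal from the thread; it
does not claim to match OpenVPN's full option-parsing behaviour.
"""
from typing import Dict, List, Optional

# Constructed sample configs; none of these are taken from the thread.
CONFIG_CIPHER_ONLY = """\
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
"""

CONFIG_MISMATCH = """\
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM
"""

CONFIG_MIGRATED = """\
client
dev tun
remote vpn.example.invalid 1194
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
"""


def parse_options(text: str) -> Dict[str, List[str]]:
    """Parse config-file syntax: one option per line, lines starting with
    '#' or ';' are comments. A leading '--' is stripped so the command-line
    spelling and the file spelling map to the same key. A repeated option
    overwrites the earlier value (simplification for this example)."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts


def _first(opts: Dict[str, List[str]], name: str) -> Optional[str]:
    """First argument of an option, or None if absent or argument-less."""
    args = opts.get(name)
    return args[0] if args else None


def check_cipher_migration(text: str) -> Dict[str, object]:
    """Report configs whose --cipher will no longer steer negotiation in 2.6+."""
    opts = parse_options(text)
    cipher = _first(opts, "cipher")
    dc = _first(opts, "data-ciphers")
    data_ciphers = dc.split(":") if dc else []
    fallback = _first(opts, "data-ciphers-fallback")
    findings: List[str] = []
    if cipher and data_ciphers and cipher not in data_ciphers:
        # Same condition as the quoted M_WARN in the patch.
        findings.append(
            f"--cipher set to '{cipher}' but missing in --data-ciphers "
            f"({':'.join(data_ciphers)}); OpenVPN 2.6+ ignores --cipher "
            "for cipher negotiation"
        )
    elif cipher and not data_ciphers:
        findings.append(
            f"only --cipher '{cipher}' is set; in 2.6+ it no longer selects "
            "the negotiated data-channel cipher. Add it to --data-ciphers and "
            "set --data-ciphers-fallback for peers that cannot negotiate"
        )
    return {"cipher": cipher, "data_ciphers": data_ciphers,
            "fallback": fallback, "findings": findings}


def effective_fallback(opts: Dict[str, List[str]]) -> Optional[str]:
    """Fallback cipher under the alias rule proposed in the mail: --cipher
    acts as --data-ciphers-fallback when the latter is not given. This
    models the proposal, not OpenVPN's shipped behaviour (assumption)."""
    return _first(opts, "data-ciphers-fallback") or _first(opts, "cipher")


if __name__ == "__main__":
    for label, cfg in (("cipher-only", CONFIG_CIPHER_ONLY),
                       ("mismatch", CONFIG_MISMATCH),
                       ("migrated", CONFIG_MIGRATED)):
        result = check_cipher_migration(cfg)
        print(f"[{label}] fallback under alias rule: "
              f"{effective_fallback(parse_options(cfg))}")
        for f in result["findings"]:
            print(f"[{label}] WARNING: {f}")
```

Run it against a directory of client configs before rolling out 2.6 clients: any config that produces a finding is one whose operator believed --cipher controlled the data channel, which is exactly the silent behaviour change the thread is arguing about.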