From: Antonio Q. <a...@un...> - 2023-06-17 20:29:30

Hi,

On 17/06/2023 14:06, Giulio wrote:
> This package
> https://download.copr.fedorainfracloud.org/results/dsommers/openvpn-release-2.6/epel-7-x86_64/06080865-openvpn/openvpn-2.6.5-1.el7.src.rpm
> contains
> 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
> which contains
> This change makes the server use AES-256-GCM instead of BF-CBC as
> the default
> cipher for the VPN tunnel.
> --- a/distro/systemd/openvpn-server@.service.in
> +++ b/distro/systemd/openvpn-server@.service.in
> @@ -10,7 +10,7 @@
> Type=notify
> PrivateTmp=true
> WorkingDirectory=/etc/openvpn/server
> -ExecStart=@sbindir@/openvpn --status
> %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps
> --config %i.conf
> +ExecStart=@sbindir@/openvpn --status
> %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps
> --cipher AES-256-GCM --data-ciphers
> AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
>
>
> Is this actually still necessary in openvpn 2.6.x?
>
> Besides, changelog for 2.6 contains
> ...
> CHACHA20-POLY1305 is included in the default of |--data-ciphers|
> when available.
> ...
> will this patch disable CHACHA-20?

I think so, because the patch is explicitly setting --data-ciphers and it is not including CHACHA20POLY1305.

Do you have clients advertising chachapoly only?

Cheers,

--
Antonio Quartulli
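Review bot: the `+ExecStart=` line replaces OpenVPN's built-in `--data-ciphers` default rather than extending it, so CHACHA20-POLY1305, which the quoted 2.6 changelog says is part of that default when available, is no longer offered by the server, and a client that advertises only CHACHA20-POLY1305 cannot negotiate a data channel with it. If the override is kept for 2.6.x at all, append `CHACHA20-POLY1305` to the `--data-ciphers` list; otherwise drop both `--cipher AES-256-GCM` and the `--data-ciphers` override from the unit and let the 2.6 defaults apply, which already answers Giulio's question about whether the patch is still needed. The list also appends the non-AEAD `AES-256-CBC:AES-128-CBC` modes, which the patch description (AES-256-GCM replacing BF-CBC) does not justify; either state in the commit message which clients require CBC or remove those two entries.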