Hi,

> On 23 Nov 2020, at 14:28, Kienker, Fred wrote:
> 
> Eric:
> 
> The idea of putting all of the encryption settings on one page is a good
> one. There are now so many encryption settings and choices that they
> really need their own page.

If we need an extra page, I would say we have done our job wrong.

We need to make sure that this is easy to use. If we have a whole page
full of cryptography options that are very dangerous to change (because
that is how OpenVPN works) then we will only have people with broken
setups.

> The settings changes, at first look, should work but sometimes these
> backwards compatibility settings don't always work as advertised.
> Testing with a variety of clients and both the current and reasonable
> legacy versions would be recommended, even if it is hard to get people
> to assist. With OpenVPN people have a tendency to set it up, get it
> working and leave it alone until it stops working so there are always a
> lot of old clients out there.
> 
> Best regards,
> Fred
> 
> Please note: Although we may sometimes respond to email, text and phone
> calls instantly at all hours of the day, our regular business hours are
> 9:00 AM - 6:00 PM ET, Monday thru Friday.
> 
> -----Original Message-----
> From: ummeegge
> Sent: Monday, November 23, 2020 4:15 AM
> To: development(a)lists.ipfire.org
> Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
> 
> Some additions and WUI restructure ideas after some more testings.
> 
> '--cipher' is no longer needed if '--data-ciphers-fallback' is in usage,
> there is also no need for '--data-ciphers' for the first if
> '--data-ciphers-fallback' is active. The client can still use the
> '--cipher alg' directive and the 2.5.0 server responds with
> '--data-ciphers-fallback alg'.
> 
> The idea: Remove the cipher section from the global area from the WUI,
> rename simply '--cipher' to '--data-ciphers-fallback' in server.conf and
> keep the index, include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH')
> variable(s) to the advanced encryption section with the related indexes
> to keep the old configuration but set also new defaults for new
> configurations.
> 
> If '--data-ciphers' is active, all old clients have the chance with e.g.
> an old CBC cipher to migrate also to newer clients step-by-step so we
> can get rid of the old broken algorithms like CAST, DES and BF since
> they won't appear in the new advanced encryption section...
> 
> As an idea !?
> 
> Best,
> 
> Erik
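The server.conf rewrite Erik sketches above (turn the single `cipher ALG` line into `data-ciphers-fallback ALG` for clients that still send `--cipher`, and add a `data-ciphers` list for clients that negotiate), as an added shell example. This is not IPFire code and not part of the thread: the server.conf fragment is constructed, the `migrate_conf`/`fallback_of` function names are invented here, and the set of algorithms treated as retired (BF, DES, CAST5) is an assumption taken from the message, not an OpenVPN default.

```shell
#!/bin/sh
# Added example, not IPFire code: rewrite a legacy OpenVPN server.conf
# fragment to the OpenVPN 2.5 directives discussed in the thread.
#   cipher ALG   ->  data-ciphers-fallback ALG   (answer for clients that
#                    still send "--cipher ALG" and cannot negotiate)
#                +   data-ciphers LIST[:ALG]     (negotiated by NCP clients)
# ALG stays negotiable only if it is not one of the ciphers the thread
# wants to retire (BF, DES, CAST5); that list is an assumption taken
# from the message, not an OpenVPN default.

# Constructed sample of an OpenVPN 2.4-style server.conf (not a real file).
LEGACY_CONF='proto udp
port 1194
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0'

# migrate_conf CONF_TEXT DATA_CIPHERS_LIST
# Prints the migrated config on stdout; every other line passes through.
migrate_conf() {
    printf '%s\n' "$1" | awk -v dc="$2" '
        $1 == "cipher" {
            alg = $2
            # An old CBC cipher stays negotiable so existing clients can
            # move to an AEAD cipher one by one; broken ones are dropped
            # from the list and only survive as the fallback.
            if (alg ~ /^(BF|DES|CAST5)-/) {
                print "data-ciphers " dc
            } else {
                print "data-ciphers " dc ":" alg
            }
            # What the server answers to a client that only knows --cipher.
            print "data-ciphers-fallback " alg
            next
        }
        { print }'
}

# fallback_of MIGRATED_CONF: the algorithm non-negotiating clients get.
fallback_of() {
    printf '%s\n' "$1" | awk '$1 == "data-ciphers-fallback" { print $2 }'
}

# Demo run when executed directly.
migrate_conf "$LEGACY_CONF" "AES-256-GCM:AES-128-GCM"
```

Keeping a still-acceptable `cipher` algorithm at the end of `data-ciphers` mirrors what OpenVPN 2.5 itself does when only `--cipher` is configured, so negotiating clients that were pinned to AES-CBC keep connecting; a `BF-CBC` or `DES-*` setup is reachable only through the fallback, which is the migration window Erik describes before such ciphers disappear from the WUI.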