From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Date: Mon, 23 Nov 2020 18:06:12 +0000
Message-ID: <299BBA55-B088-4041-83A6-8358CD0F7A62@ipfire.org>

Hi,

> On 23 Nov 2020, at 14:28, Kienker, Fred wrote:
>
> Eric:
>
> The idea of putting all of the encryption settings on one page is a good one. There are now so many encryption settings and choices that they really need their own page.

If we need an extra page, I would say we have done our job wrong.

We need to make sure that this is easy to use. If we have a whole page full of cryptography options that are very dangerous to change (because that is how OpenVPN works) then we will only have people with broken setups.

> The settings changes, at first look, should work but sometimes these backwards compatibility settings don't always work as advertised. Testing with a variety of clients and both the current and reasonable legacy versions would be recommended, even if it is hard to get people to assist. With OpenVPN people have a tendency to set it up, get it working and leave it alone until it stops working so there are always a lot of old clients out there.
>
> Best regards,
> Fred
>
> -----Original Message-----
> From: ummeegge
> Sent: Monday, November 23, 2020 4:15 AM
> To: development(a)lists.ipfire.org
> Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
>
> Some additions and WUI restructure ideas after some more testings.
>
> '--cipher' is no longer needed if '--data-ciphers-fallback' is in usage, there is also no need for '--data-ciphers' for the first if '--data-ciphers-fallback' is active. The client can still use the '--cipher alg' directive and the 2.5.0 server responds with '--data-ciphers-fallback alg'.
>
> The idea: Remove the cipher section from the global area from the WUI, rename simply '--cipher' to '--data-ciphers-fallback' in server.conf and keep the index, include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH') variable(s) to the advanced encryption section with the related indexes to keep the old configuration but set also new defaults for new configurations.
>
> If '--data-ciphers' is active, all old clients have the chance with e.g. an old CBC cipher to migrate also to newer clients step-by-step so we can get rid of the old broken algorithms like CAST, DES and BF since they won't appear in the new advanced encryption section...
>
> As an idea !?
>
> Best,
>
> Erik
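The server.conf rewrite Erik sketches above (drop the legacy `cipher` line, carry its algorithm into `data-ciphers-fallback`, and set a `data-ciphers` default for new configurations), as an added shell example that is not part of this thread or of IPFire's code. The directive names are OpenVPN 2.5's, the default list is OpenVPN 2.5's built-in `--data-ciphers` default, the sample config is constructed, and the "weak" list is just the three algorithm families Erik names.

```shell
#!/bin/sh
# Added example (not IPFire's code): migrate a 2.4-style OpenVPN
# server.conf to the 2.5 layout discussed in the thread.
#   cipher ALG   ->  data-ciphers <2.5 default list>
#                    data-ciphers-fallback ALG   (keeps old clients working)
# Every other line is passed through unchanged.

NEW_DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM"   # OpenVPN 2.5 default

migrate_openvpn_conf() {
    # Reads a server.conf on stdin, writes the migrated config on stdout.
    awk -v defaults="$NEW_DEFAULT_DATA_CIPHERS" '
        # Already 2.5-style (ncp-ciphers is the old alias): keep as-is.
        $1 == "data-ciphers" || $1 == "ncp-ciphers" { have_dc = 1; print; next }
        $1 == "data-ciphers-fallback"                { have_fb = 1; print; next }
        # Legacy --cipher: remember the algorithm, drop the line itself.
        $1 == "cipher" && NF >= 2                    { legacy = $2; next }
        { print }
        END {
            if (!have_dc) print "data-ciphers " defaults
            if (legacy != "" && !have_fb) print "data-ciphers-fallback " legacy
        }
    '
}

# Flags a fallback algorithm that only exists to keep old clients going
# (the families Erik lists: CAST, DES, BF) so the admin knows those clients
# should be migrated rather than the fallback kept forever. Prints weak|ok.
check_fallback_cipher() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        CAST*|DES*|BF*) echo weak ;;
        *)              echo ok ;;
    esac
}

# Constructed sample of a 2.4-style server.conf (not a real IPFire file).
SAMPLE_CONF='port 1194
proto udp
cipher AES-256-CBC
auth SHA512
keepalive 10 60'

printf '%s\n' "$SAMPLE_CONF" | migrate_openvpn_conf
check_fallback_cipher BF-CBC
```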