public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Date: Mon, 23 Nov 2020 15:52:08 +0100
Message-ID: <47067ba1b027ad6683edf3490c6270768d31aee5.camel@ipfire.org>
In-Reply-To: <H000007e004d72fc.1606141706.mail.at4b.com@MHS>

On Monday, 23.11.2020 at 09:28 -0500, Kienker, Fred wrote:
> Eric:
> 
> The idea of putting all of the encryption settings on one page is a
> good one. There are now so many encryption settings and choices that
> they really need their own page.
Yes, and there are even more, maybe also good, directives ;-) .

> 
> The settings changes, at first look, should work but sometimes these
> backwards compatibility settings don't always work as advertised.
> Testing with a variety of clients and both the current and reasonable
> legacy versions would be recommended, even if it is hard to get
> people to assist. With OpenVPN people have a tendency to set it up,
> get it working and leave it alone until it stops working so there are
> always a lot of old clients out there.
Exactly, the --data-ciphers-fallback uses the index of the already
configured --cipher; in that case no interaction is needed from the
user to run the old system. To enable the new --data-ciphers option the
user would need to interact (at least press the save button in the
advanced section), which is not needed in that case... That was my
implementation idea...

> 
> Best regards, 
> Fred

Best,

Erik

> 
> Please note: Although we may sometimes respond to email, text and
> phone calls instantly at all hours of the day, our regular business
> hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
> 
> -----Original Message-----
> From: ummeegge <ummeegge(a)ipfire.org> 
> Sent: Monday, November 23, 2020 4:15 AM
> To: development(a)lists.ipfire.org
> Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
> 
> Some additions and WUI restructure ideas after some more testing.
> 
> '--cipher' is no longer needed if '--data-ciphers-fallback' is in use;
> there is also no need for '--data-ciphers' at first if
> '--data-ciphers-fallback' is active. The client can still use the
> '--cipher alg' directive and the 2.5.0 server responds with
> '--data-ciphers-fallback alg'.
> 
> The idea: Remove the cipher section from the global area from the
> WUI, rename simply '--cipher' to '--data-ciphers-fallback' in
> server.conf and keep the index, include the 'DCIPHER' (also 'DAUTH'
> and 'TLSAUTH') variable(s) to the advanced encryption section with the
> related indexes to keep the old configuration but set also new
> defaults for new configurations.
> 
> If '--data-ciphers' is active, all old clients have the chance with
> e.g. an old CBC cipher to migrate also to newer clients step-by-step
> so we can get rid of the old broken algorithms like CAST, DES and BF
> since they won't appear in the new advanced encryption section...
> 
> 
> As an idea !?
> 
> Best,
> 
> Erik
> 
> 
> 
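
The rename proposed in the quoted mail, as an added example that is not part of the original message or of IPFire's code: it rewrites `cipher ALG` to `data-ciphers-fallback ALG` in a server.conf read from stdin, keeping the configured algorithm, and reports a fallback from the BF, CAST or DES families. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and SAMPLE_CONF are constructed.

# Constructed server.conf fragment of a pre-2.5.0 setup.
SAMPLE_CONF='port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
'

# Rename the 'cipher' directive to 'data-ciphers-fallback' and keep the
# algorithm that was already configured. Commented-out lines and all
# other directives pass through unchanged, so a second run is a no-op.
migrate_cipher() {
    awk '
        $1 == "cipher" && NF >= 2 { sub(/cipher/, "data-ciphers-fallback") }
        { print }
    '
}

# Print the configured (fallback) algorithm when it belongs to one of the
# families the mail wants to retire. Assumption: matching by name prefix,
# which also covers the DES-EDE variants. Exit status 0 = legacy found.
legacy_cipher() {
    awk '
        ($1 == "cipher" || $1 == "data-ciphers-fallback") &&
        toupper($2) ~ /^(BF|CAST5|DES)-/ { print toupper($2); found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Stand-alone run: show the migrated config and warn about a legacy cipher.
migrated=$(printf '%s' "$SAMPLE_CONF" | migrate_cipher)
printf '%s\n' "$migrated"
if weak=$(printf '%s\n' "$migrated" | legacy_cipher); then
    echo "legacy fallback cipher still configured: $weak" >&2
fi
```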


