From: ummeegge
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Date: Mon, 23 Nov 2020 15:52:08 +0100
Message-ID: <47067ba1b027ad6683edf3490c6270768d31aee5.camel@ipfire.org>

On Monday, 23.11.2020, 09:28 -0500, Kienker, Fred wrote:
> Eric:
>
> The idea of putting all of the encryption settings on one page is a
> good one. There are now so many encryption settings and choices that
> they really need their own page.

Yes, and there are even more, maybe also good, directives ;-) .

> The settings changes, at first look, should work but sometimes these
> backwards compatibility settings don't always work as advertised.
> Testing with a variety of clients and both the current and reasonable
> legacy versions would be recommended, even if it is hard to get people
> to assist. With OpenVPN people have a tendency to set it up, get it
> working and leave it alone until it stops working so there are always
> a lot of old clients out there.

Exactly, the --data-cipher-fallback uses the index of the already
configured --cipher; in that case no interaction from the user is
needed to run the old system. To enable the new --data-ciphers option
the user would need to interact (at least press the save button in the
advanced section), which is not needed in that case... That was my
implementation idea...

> Best regards,
> Fred

Best,

Erik

> Please note: Although we may sometimes respond to email, text and
> phone calls instantly at all hours of the day, our regular business
> hours are 9:00 AM - 6:00 PM ET, Monday thru Friday.
>
> -----Original Message-----
> From: ummeegge
> Sent: Monday, November 23, 2020 4:15 AM
> To: development(a)lists.ipfire.org
> Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
>
> Some additions and WUI restructure ideas after some more testings.
>
> '--cipher' is no longer needed if '--data-cipher-fallback' is in usage;
> there is also no need for '--data-ciphers' at first if
> '--data-cipher-fallback' is active. The client can still use the
> '--cipher alg' directive and the 2.5.0 server responds with
> '--data-ciphers-fallback alg'.
>
> The idea: Remove the cipher section from the global area of the WUI,
> simply rename '--cipher' to '--data-ciphers-fallback' in server.conf and
> keep the index, include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH')
> variable(s) in the advanced encryption section with the related indexes
> to keep the old configuration but also set new defaults for new
> configurations.
>
> If '--data-ciphers' is active, all old clients have the chance, with
> e.g. an old CBC cipher, to migrate step-by-step to newer clients, so we
> can get rid of the old broken algorithms like CAST, DES and BF since
> they won't appear in the new advanced encryption section...
>
> As an idea!?
>
> Best,
>
> Erik
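An added example, not code from this thread, from IPFire or from OpenVPN: a POSIX shell script that applies the server.conf rename proposed in the quoted mail ('cipher ALG' becomes 'data-ciphers-fallback ALG', the configured algorithm is kept) and adds a 'data-ciphers' line when none exists, plus a check that flags the legacy fallback families named above (CAST, DES, BF). The function names migrate_conf and weak_fallback, the default list AES-256-GCM:AES-128-GCM and the sample configuration are my assumptions.

```shell
#!/bin/sh
# Added example (not IPFire or OpenVPN project code): migrate a pre-2.5
# server.conf the way the thread proposes and flag legacy fallback ciphers.
# Assumption: AES-256-GCM:AES-128-GCM as the new default for data-ciphers.
DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM"

# migrate_conf: reads an OpenVPN server.conf on stdin and prints the
# migrated version. 'cipher ALG' is renamed to 'data-ciphers-fallback ALG'
# (the configured algorithm is kept, so old clients keep working), and a
# 'data-ciphers' line with the new defaults is appended if none exists.
migrate_conf() {
    awk -v defaults="$DEFAULT_DATA_CIPHERS" '
        $1 == "cipher"       { print "data-ciphers-fallback " $2; next }
        $1 == "data-ciphers" { seen = 1 }
        { print }
        END { if (!seen) print "data-ciphers " defaults }
    '
}

# weak_fallback: reads a server.conf on stdin; succeeds (exit 0) when the
# fallback cipher belongs to one of the legacy families the thread wants
# to retire (CAST, DES, Blowfish), fails (exit 1) otherwise.
weak_fallback() {
    awk '
        ($1 == "cipher" || $1 == "data-ciphers-fallback") &&
        toupper($2) ~ /^(CAST5|DES|BF)-/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample of a pre-2.5 configuration (not a real IPFire file).
SAMPLE='dev tun
proto udp
cipher BF-CBC
auth SHA1'

printf '%s\n' "$SAMPLE" | migrate_conf
if printf '%s\n' "$SAMPLE" | weak_fallback; then
    echo "note: fallback cipher is a legacy algorithm; move clients to data-ciphers"
fi
```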