From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: OpenVPN-2.5.0 update procedure and idea collector Date: Mon, 23 Nov 2020 18:00:34 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6302072093917204282==" List-Id: --===============6302072093917204282== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 23 Nov 2020, at 11:41, Adolf Belka wrote: >=20 > Hi Erik, >=20 > Thanks for all your work on OpenVPN. Much appreciated, especially in these = challenging times of many changes. >=20 > Am I correct in my presumption that in the advanced encryption settings GUI= we will be able to select multiple entries, which will then be made into a l= ist in order that the entries are in the tables. >=20 > From the advanced encryption settings page I see that you have removed the = old insecure options, which is good. It is good to encourage people to use modern cryptography, but I would like t= o raise the point that if we want to support older clients, we will have to s= upport the old crypto, too. Otherwise it is not worth to add the extra work i= f it is virtually unusable. > For the Data-Channel fallback do you have to have a default or can you unse= lect everything. There could be people who only want to connect to systems th= at have the strongest ciphers and just refuse to connect with weaker ones. >=20 > For the Control-Channel sections I would suggest swapping the order of TLSv= 2 and TLSv3 on the screen. The Data-Channel goes from most secure to least se= cure from left to right. I think that the Control-Channel should do the same. >=20 > I don't have any comments about the defaults. They seem reasonable to me. >=20 > Excellent work, it's looking very nice. >=20 > Regards, > Adolf. >=20 >=20 > On 22/11/2020 17:30, ummeegge wrote: >> Hi all, >> i am currently in the update process of the already realeased OpenVPN- >> 2.5.0 --> https://openvpn.net/community-downloads-2/ . The update has >> been tested and worked so far also with the old default client >> configuration (tested with 2.4.9 client). There are two warnings --> >> 1) DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation >> is a deprecated debug feature that will be removed in OpenVPN 2.6 >> 2) WARNING: --topology net30 support for server configs with IPv4 pools >> will be removed in a future release. Please migrate to --topology >> subnet as soon as possible. >> in the server log but it nevertheless works flawlessly. >> Am working currently on an "Advanced Encryption Settings" page which >> includes currently four new directives --data-ciphers (data channel >> encryption), --data-ciphers-fallback (data-channel encryption for >> clients <=3D OpenVPN-2.3.9), --tls-ciphers (control channel TLSv2 only) >> and --tls-ciphersuites (control channel >=3D TLSv3) all options are >> explained in here --> >> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html >> , which works here currently and looks like this: >> Button to belong to this page: >> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advance= d_encryption_button.png >> And the page itself: >> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advance= d_encryption.png >> You can see also the default settings, were i need also your ideas and >> comments for may better defaults. >> On the page itself is also more planned but to not overload this here >> now, i wanted to go now a two step procedure with this update. >> 1) Push OpenVPN-2.5.0 update with the new ciphers and HMACs for regukar >> global settings for RW and N2N. A overview of the new crypto can be >> found in here --> >> https://community.ipfire.org/t/openvpn-2-5-development-version/2173 . >> 2) I would push the "Advanced Encryption settings" development as seen >> above then as one patch <-- this would also eliminate the first warning >> causing --ncp-disable since we can delete this option then. >> Everything else would come detached from this. >> Some feedback might be nice. >> Best, >> Erik --===============6302072093917204282==--