Hi,
On 23 Nov 2020, at 14:28, Kienker, Fred fkienker@at4b.com wrote:
Eric:
The idea of putting all of the encryption settings on one page is a good one. There are now so many encryption settings and choices that they really need their own page.
If we need an extra page, I would say we have done our job wrong.
We need to make sure that this is easy to use. If we have a whole page full of cryptography options that are very dangerous to change (because that is how OpenVPN works) then we will only have people with broken setups.
The settings changes, at first look, should work, but sometimes these backwards compatibility settings don't always work as advertised. Testing with a variety of clients and both the current and reasonable legacy versions would be recommended, even if it is hard to get people to assist. With OpenVPN people have a tendency to set it up, get it working and leave it alone until it stops working, so there are always a lot of old clients out there.
Best regards, Fred
-----Original Message-----
From: ummeegge ummeegge@ipfire.org
Sent: Monday, November 23, 2020 4:15 AM
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Some additions and WUI restructure ideas after some more testings.
'--cipher' is no longer needed if '--data-ciphers-fallback' is in use; there is also no need for '--data-ciphers' at first if '--data-ciphers-fallback' is active. The client can still use the '--cipher alg' directive and the 2.5.0 server responds with '--data-ciphers-fallback alg'.
The idea: Remove the cipher section from the global area of the WUI, simply rename '--cipher' to '--data-ciphers-fallback' in server.conf and keep the index, and include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH') variable(s) in the advanced encryption section with the related indexes to keep the old configuration, but also set new defaults for new configurations.
If '--data-ciphers' is active, all old clients have the chance, with e.g. an old CBC cipher, to migrate step-by-step to newer clients, so we can get rid of the old broken algorithms like CAST, DES and BF since they won't appear in the new advanced encryption section...
As an idea!?
Best,
Erik
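Erik's proposed server.conf rename, as an added shell example that is not IPFire or OpenVPN project code: it rewrites a legacy `cipher ALG` line to `data-ciphers-fallback ALG` (so clients still sending `--cipher alg` keep working) and adds a `data-ciphers` line with AEAD defaults for new configurations when none is present; the default list, the `ncp-ciphers` rename and the sample config are assumptions.

```shell
#!/bin/sh
# Migrate a pre-2.5 OpenVPN server.conf to the 2.5 data-cipher directives.
# Assumed default list for the negotiated (new-client) ciphers.
NEW_DATA_CIPHERS="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

migrate_server_conf() {
    # $1: path to an existing server.conf; migrated config is written to stdout.
    awk -v defaults="$NEW_DATA_CIPHERS" '
        # legacy "cipher ALG": keep ALG as the fallback for old clients
        $1 == "cipher" && NF == 2 { print "data-ciphers-fallback " $2; next }
        # 2.4 name of the negotiation list: rename, keep the value
        $1 == "ncp-ciphers" && NF == 2 { print "data-ciphers " $2; seen = 1; next }
        $1 == "data-ciphers" { seen = 1 }
        { print }
        # no negotiation list at all: add the assumed defaults
        END { if (!seen) print "data-ciphers " defaults }
    ' "$1"
}

# Constructed sample of a 2.4-style server.conf (not taken from the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
# cipher line below is the legacy single-cipher setting
cipher AES-256-CBC
auth SHA512
EOF
migrate_server_conf "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```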