On Monday, 23.11.2020, 09:28 -0500, Kienker, Fred wrote:
Eric:
The idea of putting all of the encryption settings on one page is a good one. There are now so many encryption settings and choices that they really need their own page.
Yes, and there may be even more good directives ;-) .
The settings changes, at first look, should work, but sometimes these backwards compatibility settings don't always work as advertised. Testing with a variety of clients and both the current and reasonable legacy versions would be recommended, even if it is hard to get people to assist. With OpenVPN people have a tendency to set it up, get it working and leave it alone until it stops working, so there are always a lot of old clients out there.
Exactly, --data-ciphers-fallback uses the index of the already configured --cipher, so in that case no interaction is needed from the user to run the old system. To enable the new --data-ciphers option the user would need to interact (at least press the save button in the advanced section), which is not needed in that case... That was my implementation idea...
Best regards, Fred
Best,
Erik
-----Original Message-----
From: ummeegge ummeegge@ipfire.org
Sent: Monday, November 23, 2020 4:15 AM
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Some additions and WUI restructure ideas after some more testing.
'--cipher' is no longer needed if '--data-ciphers-fallback' is in use; at first there is also no need for '--data-ciphers' if '--data-ciphers-fallback' is active. The client can still use the '--cipher alg' directive and the 2.5.0 server responds with '--data-ciphers-fallback alg'.
The idea: remove the cipher section from the global area of the WUI, simply rename '--cipher' to '--data-ciphers-fallback' in server.conf and keep the index, include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH') variable(s) in the advanced encryption section with the related indexes to keep the old configuration, but also set new defaults for new configurations.
If '--data-ciphers' is active, all old clients with e.g. an old CBC cipher have the chance to migrate step-by-step to newer clients, so we can get rid of the old broken algorithms like CAST, DES and BF since they won't appear in the new advanced encryption section...
As an idea!?
Best,
Erik
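The migration the thread sketches (keep the configured cipher as '--data-ciphers-fallback' for legacy clients, add '--data-ciphers' with modern AEAD defaults for clients that negotiate, and stop carrying CAST, DES and BF forward), as an added POSIX shell example. This is not IPFire's or OpenVPN's code; the sample server.conf contents are constructed, and the rule that only AES and Camellia legacy ciphers are kept in the negotiable list is an assumption for the example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not IPFire's update script: rewrite a 2.4-style server.conf
# for OpenVPN 2.5.0 along the lines proposed in the thread.

# Constructed sample configs (IPFire's real server.conf differs).
OLD_CONF='port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA512
tls-auth /var/ipfire/ovpn/certs/ta.key 0'

BF_CONF='port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1'

# Assumption for this example: a legacy cipher may stay in --data-ciphers only
# if it is from the AES or Camellia families; the old 64-bit-block algorithms
# named in the thread (CAST, DES, BF) are served via the fallback only, so
# clients on them still connect but are not offered those ciphers for negotiation.
legacy_cipher_ok() {
    case "$1" in
        AES-*|CAMELLIA-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the cipher configured in the old config (empty when none is set).
old_cipher() {
    printf '%s\n' "$1" | awk '$1 == "cipher" { print $2; exit }'
}

# $1: contents of the old config. Prints the migrated config on stdout:
#   cipher X  ->  data-ciphers-fallback X
#                 data-ciphers AES-256-GCM:AES-128-GCM[:X]
# All other lines pass through unchanged.
migrate_conf() {
    conf=$1
    legacy=$(old_cipher "$conf")
    # OpenVPN 2.5.0 default negotiable set; stays first so new clients prefer AEAD.
    list="AES-256-GCM:AES-128-GCM"
    if [ -n "$legacy" ] && legacy_cipher_ok "$legacy"; then
        case ":$list:" in
            *":$legacy:"*) ;;               # already in the default list
            *) list="$list:$legacy" ;;      # keep it so NCP clients can migrate step by step
        esac
    fi
    printf '%s\n' "$conf" | awk -v legacy="$legacy" -v list="$list" '
        $1 == "cipher" {
            print "data-ciphers-fallback " legacy
            print "data-ciphers " list
            next
        }
        { print }
        END { if (legacy == "") print "data-ciphers " list }
    '
}

# Sanity check on the result: no leftover --cipher, both new directives present.
# Returns 0 when the migrated config passes, 1 otherwise.
check_migrated() {
    printf '%s\n' "$1" | grep -q '^cipher ' && return 1
    printf '%s\n' "$1" | grep -q '^data-ciphers-fallback ' || return 1
    printf '%s\n' "$1" | grep -q '^data-ciphers ' || return 1
    return 0
}

migrate_conf "$OLD_CONF"
```

Running the script prints the migrated form of the first sample: the 'cipher AES-256-CBC' line becomes 'data-ciphers-fallback AES-256-CBC' plus 'data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC', while for the BF-CBC sample only the fallback carries the old cipher. check_migrated is the kind of test Fred asks for in spirit: it only proves the file is well-formed, so connecting with a real 2.4 client and a 2.5 client against the result is still the step that counts.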