|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
From: David Sommerseth <dazo@eurephia.org>
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
Date: Tue, 4 Jul 2017 16:06:24 +0200
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
configurations
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
This change makes the server use AES-256-GCM instead of BF-CBC as the default
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
cipher for the VPN tunnel. To avoid breaking existing running configurations
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
existing older client configurations one-by-one to use at least AES-CBC unless
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
---
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
distro/systemd/openvpn-server@.service.in | 2 +-
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
index 9a8a2c7..0ecda08 100644
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
--- a/distro/systemd/openvpn-server@.service.in
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
+++ b/distro/systemd/openvpn-server@.service.in
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
Type=notify
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
PrivateTmp=true
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
WorkingDirectory=/etc/openvpn/server
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
ba79cfa |
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
LimitNPROC=10
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
DeviceAllow=/dev/null rw
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
--
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
2.11.0
|
|
![](https://seccdn.libravatar.org/avatar/c0ff248819c36cdc405cd57273f056c337f49134b0ffae118028285e05617f2b?s=16&d=retro) |
b931012 |
|