You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 lines
2.0 KiB
38 lines
2.0 KiB
From: David Sommerseth <dazo@eurephia.org> |
|
Subject: [PATCH] Change the default cipher to AES-256-GCM for server |
|
configurations |
|
|
|
This change makes the server use AES-256-GCM instead of BF-CBC as the default |
|
cipher for the VPN tunnel. To avoid breaking existing running configurations |
|
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains |
|
the BF-CBC in addition to AES-CBC. This makes it possible to migrate |
|
existing older client configurations one-by-one to use at least AES-CBC unless |
|
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) |
|
|
|
[Update 2022-06-10] |
|
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish |
|
cipher is no longer available by default in OpenSSL 3.0. It can be enabled |
|
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should |
|
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger |
|
cipher by default and older OpenVPN releases are no longer supported upstream. |
|
|
|
--- |
|
distro/systemd/openvpn-server@.service.in | 2 +- |
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in |
|
index 9a8a2c7..0ecda08 100644 |
|
--- a/distro/systemd/openvpn-server@.service.in |
|
+++ b/distro/systemd/openvpn-server@.service.in |
|
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO |
|
Type=notify |
|
PrivateTmp=true |
|
WorkingDirectory=/etc/openvpn/server |
|
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf |
|
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf |
|
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE |
|
LimitNPROC=10 |
|
DeviceAllow=/dev/null rw |
|
-- |
|
2.11.0 |
|
|
|
|