
[Openvpn-users] Change ciphers on a large installed base.


  • Subject: [Openvpn-users] Change ciphers on a large installed base.
  • From: "John Chatelle" <johnch@xxxxxxxxxx>
  • Date: Thu, 3 May 2007 09:09:01 -0400

 Hello Openvpn Fans;

    I have over 200 clients connected to a single server, and we're adding a 
few each day. We'd like to discover the optimal method for switching our 
cipher from DES-EDE3-CBC to AES-128-CBC, first for new clients and, in 
time, for our existing base, casually and safely.

  Is there a method that will allow the server to use both Ciphers at once?
I changed the OpenVPN server's config file to "see" both ciphers... 
 -----  < snip < -----
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
cipher DES-EDE3-CBC  # Triple-DES
 -----  < snip < ------

 Despite changing the server's config file, and changing a client's config 
file to simply: 
 -----  < snip < -----
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
 -----  < snip < -----

  I thought it would work, but the log file on the client had the 
disappointing line:
 -----  < snip < -----
 May  3 08:04:14 interface openvpn[28030]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher DES-EDE3-CBC'
 -----  < snip < -----

  The log file line shows that the Server was only allowing one cipher, 
making a switchover more of a chore for a larger installed base.  I like 
that the client's log reports the cipher that the server is expecting. I 
just wish it could expect two ciphers and choose the one the client is 
using. 

  Is there a solution to this cipher change problem?

   If not, would it not be a wonderful enhancement to allow more than one 
cipher at a time? 

   Best Regards, 

  'Nuther OpenVPN Fan.  
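The warning quoted above also shows what the server actually did with two `cipher` lines: the remote side reports `DES-EDE3-CBC`, the last line in the snippet, so the second directive replaced the first rather than adding to it. Before rolling a cipher change across a fleet, the practical check is therefore to compute each config's effective `cipher` the same way and flag which clients would fail against the server. The script below is an added example, not code from the post or from the OpenVPN project; it assumes that `#` and `;` at the start of a line mark a comment, that the last active `cipher` line wins (as the log shows), and that a config with no `cipher` line falls back to `BF-CBC`, the default named in the sample config's comment. The file names and configs are constructed.

```python
"""Audit OpenVPN client configs for a 'cipher' mismatch against the server.

Added example (assumptions): '#' and ';' at line start are comments, trailing
'# ...' text is a comment, the last active 'cipher' line wins, and a config
without any 'cipher' line uses the BF-CBC default.
"""
from typing import Dict, Optional

# Constructed server config mirroring the snippet in the post.
SERVER_CONF = """\
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
cipher DES-EDE3-CBC  # Triple-DES
"""

# Constructed client configs: one already switched, one still on 3DES,
# one with no cipher line at all.
CLIENT_CONFS = {
    "new-client.ovpn": ";cipher BF-CBC        # Blowfish (default)\ncipher AES-128-CBC   # AES\n",
    "old-client.ovpn": "cipher DES-EDE3-CBC  # Triple-DES\n",
    "default-client.ovpn": "remote vpn.example.invalid 1194\n",
}

DEFAULT_CIPHER = "BF-CBC"  # assumed default, per the comment in the sample config


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def effective_option(conf: str, name: str) -> Optional[str]:
    """Return the value of the last active occurrence of `name`, or None."""
    value = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        parts = strip_comment(line).split()
        if len(parts) > 1 and parts[0] == name:
            value = parts[1]  # a later line overrides an earlier one
    return value


def effective_cipher(conf: str) -> str:
    """Effective cipher for a config, falling back to the assumed default."""
    return effective_option(conf, "cipher") or DEFAULT_CIPHER


def audit(server_conf: str, client_confs: Dict[str, str]) -> Dict[str, dict]:
    """Map each client file to its effective cipher and whether it matches the server."""
    server_cipher = effective_cipher(server_conf)
    report = {}
    for fname, conf in client_confs.items():
        cipher = effective_cipher(conf)
        report[fname] = {"cipher": cipher, "matches_server": cipher == server_cipher}
    return report


if __name__ == "__main__":
    print("server effective cipher:", effective_cipher(SERVER_CONF))
    for fname, row in audit(SERVER_CONF, CLIENT_CONFS).items():
        status = "ok" if row["matches_server"] else "MISMATCH"
        print(f"{fname}: {row['cipher']} ({status})")
```

Run against the real client files, the report tells you which configs still need editing before the server is switched to the new cipher, so the "used inconsistently" warning is caught on the desk rather than in 200 client logs.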
