Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:rulezz
openvpn
_service:download_src_package:0001-Change-the-d...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:download_src_package:0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch of Package openvpn
From: David Sommerseth <dazo@eurephia.org> Subject: [PATCH] Change the default cipher to AES-256-GCM for server configurations This change makes the server use AES-256-GCM instead of BF-CBC as the default cipher for the VPN tunnel. To avoid breaking existing running configurations defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in addition to AES-CBC. This makes it possible to migrate existing older client configurations one-by-one to use at least AES-CBC unless the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) [Update 2022-06-10] The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish cipher is no longer available by default in OpenSSL 3.0. It can be enabled via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger cipher by default and older OpenVPN releases are no longer supported upstream. --- distro/systemd/openvpn-server@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in index 9a8a2c7..0ecda08 100644 --- a/distro/systemd/openvpn-server@.service.in +++ b/distro/systemd/openvpn-server@.service.in @@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw -- 2.11.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor