doc:appunti:linux:sa:debian_upgrade_11_12

doc:appunti:linux:sa:debian_upgrade_11_12 [2025/03/03 16:33] – [pnp4nagios] niccolo
doc:appunti:linux:sa:debian_upgrade_11_12 [2025/03/20 12:30] (current) – [OpenVPN BF-CBC not supported] niccolo
Line 125: Line 125:
 ===== OpenVPN BF-CBC not supported ===== ===== OpenVPN BF-CBC not supported =====
  
-L'opzione **cipher** viene usata quando si usa una configurazione con l'opzione **secret** e pre-shared-key, una situazione che in generale dovrebbe essere rimpiazzata dalle configurazioni TLS (es. EasyRSA).+==== Configuration with --secret PSK ====
  
-L'impostazione predefinita per **cipher** è **BF-CBC**, che però non è più presente in **OpenVPN 2.6.3** (controllare con ''%%openvpn --show-ciphers%%''); si deve quindi necessariamente indicare un protocollo diversoad esempio:+In a configuration with PSK (**%%--secret%%** option) the **%%--cipher%%** parameter selects the cipher to use on the data channel. The default setting would be **BF-CBC**, but this is no longer present in **OpenVPN 2.6.3** (check with ''%%openvpn --show-ciphers%%''). You must therefore specify a different protocolfor example with: 
 + 
 +<file> 
 +# Do not use the default BF-CBC cipher, it was removed because of its 64-bit block size. 
 +cipher AES-256-CBC 
 +# Get the PSK from the external file. 
 +secret my-openvpn-secret.key 
 +</file> 
 + 
 +Of course, the other end of the VPN must support the same encryption. **WARNING**: Use **AES-256-CBC** because e.g. **AES-256-GCM** is not supported in pre-shared keys mode. 
 + 
 +==== Configuration with TLS ==== 
 + 
 +With OpenVPN 2.6.x the **%%--cipher%%** option should not be used any longer in TLS mode (e.g. when using EasyRSA). 
 + 
 +With OpenVPN 2.4.x or lower: The values declared into the %%--cipher%% option were appended to **%%--data-ciphers%%** for compatiblity, this is not longer the case. You have to explicitly declare **%%--data-ciphers%%** and remove ''%%--cipher%%'':
  
 <code> <code>
-The --cipher option is used to connect OpenVPN older than 2.6.0 using pre-shared keys. +# OpenVPN 2.6 using TLS should use the --data-ciphers option. 
-# Notice that AES-256-GCM is not supported in pre-shared keys mode. +data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC 
-#cipher AES-256-CBC +data-ciphers-fallback AES-256-CBC
-+
-# Newer connections using TLS uses the --data-ciphers option. +
-data-ciphers AES-256-GCM:AES-128-GCM+
 </code> </code>
 +
  
 ===== PostgreSQL da 13 a 15 ===== ===== PostgreSQL da 13 a 15 =====
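Review bot: the new "Configuration with TLS" paragraph contains a few typos worth fixing before this revision is kept ("compatiblity", "this is not longer the case", and "protocolfor example" is missing a space in the PSK paragraph), and since the `--cipher` and `--data-ciphers` options select a cipher rather than a protocol, "specify a different cipher" reads more accurately than "a different protocol". The version statement is also inconsistent with the comment being removed: the old `<code>` block said `--cipher` was used "to connect OpenVPN older than 2.6.0 using pre-shared keys", while the new text says the `--cipher` value was appended to `--data-ciphers` "With OpenVPN 2.4.x or lower"; please confirm which version range the compatibility behaviour applies to so the two statements agree. The new `data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` list together with `data-ciphers-fallback AES-256-CBC` is consistent with the PSK section, which relies on AES-256-CBC for peers that cannot use GCM.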
doc/appunti/linux/sa/debian_upgrade_11_12.1741016020.txt.gz · Last modified: 2025/03/03 16:33 by niccolo