Page MenuHomeVyOS Platform
Create Task
Maniphest T5487

OPENVPN -DEPRECATED OPTION: --cipher
Backport candidate, HighPublicBUG
Actions

Description

based on this post in our forum , openvpn seems to deprecate this option --cipher move to --data-ciphers

https://forum.vyos.io/t/some-openvpn-server-cipher-options-are-ignored/11878

in our config-file should add this new option :

https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst

data-ciphers AES-256-CBC

it was added 2.5 based on documentation

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202308060317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Package upgrade

Related Objects

Event Timeline

fernando created this task.Aug 17 2023, 4:06 PM
pasik subscribed.Aug 17 2023, 4:15 PM
fernando added a comment.Aug 18 2023, 8:05 PM

I confirm this warning message , although, on Linux doesn't affect or at least with our server/client work as expected :

show log openvpn
 OpenVPN connection to vtun10...
Aug 18 19:20:38 openvpn-vtun10[1766]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Aug 18 19:20:38 openvpn-vtun10[1766]: OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] 

`

it is because 2.6 change default chiper to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

fernando changed the task status from Open to Confirmed.Aug 18 2023, 8:07 PM
fernando changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
fernando changed Issue type from Unspecified (please specify) to Package upgrade.
SrividyaA claimed this task.Sep 5 2023, 6:03 PM
fernando added a project: VyOS 1.3 Equuleus (1.3.5).Sep 20 2023, 2:55 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:36 PM
dmbaturin triaged this task as High priority.Jan 11 2024, 11:58 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.7); removed VyOS 1.3 Equuleus (1.3.6).Feb 10 2024, 9:17 AM
dmbaturin edited projects, added Restricted Project, VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.3 Equuleus (1.3.7), VyOS 1.4 Sagitta.Apr 4 2024, 10:29 PM
syncer moved this task from 1.4.0-epa3 to 1.4.0-GA on the VyOS 1.4 Sagitta board.May 15 2024, 9:30 AM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta (1.4.0-epa3).
natali-rs1985 claimed this task.May 15 2024, 12:31 PM
natali-rs1985 added a subscriber: SrividyaA.
natali-rs1985 changed Is it a breaking change? from Perfectly compatible to Config syntax change (migratable).May 17 2024, 9:21 AM
natali-rs1985 changed the task status from Confirmed to In progress.May 17 2024, 11:02 AM
Viacheslav closed this task as Resolved.Tue, Jul 2, 5:25 AM
Viacheslav edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.4 Sagitta (1.4.0-GA).
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
Viacheslav reopened this task as Backport candidate.Tue, Jul 2, 5:27 AM
Viacheslav moved this task from Finished to Backlog on the VyOS 1.4 Sagitta (1.4.1) board.
dmbaturin removed a project: VyOS 1.4 Sagitta (1.4.1).Wed, Jul 3, 12:14 PM
dmbaturin subscribed.

Removing from Sagitta, since we aren't changing any syntax within an LTS release.

c-po mentioned this in T6545: OpenVPN: Remove "none" option for ncp-cipher encryption.Thu, Jul 4, 7:23 AM