binhex / arch-delugevpn

Docker build script for Arch Linux base with Deluge, Privoxy and OpenVPN
GNU General Public License v3.0

Deprecated cipher AES-256-CBC #231

Closed kriegalex closed 3 years ago

kriegalex commented 3 years ago

Here is the issue:

2020-11-30 12:13:52 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

Version : Docker binhex/arch-delugevpn:latest

binhex commented 3 years ago

issue related to what? that's a deprecation warning triggered by an ovpn file that is using an old cipher, nothing to do with my code I'm afraid.

kriegalex commented 3 years ago

Well, I think it is, because it is written in clear in the warning what to do: Add 'AES-256-CBC' to --data-ciphers. I guess this is up to you, no, when calling OpenVPN?

You can't ignore people who get this cipher from their VPN provider :(

binhex commented 3 years ago

> Add 'AES-256-CBC' to --data-ciphers. I guess this is up to you, no, when calling OpenVPN?

no, that should be defined in the ovpn file, and as previously mentioned it is a warning only, it is not a fatal error so at this time it will work.

if you wish to silence the warning then please do as the warning mentions, changing the values in the ovpn config file, just drop the double hyphens (command line options).

e.g.

data-ciphers-fallback AES-256-CBC

kriegalex commented 3 years ago

Ok, so because of the message being so precise about using this flag, I did not see that indeed this could go into the ovpn file directly.

So taking this issue from another angle, if --cipher is prone to be deprecated, I'm sure you will get hammered at some point by requests from people using providers that don't update their stuff or people using very old ovpn.

Maybe you could get ahead of the curve by treating this directly at the OpenVPN level? It is indeed only a warning, but soon to become an error.

binhex commented 3 years ago

> Maybe you could get ahead of the curve by treating this directly at the OpenVPN level? It is indeed only a warning, but soon to become an error.

sorry but I won't do this, it is not always as simple as replacing cipher with data-ciphers-fallback or data-ciphers, as I found out when I was debugging issues with PIA, and I don't want to get into tweaking ovpn config files on a per vpn provider basis, I just don't have the time to do this.
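
A small lint for the situation discussed in this thread, as an added example that is not part of the original issue or of the arch-delugevpn project: it reads an .ovpn profile and reports whether `cipher` is missing from `data-ciphers`, together with the two replacement lines the warning suggests. The default cipher list is taken from the warning quoted above; the function names and the sample profile are constructed for illustration, and the script only reports, it does not rewrite the file.

```python
# Added example: lint an .ovpn profile for the --cipher deprecation warning.
# Assumption: default data-ciphers list as printed in the warning in this thread.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed sample profile (not from any real provider).
SAMPLE = """\
client
dev tun
remote vpn.example.com 1194
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
cipher NOT-A-DIRECTIVE
-----END CERTIFICATE-----
</ca>
"""

def parse_directives(text):
    """Return {directive: [args]} for top-level lines; skip comments and inline blocks."""
    found, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True   # <ca>, <cert>, <key> hold PEM data, not options
        elif not in_block:
            parts = line.split()
            found[parts[0].lstrip("-").lower()] = parts[1:]
    return found

def check_profile(text):
    """Return ("ok", []) or ("deprecated", [candidate replacement lines])."""
    d = parse_directives(text)
    cipher = (d.get("cipher") or [""])[0].upper()
    if not cipher:
        return "ok", []
    # ncp-ciphers is the older name for data-ciphers and is accepted as an alias.
    spec = d.get("data-ciphers") or d.get("ncp-ciphers")
    allowed = spec[0].upper().split(":") if spec else list(DEFAULT_DATA_CIPHERS)
    if cipher in allowed:
        return "ok", []
    return "deprecated", ["data-ciphers " + ":".join(allowed + [cipher]),
                          "data-ciphers-fallback " + cipher]

if __name__ == "__main__":
    print(check_profile(SAMPLE))
```

Which of the two suggested lines is appropriate depends on what the VPN server negotiates, so the output is a starting point for a manual edit of the profile.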