schwabe / ics-openvpn

OpenVPN for Android

BF-CBC is sometimes refused, sometimes not #1543

Closed bruceleerabbit closed 1 year ago

bruceleerabbit commented 1 year ago

General information

  1. Android Version 5.1.1
  2. Android Vendor/Custom ROM stock
  3. Device obscure
  4. Version of the app (version number/play store version/self-built) fdroid/0.7.41

Description of the issue

OpenVPN behaves inconsistently when following the guide on reverse tethering over USB using OpenVPN. Sometimes it gives this warning but then continues attempting to connect:

WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.

Other times the app dies with a fatal error saying that BF-CBC is not supported. It’s unclear which behavior is correct because it’s unclear whether the warning msg refers to the desktop software version or the AOS app version. Since the AOS app version is on 0.*, apparently the warning refers to the desktop version. But then the ABOUT page only gives the app version without stating which desktop version it’s aligned with. So it’s unclear whether BF-CBC usage should be warned or refused. Either way, the behavior should be consistent and it is not.

schwabe commented 1 year ago

The behaviour should be fairly consistent. Please include full logs and configs if you have something where it is misbehaving. And please see https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for the changes.

The app has always followed the OpenVPN master branch.