openvpn: Change the default cipher to AES-256-GCM for server configurations

This change makes the server use AES-256-GCM instead of BF-CBC as the default cipher for the VPN tunnel. To avoid breaking existing running configurations defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in addition to AES-CBC. This makes it possible to migrate existing older client configurations one-by-one to use at least AES-CBC unless the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) Upstream-Status: Backport [https://src.fedoraproject.org/rpms/openvpn/blob/rawhide/f/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch] Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: wangmy <wangmy@fujitsu.com> 2021-11-16 09:54:04 +0800
committer: Khem Raj <raj.khem@gmail.com> 2021-11-15 18:04:23 -0800
commit: 54567412b55e76f768d928a4eb06aae7ad8ba464 (patch)
tree: b9440d6ae8a8c2b107ebe7dfc369a1046ae18db9
parent: 542ffbafe17055988e580e71dd834600efca7495 (diff)
download: meta-openembedded-54567412b55e76f768d928a4eb06aae7ad8ba464.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service b/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service
index 358dcb791a..01dd2e8c25 100644
--- a/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service
+++ b/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service
@@ -6,7 +6,7 @@ After=syslog.target network.target
 PrivateTmp=true
 Type=forking
 PIDFile=/var/run/openvpn/%i.pid
-ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
 [Install]
 WantedBy=multi-user.target
author	wangmy <wangmy@fujitsu.com>	2021-11-16 09:54:04 +0800
committer	Khem Raj <raj.khem@gmail.com>	2021-11-15 18:04:23 -0800
commit	54567412b55e76f768d928a4eb06aae7ad8ba464 (patch)
tree	b9440d6ae8a8c2b107ebe7dfc369a1046ae18db9
parent	542ffbafe17055988e580e71dd834600efca7495 (diff)
download	meta-openembedded-54567412b55e76f768d928a4eb06aae7ad8ba464.tar.gz

diff --git a/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service b/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service index 358dcb791a..01dd2e8c25 100644 --- a/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service +++ b/meta-networking/recipes-support/openvpn/openvpn/openvpn@.service
@@ -6,7 +6,7 @@ After=syslog.target network.target
6	PrivateTmp=true	6	PrivateTmp=true
7	Type=forking	7	Type=forking
8	PIDFile=/var/run/openvpn/%i.pid	8	PIDFile=/var/run/openvpn/%i.pid
9	ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf	9	ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
10		10
11	[Install]	11	[Install]
12	WantedBy=multi-user.target	12	WantedBy=multi-user.target