When disabling "Use custom renegotiation interval" in the "Advanced" settings of an OpenVPN tunnel, the OpenVPN process is started with --reneg-sec 0. This disables time-based renegotiation completely.

This is invalid, as that overrides the default value (1 hour) and puts users at risk - in particular if the default Blowfish or other weak cipher algorithm is used. See the SWEET32 information page [1] for more information. If a user wants to disable --reneg-sec, the user should set this value to 0 her/himself.

On a related note, as of OpenVPN v2.3.13 --reneg-bytes will default to 64MB if weak ciphers are used. It would probably be beneficial to also expose this setting via the Advanced settings as well. For earlier OpenVPN versions before v2.3.13, the default is to have --reneg-bytes disabled for any cipher.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-1.0.8-1.el7.x86_64

[1] http://community.openvpn.net/openvpn/wiki/SWEET32
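The following audit helper is an added example, not part of the original report or of NetworkManager-openvpn. It takes the command line of a running openvpn process plus the OpenVPN version and works out the effective renegotiation limits from the defaults described above. The function names, the 64-bit cipher list and the sample command line are assumptions made for illustration.

```python
import shlex

# 64-bit block ciphers in the scope of SWEET32 (assumed, non-exhaustive list).
WEAK_64BIT = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
              "CAST5-CBC", "RC2-CBC", "IDEA-CBC"}
DEFAULT_CIPHER = "BF-CBC"            # the default Blowfish cipher the report mentions
DEFAULT_RENEG_SEC = 3600             # default of 1 hour, per the report
WEAK_RENEG_BYTES = 64 * 1024 * 1024  # "64MB" default for weak ciphers from v2.3.13


def option(argv, name):
    """Return the last value given for --name, or None if the option is absent."""
    value = None
    for i, arg in enumerate(argv[:-1]):
        if arg == "--" + name:
            value = argv[i + 1]
    return value


def audit(cmdline, version):
    """Return (effective settings, findings) for an openvpn command line.

    version is a tuple such as (2, 3, 13).
    """
    argv = shlex.split(cmdline)
    cipher = (option(argv, "cipher") or DEFAULT_CIPHER).upper()
    weak = cipher in WEAK_64BIT
    sec = option(argv, "reneg-sec")
    sec = DEFAULT_RENEG_SEC if sec is None else int(sec)
    nbytes = option(argv, "reneg-bytes")
    if nbytes is None:
        # Before v2.3.13 byte-based renegotiation is off for every cipher.
        nbytes = WEAK_RENEG_BYTES if weak and version >= (2, 3, 13) else 0
    else:
        nbytes = int(nbytes)
    findings = []
    if sec == 0:
        findings.append("time-based renegotiation disabled (--reneg-sec 0)")
    if weak and nbytes == 0:
        findings.append("no byte-based renegotiation for 64-bit cipher " + cipher)
    return {"cipher": cipher, "reneg_sec": sec, "reneg_bytes": nbytes}, findings


# Constructed sample: the command line shape the report describes.
SAMPLE = "openvpn --remote vpn.example.com 1194 --reneg-sec 0 --dev tun"

if __name__ == "__main__":
    for ver in [(2, 3, 12), (2, 3, 13)]:
        print(ver, audit(SAMPLE, ver))
```

With the sample line, an OpenVPN older than v2.3.13 yields both findings, meaning the data channel key has neither a time nor a byte limit; from v2.3.13 on only the time-based finding remains.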
NetworkManager-openvpn-1.2.6-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1427c2b2fc
NetworkManager-openvpn-1.2.6-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1427c2b2fc
NetworkManager-openvpn-1.2.6-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.