This is a tracking bug for Change: New default cipher in OpenVPN
For more details, see: https://fedoraproject.org//wiki/Changes/New_default_cipher_in_OpenVPN

Since the discovery of the SWEET32 flaw, ciphers using cipher-blocks smaller than 128 bits are considered vulnerable and should not be used any more. OpenVPN uses Blowfish (BF-128-CBC) as the default cipher, which is hit by the SWEET32 flaw. This proposal changes the default cipher to AES-256-GCM while in parallel allowing clients to connect using AES-256-CBC, AES-128-CBC or the deprecated BF-CBC,
This change is applied to openvpn-2.4.3-4.fc27 (master branch) https://koji.fedoraproject.org/koji/buildinfo?buildID=951059
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
On 2017-Sep-05 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 27 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.

Thanks,
Jan
commit b931012953451b2614b5fdfa5afe3c1d47c42fe8
Author: David Sommerseth <dazo>
Date: Tue Jul 4 16:17:37 2017 +0200

    Change default cipher for server configurations to AES-GCM

    At the same time, utilize the Negotiable Crypto Parameters (NCP) feature
    in OpenVPN v2.4, which allows clients using the old BF-CBC default cipher
    to connect without any issues.

    F-27 Change request:
    https://fedoraproject.org/wiki/Changes/New_default_cipher_in_OpenVPN

    This change was approved in the FESCO meeting 2017-08-04.

    Also fix a truncated changelog entry for openvpn-2.4.3-1

$ git branch --contains b931012953451b2614b5fdfa5afe3c1d47c42fe8
* f27
  master
$
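Added example, not part of the bug report or of the Fedora package: a small audit that reports where an OpenVPN configuration still permits a 64-bit block cipher, covering both the implicit BF-CBC default described in the Change and the legacy fallback kept for old clients. The sample configurations are constructed from the cipher names in the Change description; the prefix list and the function names are assumptions made for illustration.

```python
"""Audit an OpenVPN config for 64-bit block ciphers (SWEET32 exposure)."""

# Cipher families with a 64-bit block; illustrative list, not exhaustive.
SMALL_BLOCK_PREFIXES = ("BF", "DES", "DESX", "CAST5", "RC2", "IDEA")
# OpenVPN 2.4 uses BF-CBC when the config carries no `cipher` directive.
IMPLICIT_DEFAULT = "BF-CBC"

# Constructed sample: a server config that never sets a cipher.
LEGACY = "port 1194\nproto udp\ndev tun\n"
# Constructed sample: AES-256-GCM default, older ciphers still accepted.
MIGRATED = (
    "dev tun\n"
    "cipher AES-256-GCM  # new default\n"
    "ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-CBC:BF-CBC\n"
)


def is_small_block(name):
    """True when the cipher name belongs to a 64-bit block family."""
    return name.upper().split("-")[0] in SMALL_BLOCK_PREFIXES


def audit(config_text):
    """Return (directive, cipher, note) tuples for small-block ciphers."""
    cipher, ncp = None, []
    for raw in config_text.splitlines():
        # '#' and ';' both start a comment in OpenVPN config files.
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lstrip("-")  # tolerate command-line style "--cipher"
        if key == "cipher":
            cipher = parts[1]
        elif key == "ncp-ciphers":
            ncp = parts[1].split(":")
    findings = []
    if cipher is None:
        findings.append(("cipher", IMPLICIT_DEFAULT, "implicit default"))
    elif is_small_block(cipher):
        findings.append(("cipher", cipher, "explicit"))
    for name in ncp:
        if is_small_block(name):
            findings.append(("ncp-ciphers", name, "accepted for legacy clients"))
    return findings


if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("migrated", MIGRATED)):
        print(label, audit(text))
```

A finding under ncp-ciphers marks the compatibility window left open for old clients; it can be closed by removing BF-CBC from the list once those clients are upgraded.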