Friday, November 17, 2017

OpenVPN - Wrong Encryption Algorithm Being Used

OpenVPN Version: 2.4.0

In one of our OpenVPN server and client connections, we observed strange behavior from one of the clients. Even though the client had "cipher AES-256-CBC" set in its configuration file, the logs still showed:
Mon Feb 13 07:58:33 2017 xxx.xx.xxx.xx:50112 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 xxx.xx.xxx.xx:50112 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

OpenVPN is using the 'AES-256-GCM' encryption algorithm even though both the server and client configuration files set it to "AES-256-CBC".

This is because the "Enable NCP" (negotiable crypto parameters) option is enabled, and in your list of allowed NCP encryption algorithms "AES-256-GCM" is preferred over "AES-256-CBC". If you want to stop this override behavior (NCP), you can disable NCP, or you can update your list of allowed encryption algorithms.
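As an added check (not from the original post), this script compares the data-channel cipher reported in the OpenVPN log with the static `cipher` option and the effective `ncp-ciphers` list, to show why NCP ends up picking AES-256-GCM and what changes once NCP is disabled. The two configs, the log excerpt and the address in it are constructed samples; the default NCP list is the one OpenVPN 2.4 ships with.

```python
# Explain an OpenVPN 2.4 data-channel cipher that differs from --cipher.
import re

# Constructed sample: server config with NCP active (no ncp-ciphers override).
CONFIG_NCP_ENABLED = """\
cipher AES-256-CBC
"""

# Constructed sample: same config with negotiation switched off.
CONFIG_NCP_DISABLED = """\
cipher AES-256-CBC
ncp-disable
"""

# Constructed log excerpt modelled on the lines quoted in the post.
LOG = """\
Mon Feb 13 07:58:33 2017 203.0.113.10:50112 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 203.0.113.10:50112 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"  # OpenVPN 2.4 default list
CIPHER_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized")

def parse_config(text):
    """Return (static --cipher, effective NCP cipher list, ncp-disable present)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    ncp_disabled = "ncp-disable" in opts
    ncp_list = [] if ncp_disabled else opts.get("ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":")
    return opts.get("cipher"), ncp_list, ncp_disabled

def negotiated_ciphers(log):
    """Set of data-channel ciphers actually initialised according to the log."""
    return {m.group(2) for m in CIPHER_RE.finditer(log)}

def explain(config_text, log):
    """Return (negotiated ciphers, configured cipher, verdict) for the mismatch."""
    configured, ncp_list, ncp_disabled = parse_config(config_text)
    negotiated = negotiated_ciphers(log)
    if negotiated == {configured}:
        return negotiated, configured, "matches --cipher"
    if ncp_disabled:
        return negotiated, configured, "mismatch with NCP disabled: check the peer's config"
    if negotiated <= set(ncp_list):
        return negotiated, configured, "chosen by NCP from ncp-ciphers " + ":".join(ncp_list)
    return negotiated, configured, "cipher not in ncp-ciphers: unexplained"
```

AES-256-GCM is an AEAD cipher and is generally the stronger choice, so when the peer supports it, adjusting `ncp-ciphers` is preferable to `ncp-disable`.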
