openvpn: try to use CHACHA20-POLY1305 (if supported by the remote end) on routers without AES acceleration
RMerl committed Sep 18, 2020
1 parent ba48a1d commit 1db48ac
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion release/src/router/shared/defaults.c
@@ -17,7 +17,7 @@
#if defined(RTCONFIG_OPENVPN) && defined(HND_ROUTER) && !defined(HND_ROUTER_AX_675X)
#define DEFAULT_NCP_CIPHERS "AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC"
#else
#define DEFAULT_NCP_CIPHERS "AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC"
#define DEFAULT_NCP_CIPHERS "CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC"
#endif

// stub for wlconf, etc.
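Review bot: the new `#else` default in defaults.c puts CHACHA20-POLY1305 first for every build that is not `HND_ROUTER && !HND_ROUTER_AX_675X`, but nothing in the hunk ties that entry to the OpenVPN/OpenSSL build actually providing the cipher; OpenVPN treats an unsupported name in its NCP cipher list as a fatal configuration error rather than skipping it, so a platform in the `#else` branch whose OpenSSL lacks ChaCha20-Poly1305 would fail to start OpenVPN with the shipped default. Consider guarding the entry behind a feature define (or confirming every non-HND target ships the cipher), and add a comment on the `#if` line stating that the `HND_ROUTER`/`HND_ROUTER_AX_675X` condition is standing in for "has AES acceleration", since the commit message's rationale is not recoverable from the macro names alone.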

1 comment on commit 1db48ac

RMerl (Owner, Author) commented on 1db48ac, Oct 12, 2020


Don't want to do that for legacy reasons, as a LOT of servers and clients out there still don't support GCM. Hence they are kept in but with a lower priority than the GCM ciphers, which will get used if the remote end supports it.

OpenVPN is not susceptible to POODLE. No official word regarding GOLDENDOODLE.

Keep in mind that these exploits are generally more problematic for open servers such as web servers. VPN servers require clients to be authenticated to be allowed to fully connect.
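How the priority ordering discussed above plays out for different peers, as an added example: this is not code from the asuswrt-merlin repository or from OpenVPN. It is a simplified model of the server-preference matching that OpenVPN's NCP performs (the server walks its own list in order and takes the first cipher the peer also offers; a peer that advertises no list is treated as offering only its single legacy `--cipher`). The cipher strings are the two defaults from the diff; the client lists are constructed for illustration.

```python
"""Model of OpenVPN-style NCP (data-channel cipher) negotiation order.

Added example, not code from asuswrt-merlin or OpenVPN. It models the
server-side preference matching NCP performs, simplified: the server picks
the first entry of its own list that the peer supports. Pre-NCP peers are
modelled as offering only their legacy --cipher value.
"""
from typing import List, Optional, Sequence

# The two defaults exactly as they appear in the diff of defaults.c.
DEFAULT_NCP_CIPHERS_AES_ACCEL = "AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC"
DEFAULT_NCP_CIPHERS_NO_ACCEL = (
    "CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC"
)


def parse_cipher_list(spec: str) -> List[str]:
    """Split a colon-separated cipher list, upper-casing names and dropping empties."""
    return [c.strip().upper() for c in spec.split(":") if c.strip()]


def negotiate(
    server_list: str,
    peer_ciphers: Sequence[str],
    peer_legacy_cipher: Optional[str] = None,
) -> Optional[str]:
    """Return the cipher the server side would select, or None if nothing matches.

    Server preference wins: the first entry of server_list that the peer also
    offers is chosen. A peer with an empty NCP list (no negotiation support)
    is assumed to offer only peer_legacy_cipher; if that is absent from the
    server list the handshake has no usable cipher (None).
    """
    offered = {c.strip().upper() for c in peer_ciphers if c.strip()}
    if not offered and peer_legacy_cipher:
        offered = {peer_legacy_cipher.strip().upper()}
    for cipher in parse_cipher_list(server_list):
        if cipher in offered:
            return cipher
    return None


# Constructed peer profiles (assumptions for illustration, not captured data).
CHACHA_CAPABLE = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
GCM_ONLY = ["AES-256-GCM", "AES-128-GCM"]          # a typical NCP peer without ChaCha20
LEGACY_NO_NCP: List[str] = []                       # sends no cipher list at all


def scenarios() -> dict:
    """Run the representative cases and return {label: selected cipher}."""
    return {
        "no-accel server, ChaCha20-capable peer": negotiate(DEFAULT_NCP_CIPHERS_NO_ACCEL, CHACHA_CAPABLE),
        "AES-accel server, ChaCha20-capable peer": negotiate(DEFAULT_NCP_CIPHERS_AES_ACCEL, CHACHA_CAPABLE),
        "no-accel server, GCM-only peer": negotiate(DEFAULT_NCP_CIPHERS_NO_ACCEL, GCM_ONLY),
        "no-accel server, legacy peer with --cipher AES-256-CBC": negotiate(
            DEFAULT_NCP_CIPHERS_NO_ACCEL, LEGACY_NO_NCP, "AES-256-CBC"
        ),
        "no-accel server, legacy peer with --cipher BF-CBC": negotiate(
            DEFAULT_NCP_CIPHERS_NO_ACCEL, LEGACY_NO_NCP, "BF-CBC"
        ),
    }


if __name__ == "__main__":
    for label, chosen in scenarios().items():
        print(f"{label}: {chosen or 'NO COMMON CIPHER (connection fails)'}")
```

The model shows why the CBC entries stay in the list: a peer that never learned NCP still lands on AES-256-CBC or AES-128-CBC, while any peer that offers a GCM or ChaCha20 suite is steered to it by the server's ordering, and a peer whose only cipher is something absent from the list (BF-CBC here) gets no data channel at all.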
