90 |
+ </entry> |
+ </entry> |
91 |
+ <entry> |
+ <entry> |
92 |
+ <base>SUGGESTED</base> |
+ <base>SUGGESTED</base> |
93 |
+ <trans>Sugested value</trans> |
+ <trans>Suggested value</trans> |
94 |
+ </entry> |
+ </entry> |
95 |
+ <entry> |
+ <entry> |
96 |
+ <base>DEFAULT</base> |
+ <base>DEFAULT</base> |
173 |
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; |
+my $tlsCipher12 = ( $db->get_prop($key,'tlsCipher12') ) ? $db->get_prop($key,'tlsCipher12') : "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"; |
174 |
+ |
+ |
175 |
+ |
+ |
176 |
+# cipher default to BF if empty, we really want higher on new setup, but keep empty for default on existing one... |
+ |
177 |
+# here openvpn uses encrypt-then-mc so no issue using CBC rather than GCM, and GCM not implemented before openvpn 2.4 for data channel |
+ |
178 |
+my $cipher = ( $db->get_prop($key,'Cipher') && $db->get_prop($key,'Cipher') ne 'auto')? $db->get_prop($key,'Cipher') : undef; |
+ |
179 |
+ |
+ |
180 |
+ |
+ |
181 |
if ($auth eq 'SharedKey'){ |
if ($auth eq 'SharedKey'){ |
186 |
$OUT .= "tls-server\n"; |
$OUT .= "tls-server\n"; |
187 |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
188 |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
189 |
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13; |
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13; |
190 |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
191 |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
192 |
$OUT .= "key priv/$key" . "_key.pem\n"; |
$OUT .= "key priv/$key" . "_key.pem\n"; |
202 |
$OUT .= "tls-client\n"; |
$OUT .= "tls-client\n"; |
203 |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
+ $OUT .= "tls-version-min $tlsVmin\n"; |
204 |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
+ $OUT .= "tls-cipher $tlsCipher12\n" if defined $tlsCipher12; |
205 |
+ $OUT .= "tls-ciphersuites tlsCipherSuites13\n" if defined tlsCipherSuites13; |
+ $OUT .= "tls-ciphersuites $tlsCipherSuites13\n" if defined $tlsCipherSuites13; |
206 |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
$OUT .= "ca pub/$key" . "_cacert.pem\n"; |
207 |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
$OUT .= "cert pub/$key" . "_cert.pem\n"; |
208 |
$OUT .= "key priv/$key" . "_key.pem\n"; |
$OUT .= "key priv/$key" . "_key.pem\n"; |