I have a strange situation with OpenVPN on the client side, no matter which platform (Linux, Windows or Android). The problem occurs when there is no (at least):
cipher AES-256-CBC
option defined in the client config file, but it is configured in the server config (then the client won't connect):
Tue Oct 17 14:46:43 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1559'
Tue Oct 17 14:46:43 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Tue Oct 17 14:46:43 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
...
Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct 17 14:46:59 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue Oct 17 14:46:59 2017 Preserving previous TUN/TAP instance: Ethernet 3
Tue Oct 17 14:46:59 2017 Initialization Sequence Completed
Tue Oct 17 14:46:59 2017 MANAGEMENT: >STATE:1508248019,CONNECTED,SUCCESS,10.190.5.6,1.2.3.44430,192.168.52.144,57804
Tue Oct 17 14:47:00 2017 Connection reset, restarting [0]
Tue Oct 17 14:47:00 2017 SIGUSR1[soft,connection-reset] received, process restarting
Tue Oct 17 14:47:00 2017 MANAGEMENT: >STATE:1508248020,RECONNECTING,connection-reset,,,,,
Tue Oct 17 14:47:00 2017 Restart pause, 5 second(s)
Why is it not trying to negotiate better ciphers if the first won't comply?
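The option mismatches and the small-block cipher warning in the log above can be pulled out of a client log mechanically. The following Python script is an added example, not part of the original post; the names `audit_log`, `SAMPLE_LOG` and the other identifiers are hypothetical, and the patterns assume the log format shown in the post.

```python
import re

# Line formats taken from the client log in the post.
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized")

# Cipher families with a 64-bit block, the class the SWEET32 warning refers to.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-", "IDEA-", "RC2-")

# Sample input: lines copied from the log in the post.
SAMPLE_LOG = """\
Tue Oct 17 14:46:43 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1559'
Tue Oct 17 14:46:43 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Tue Oct 17 14:46:43 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Tue Oct 17 14:46:59 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Oct 17 14:46:59 2017 Initialization Sequence Completed
"""

def _value(opt, logged):
    """'cipher BF-CBC' -> 'BF-CBC' (the option name is repeated in the logged value)."""
    return logged[len(opt):].strip() if logged.startswith(opt + " ") else logged

def audit_log(text):
    """Collect local/remote option mismatches and the data-channel ciphers actually used."""
    mismatches, in_use = {}, set()
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            opt = m["opt"]
            mismatches[opt] = (_value(opt, m["local"]), _value(opt, m["remote"]))
            continue
        m = CIPHER_RE.search(line)
        if m:
            in_use.add(m[1])
    weak = sorted(c for c in in_use if c.upper().startswith(SMALL_BLOCK_PREFIXES))
    return {"mismatches": mismatches, "ciphers_in_use": sorted(in_use), "small_block": weak}

if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    for opt, (local, remote) in report["mismatches"].items():
        print(f"{opt}: local={local} remote={remote}")
    for cipher in report["small_block"]:
        print(f"64-bit block cipher in use: {cipher}")
```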