Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

Post a reply

:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek: :angel: :clap: :crazy: :eh: :lolno: :problem: :shh: :shifty: :sick: :silent: :think: :thumbdown: :thumbup: :wave: :wtf: :yawn:

BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON

Topic review

If you wish to attach one or more files enter the details below.

Maximum filesize per attachment: 130 MiB.

Expand view Topic review: Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

Re: Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

by df » Fri Apr 30, 2021 5:05 am

I thought I responded to this already, oops. When I added "--tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" for TLSv1.3 to the server-side openvpn configs, I screwed up and missed a few of them. They're all fixed now, and they should have been restarted a while back to apply the changes. I restarted them a while back when adding "--data-ciphers CHACHA20-POLY1305:AES-256-GCM" so people can choose "--cipher CHACHA20-POLY1305" client-side (if they're running OpenVPN 2.5.x). That's the part that handles encrypting the actual traffic, the --tls-ciphersuites part just handles the encryption for the initial handshake.
Comments were also reintroduced to the configs, so you can read all about these changes in any of the configs on or

Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

by AnonAsPossible » Thu Mar 11, 2021 8:21 am

Hi Df;
I've noticed inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers. All my ed25519 ovpn.conf files are exactly the same, except of course the IP addy.

On these servers; US-Maine, US-Washington, Findland, Germany-Frankfurt, Ireland, Montreal, Serbia, Spain-Barcelona, Switzerland, Vancouver,, The log shows; 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256'

On these servers; Austria, Czech, Iceland, Ireland, Rome, Bulgaria, Latvia, Moldova, Norway, Hungary, Slovakia, Spain-Madrid, UK-London,Manchester,, The log shows; 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384'

Does it matter if the 'tls-ciphers' are different?

Is one preferable over the other?

If 'TLS_CHACHA20_POLY1305_SHA256' is better, how do I force the server to use this?