Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

Posted: Thu Mar 11, 2021 8:21 am
by AnonAsPossible
Hi Df,
I've noticed inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers. All my ed25519 ovpn.conf files are exactly the same, except of course the IP addy.

On these servers: US-Maine, US-Washington, Finland, Germany-Frankfurt, Ireland, Montreal, Serbia, Spain-Barcelona, Switzerland, Vancouver, the log shows: 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256'

On these servers: Austria, Czech, Iceland, Ireland, Rome, Bulgaria, Latvia, Moldova, Norway, Hungary, Slovakia, Spain-Madrid, UK-London, Manchester, the log shows: 'Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384'

Does it matter if the 'tls-ciphers' are different?

Is one preferable over the other?

If 'TLS_CHACHA20_POLY1305_SHA256' is better, how do I force the server to use this?

thnx

Re: Inconsistent 'tls-ciphers' for 'TLSv1.3' across different servers

Posted: Fri Apr 30, 2021 5:05 am
by df
I thought I responded to this already, oops. When I added "--tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384" for TLSv1.3 to the server-side openvpn configs, I screwed up and missed a few of them. They're all fixed now, and they should have been restarted a while back to apply the changes. I restarted them a while back when adding "--data-ciphers CHACHA20-POLY1305:AES-256-GCM" so people can choose "--cipher CHACHA20-POLY1305" client-side (if they're running OpenVPN 2.5.x). That's the part that handles encrypting the actual traffic, the --tls-ciphersuites part just handles the encryption for the initial handshake.
Comments were also reintroduced to the configs, so you can read all about these changes in any of the configs on https://cryptostorm.is/configs/ or https://github.com/cryptostorm/conf
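The reply above describes exactly the failure mode a fleet-wide check catches: a directive added to most server configs but missed on a few. The following is an added example, not cryptostorm's own tooling; it parses the `tls-ciphersuites` (TLS 1.3 handshake) and `data-ciphers` (traffic encryption) lines from a set of server configs and reports any server that is missing a directive or carries a different value. The server names and config contents are constructed samples.

```python
import re

# Expected values, as given in the reply above.
EXPECTED = {
    "tls-ciphersuites": "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
    "data-ciphers": "CHACHA20-POLY1305:AES-256-GCM",
}

# Constructed sample configs: one correct, one missing tls-ciphersuites
# (the "missed a few" case), one with the suites in a different order.
SAMPLE_CONFIGS = {
    "us-maine": "port 443\nproto udp\n# TLS 1.3 handshake suites\n"
                "tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n"
                "data-ciphers CHACHA20-POLY1305:AES-256-GCM\n",
    "austria": "port 443\nproto udp\ndata-ciphers CHACHA20-POLY1305:AES-256-GCM\n",
    "serbia": "port 443\nproto udp\n"
              "tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\n"
              "data-ciphers CHACHA20-POLY1305:AES-256-GCM\n",
}

# Matches "<directive> <value>" at the start of a single config line.
DIRECTIVE = re.compile(r"^\s*(tls-ciphersuites|data-ciphers)\s+(\S+)")


def parse_directives(config_text):
    """Return {directive: value} for the cipher directives in one config.
    Comment lines ('#' or ';') are skipped, so a commented-out directive
    does not count as present."""
    found = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def find_drift(configs, expected=EXPECTED):
    """Return {server: {directive: actual_value_or_None}} for every server
    whose value differs from expected (order included) or is missing."""
    drift = {}
    for server, text in configs.items():
        actual = parse_directives(text)
        bad = {d: actual.get(d) for d, v in expected.items() if actual.get(d) != v}
        if bad:
            drift[server] = bad
    return drift


if __name__ == "__main__":
    for server, problems in sorted(find_drift(SAMPLE_CONFIGS).items()):
        for directive, value in problems.items():
            print(f"{server}: {directive} = {value or '<missing>'}")
```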