Package: openvpn
Version: 2.6.0~rc1
Severity: normal

Dear Maintainer,

after updating openvpn from bullseye-backports from 2.5.1 to 2.6.0~rc1 I got a broken VPN client-to-site connection to a server not supporting TLS 1.2 (forced min TLS version: 1.0, overridden cipher: AES-128-CBC). The reason is not the explicit cipher in the setting, but network-manager-openvpn relies on a different option set.

Message:
--cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

As a result, the connection cannot be established.

IMHO, in each case it is not a idea to backport openvpn 2.6 unless network-manager-openvpn also supports overriding --data-ciphers.

-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  iproute2               6.1.0-1~bpo11+1
ii  libc6                  2.31-13+deb11u5
ii  liblz4-1               1.9.3-2
ii  liblzo2-2              2.10-2
ii  libpam0g               1.4.0-9+deb11u1
ii  libpkcs11-helper1      1.27-1
ii  libssl1.1              1.1.1n-0+deb11u3
ii  libsystemd0            251.3-1~bpo11+1
ii  lsb-base               11.1.0

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.8-1

Versions of packages openvpn suggests:
ii  openssl                  1.1.1n-0+deb11u3
pn  openvpn-systemd-resolved <none>
pn  resolvconf               <none>

-- debconf information:
  openvpn/create_tun: false
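
Added example, not part of the original report and not OpenVPN or network-manager-openvpn code: a pre-upgrade check that scans a client configuration for the condition in the quoted message, a --cipher value missing from --data-ciphers. The default list is copied from that message; the sample configuration, its host name and the function names are constructed for illustration, and case-insensitive cipher matching is an assumption.

```python
import shlex

# Negotiation list copied from the log message quoted in the report above.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"


def parse_options(config_text):
    """Map option name -> first argument (last occurrence wins)."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment line
            continue
        parts = shlex.split(line, comments=True)  # also drops trailing "# ..."
        if parts:
            opts[parts[0].lstrip("-")] = parts[1] if len(parts) > 1 else ""
    return opts


def check_cipher(config_text):
    """Report whether the configured --cipher can still be negotiated."""
    opts = parse_options(config_text)
    cipher = opts.get("cipher")
    offered = opts.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":")
    result = {"cipher": cipher, "data_ciphers": offered,
              "negotiable": True, "suggestion": None}
    # Assumption: cipher names are compared case-insensitively.
    if cipher and cipher.upper() not in (c.upper() for c in offered):
        result["negotiable"] = False
        # One possible fix: append the legacy cipher to the offered list.
        result["suggestion"] = "data-ciphers " + ":".join(offered + [cipher])
    return result


# Constructed sample resembling the setup described in the report.
SAMPLE = """\
client
dev tun
remote vpn.example.net 1194
tls-version-min 1.0
cipher AES-128-CBC  # legacy server
"""

if __name__ == "__main__":
    report = check_cipher(SAMPLE)
    print("negotiable:", report["negotiable"])
    if report["suggestion"]:
        print("add to config:", report["suggestion"])
```

Run over every client profile before moving to 2.6, this flags the profiles that would fail as described above.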