Hello,

A question about the tinc Cipher= and Digest= values:

Do these values absolutely need to be identical on both "sides" for the connection to work? Or does it only affect the outgoing side of the packets but not the receive?

For example three nodes, two with ConnectTo= to Hub H, and on host A I have a hosts/H and hosts/B entry with:

Cipher=blowfish
Digest=sha1

But on host B I have a hosts/H and hosts/A entry with:

Cipher=aes
Digest=sha256

(And worst case like on Hub H hosts/A and hosts/B with Cipher=none, Digest=none)

The question is because we currently have a big net using the default Cipher=blowfish and Digest=sha1, and would like to switch to something more secure and AES-NI optimized, but can't change all nodes at the same time, and do not want to break half the network in the middle.

(And yes, I know this only affects the tinc 1.0 hosts, but they are still the majority)

c'ya
sven-haegar

--
Three may keep a secret, if two of them are dead.
- Ben F.

On Tue, Apr 07, 2015 at 08:49:06PM +0200, Sven-Haegar Koch wrote:

> A question about the tinc Cipher= and Digest= values:
>
> Do these values absolutely need to be identical on both "sides" for the
> connection to work? Or does it only affect the outgoing side of the
> packets but not the receive?

They do not have to be identical. It only affects outgoing packets.

> For example three nodes, two with ConnectTo= to Hub H, and on host A I
> have a hosts/H and hosts/B entry with:
>
> Cipher=blowfish
> Digest=sha1
>
> But on host B I have a hosts/H and hosts/A entry with:
>
> Cipher=aes
> Digest=sha256
>
> (And worst case like on Hub H hosts/A and hosts/B with Cipher=none,
> Digest=none)

This is fine.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
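
An added example, not part of either message and not tinc's own code: during a staged switch like the one asked about, this Python audit reads one node's hosts/ directory and reports which entries already carry the new values, which still fall back to the defaults named in the thread, and which are set to none. The target values aes/sha256 are taken from the question's example, the function names are hypothetical, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Defaults as stated in the thread for tinc 1.0 when a hosts/ file sets nothing.
DEFAULTS = {"cipher": "blowfish", "digest": "sha1"}
# "Variable = value": names are case-insensitive and the "=" is optional in tinc.
LINE = re.compile(r"^\s*(cipher|digest)(?:\s*=\s*|\s+)(\S+)\s*$", re.IGNORECASE)

def read_host(path):
    """Return the effective Cipher/Digest declared by one hosts/ file."""
    settings = dict(DEFAULTS)
    in_key = False  # skip the PEM public key block embedded in host files
    for raw in Path(path).read_text(errors="replace").splitlines():
        if raw.startswith("-----BEGIN"):
            in_key = True
        elif raw.startswith("-----END"):
            in_key = False
        elif not in_key and not raw.lstrip().startswith("#"):
            m = LINE.match(raw)
            if m:
                settings[m.group(1).lower()] = m.group(2).lower()
    return settings

def audit(hosts_dir, want_cipher="aes", want_digest="sha256"):
    """Map host name -> (cipher, digest, status) for every file in hosts_dir."""
    report = {}
    for path in sorted(Path(hosts_dir).iterdir()):
        if not path.is_file():
            continue
        s = read_host(path)
        if "none" in (s["cipher"], s["digest"]):
            status = "UNPROTECTED"   # worst case from the question
        elif (s["cipher"], s["digest"]) == (want_cipher, want_digest):
            status = "migrated"
        else:
            status = "pending"       # still on the old or default values
        report[path.name] = (s["cipher"], s["digest"], status)
    return report

def demo():
    """Constructed hosts/ directory mirroring the thread's three-node example."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "A").write_text("Address = 192.0.2.10\nCipher=aes\nDigest=sha256\n")
        Path(d, "B").write_text("# not edited yet, defaults apply\nSubnet = 10.0.2.0/24\n")
        Path(d, "H").write_text("Cipher = none\nDigest = none\n")
        return audit(d)

if __name__ == "__main__":
    for host, (cipher, digest, status) in demo().items():
        print(f"{host:6} Cipher={cipher:10} Digest={digest:8} {status}")
```

Because each node keeps its own copies of the host files, the audit has to be run per node to see what that node has configured.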