From 3fd4d5b9c595b43dddbb75cf0748450b36a5610a Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Thu, 23 Feb 2023 11:07:46 +0000
Subject: T5027: Enable legacy provider to support current ciphers

* We will need to remove insecure ciphers as a long-term solution (BF-CBC, DES...)
---
 data/templates/openvpn/server.conf.j2 | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'data/templates/openvpn')

diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 6dd4ef88d..af866f2a6 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -213,6 +213,9 @@ keysize 256
 data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
 {%     endif %}
 {% endif %}
+# https://vyos.dev/T5027
+# Required to support BF-CBC (default ciphername when none given)
+providers legacy default
 
 {% if hash is vyos_defined %}
 auth {{ hash }}
-- 
cgit v1.2.3