@@ -17,7 +17,6 @@ cipher is no longer available by default in OpenSSL 3.0. It can be enabled
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
cipher by default and older OpenVPN releases are no longer supported upstream.
-
---
distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
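Review bot: the blank line dropped just before the `---` separator is a whitespace-only change to the embedded patch's description and has no bearing on whether the patch applies. The commit message only mentions the changed unit file and fuzz level, so either say that the patch was regenerated or leave this line alone to keep the refresh minimal.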
@@ -26,12 +25,12 @@ diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-
index 6e8e7d9..6acbc8e 100644
--- a/distro/systemd/openvpn-server@.service.in
+++ b/distro/systemd/openvpn-server@.service.in
-@@ -10,7 +10,7 @@
+@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_SYS_NICE CAP_AUDIT_WRITE
- LimitNPROC=10
+ TasksMax=20
DeviceAllow=/dev/null rw
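Review bot: the refresh fixes the trailing context (` LimitNPROC=10` becomes ` TasksMax=20`), but the embedded hunk still carries three context lines on each side of `ExecStart=`, so with fuzz 0 it will stop applying again the next time upstream touches any neighbouring directive. Consider regenerating the patch with less context around the `ExecStart=` line, or making the substitution in the spec file directly, so the build does not depend on unrelated unit-file settings staying byte-identical.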
Since openvpn-server@.service.in changed recently and the default fuzz
level for RPM's patch macro is 0, the patch file can no longer be applied.
This should fix the recently failing builds on copr.fedoraproject.org.

Signed-off-by: Christian Schürmann <spike@fedoraproject.org>
---
 ...hange-the-default-cipher-to-AES-256-GCM-for-server-.patch | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)