From 4baf845e36960c06d5e0aa511813c7b559c1f2dc Mon Sep 17 00:00:00 2001
From: jtbr
Date: Fri, 29 Apr 2016 20:00:09 +0000
Subject: [PATCH] Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request

---
 README.md | 7 +++----
 openvpn-install.sh | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 02695af..26521cc 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This fork includes :
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
 - Run server in unprivileged mode, reducing risks to the system
 - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
-- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -34,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
 
-### Fast (lower encryption, supports openvpn connect [ios/android] clients)
+### Fast (lower encryption)
 
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-CBC
-- SHA-128 RSA certificate
+- 128 bits AES-GCM
+- SHA-256 RSA certificate
 
 ## Compatibility
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c390bfb..1222024 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -309,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 	# If the user selected the fast, less hardened version
-	# iOS OpenVPN connect doesn't support GCM or SHA256; use next best
-	echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
+	echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 	# If the user selected the relatively slow, ultra hardened version
 	echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
@@ -448,7 +447,7 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 	# If the user selected the fast, less hardened version
-	echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
+	echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 	# If the user selected the relatively slow, ultra hardened version
 	echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
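Review bot: The suite string `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` is now hard-coded in two places, once in each hunk, inside two separate `if [[ "$VARIANT" = '1' ]]` chains for server.conf and client-common.txt; a pinned `tls-cipher` only negotiates when both files name the same suite, so the copies must change in lockstep, which is exactly the two-place edit this commit has to make. Selecting the suite once, e.g. `case "$VARIANT" in 1) tls_cipher=TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 ;; 2) tls_cipher=TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 ;; esac`, and then `echo "tls-cipher $tls_cipher" >> /etc/openvpn/server.conf` with the same line for client-common.txt would remove the drift risk. Both if/elif chains end outside the hunks; if neither has an `else` arm, a VARIANT other than 1 or 2 writes no `tls-cipher` line at all and silently falls back to OpenVPN's default suite list, which deserves either a comment or an explicit abort. The removed comment recorded why CBC-SHA had been chosen; a replacement such as `# GCM/SHA256 suite; requires TLS 1.2 AEAD support on every client` on the new echo would keep the rationale for the next maintainer.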