Error: Server Encryption Cipher Disallowed

Viscosity may present you with a "Server Encryption Cipher Disallowed" alert when attempting to connect to a VPN server that is using a legacy encryption cipher that is no longer considered secure by OpenVPN. Typically, this means that the OpenVPN server is running a very old version of OpenVPN. You may also see an error message similar to "OPTIONS ERROR: failed to negotiate cipher with server" in the connection log.

An encryption cipher is the algorithm used to encrypt your network traffic so that unauthorised parties cannot view it. A good encryption cipher is infeasible to break using modern computing resources. However, over time ciphers that were once considered secure may become less so, as faster computing hardware becomes available or as vulnerabilities or weaknesses in the algorithm are discovered.

BF-CBC (Blowfish) is one such cipher. It was the default cipher used by OpenVPN 2.4 and earlier versions. However, it is no longer considered as secure as it once was (with attacks such as SWEET32 being discovered). OpenVPN 2.5 and later versions will no longer allow BF-CBC (and other legacy ciphers considered potentially insecure) to be used by default. If you try to connect to an old OpenVPN server that only allows the use of a legacy cipher like BF-CBC, then the connection attempt will be terminated.

The recommended way to resolve this error message is to update the OpenVPN server to a newer version of OpenVPN (2.4 or later). However, if this is not possible, and you understand the risks of using a potentially insecure cipher, you can still connect to the server using Viscosity by ticking the "Always allow <cipher> for this connection" checkbox and then clicking the OK button.
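
For administrators who want to confirm that a server configuration is the cause of this alert, the following added example (not Viscosity or OpenVPN code) scans OpenVPN config text for legacy cipher settings. The function name and both sample configs are constructed for illustration, and the cipher set goes beyond BF-CBC to the other 64-bit block ciphers in the same SWEET32 class.

```python
import re

# 64-bit block ciphers (OpenSSL/OpenVPN names) in the SWEET32 class.
# BF-CBC is the one the page names; the others are added by generalization.
LEGACY_64BIT = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

# Constructed sample configs, not taken from any real server.
LEGACY_SERVER = """\
port 1194
dev tun
cipher BF-CBC   # kept from an old install
ncp-disable
"""
MODERN_SERVER = """\
port 1194
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
"""

def audit_openvpn_config(text):
    """Return (line_no, directive, finding) tuples for legacy cipher settings."""
    findings, cipher_configured = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "ncp-disable":
            findings.append((no, directive, "cipher negotiation disabled"))
        if directive not in ("cipher", "data-ciphers-fallback",
                             "data-ciphers", "ncp-ciphers") or not args:
            continue
        cipher_configured = True
        for name in args[0].upper().split(":"):  # list directives use ':'
            if name in LEGACY_64BIT:
                findings.append((no, directive, f"legacy cipher {name}"))
    if not cipher_configured:
        # Per the page: OpenVPN 2.4 and earlier default to BF-CBC.
        findings.append((0, "cipher", "no cipher set; old servers default to BF-CBC"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        print(label, audit_openvpn_config(cfg))
```

A finding with line number 0 means no cipher directive was present at all, so the effective cipher depends on the server's OpenVPN version.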