Hello Adolf,

Sorry for digging this up so late…

You are right that we cannot use ncp-disable at all any more with newer clients. However, there is no chance for a user to disable NCP on the server side any more. So we can simply remove the case of not having any ciphers set because that should never ever exist.

I added this here:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=d6ec7e0bf08a00c734c9e7b5f7c517ef82029afe

I had this in the back of my mind that this needed fixing, but I completely forgot that you sent this. You still sent me down the right way.

-Michael

> On 28 Aug 2025, at 11:29, Adolf Belka <[email protected]> wrote:
>
> - If a backup from before openvpn-2.6 is restored then the server.conf file has ncp-disable still in it. Also data-ciphers in server.conf and DATACIPHERS in settings will not be present.
> - The existing code checks if DATACIPHERS is empty and if it is then it puts ncp-disable into server.conf which we no longer need to have.
> - This patch changes this code section so that if DATACIPHERS is empty then it has the default ciphers added into server.conf and then also updates the DATACIPHERS entry in the settings file.
> - I have made this an RFC patch as the patch does work but it might not be the correct or best way to go about this.
> - If it is accepted then the previous patches I did for backup.pl and update.sh can be reverted.
> - The change was tested out with the reverted backup.pl and all old backup versions were successfully restored correctly and worked as expected. Also tested out the change with a backup from CU197 and that restore also worked correctly.
>
> Tested-by: Adolf Belka <[email protected]>
> Signed-off-by: Adolf Belka <[email protected]>
> ---
> html/cgi-bin/ovpnmain.cgi | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index dfe7f8ad5..8c908d725 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -291,8 +291,14 @@ sub writeserverconf { > print CONF "status $RW_STATUS 30\n"; > > # Cryptography > + > + # Previous ncp-disable server conf will have an empty DATACIPHERS entry > + # This will occur with restores from prior to OpenVPN-2.6 > + # Replace the empty DATACIPHERS entry with the default value > if ($vpnsettings{'DATACIPHERS'} eq '') { > - print CONF "ncp-disable\n"; > + print CONF "data-ciphers " . "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305" . > "\n"; > + $vpnsettings{'DATACIPHERS'} = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305"; > + &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); > } else { > print CONF "data-ciphers " . $vpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n"; > } > -- > 2.51.0 > >
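Review bot: In the empty-DATACIPHERS branch of writeserverconf the default cipher list is spelled out twice, once colon-separated for the "data-ciphers" line and once pipe-separated for $vpnsettings{'DATACIPHERS'}, so the two literals can drift apart on a later edit. Suggest assigning the pipe-separated default to $vpnsettings{'DATACIPHERS'} first when it is empty and then letting the existing print with s/\|/:/gr emit the line, which leaves one literal and one print path and removes the redundant string concatenation. The same branch calls &General::writehash on "${General::swroot}/ovpn/settings" from inside the function that generates server.conf, so regenerating the server configuration now rewrites the settings file as a side effect; the added comment should say so, or the write should move to the restore path. It would also help if the comment stated that ncp-disable is intentionally no longer emitted, since that is the behavioural change a later reader will be looking for.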
