On Sat, Jul 01, 2017 at 09:38:20AM +0200, Steffan Karger wrote:
> If a peer has set --keysize, and NCP negotiates a cipher with a different
> key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a
> "invalid key size" error.  To prevent that, always set keysize=0 for NCP'd
> ciphers.
> 
> Signed-off-by: Steffan Karger <stef...@karger.me>
> ---
>  src/openvpn/ssl.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index f868457e..a8418d37 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -1976,6 +1976,7 @@ tls_session_update_crypto_params(struct tls_session 
> *session,
>      {
>          msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
>              options->ciphername);
> +        options->keysize = 0; /* Always use default key size for NCP */
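Review bot: the new assignment clears options->keysize unconditionally, so a --keysize the user configured is discarded silently; the msg() two lines above only reports the negotiated cipher name. Consider logging when a non-zero value is being overridden, e.g. `if (options->keysize) { msg(D_HANDSHAKE, "Data Channel: ignoring --keysize %d for negotiated cipher", options->keysize); }` before the assignment, so that a peer which previously exited with "invalid key size" now gets an explanation of why its setting no longer applies. The inline comment "Always use default key size for NCP" would also read better as "keysize 0 means the cipher's default", since that is the meaning the commit message relies on.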

How about printing a message to inform the user that if any keysize was set it
is now getting cleared up?

Cheers,

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel