On Sat, Jul 01, 2017 at 09:38:20AM +0200, Steffan Karger wrote: > If a peer has set --keysize, and NCP negotiates a cipher with a different > key size (e.g. --keysize 128 + AES-256-GCM), that peer will exit with a > "invalid key size" error. To prevent that, always set keysize=0 for NCP'd > ciphers. > > Signed-off-by: Steffan Karger <stef...@karger.me> > --- > src/openvpn/ssl.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index f868457e..a8418d37 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -1976,6 +1976,7 @@ tls_session_update_crypto_params(struct tls_session > *session, > { > msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", > options->ciphername); > + options->keysize = 0; /* Always use default key size for NCP */
How about printing a message to inform the user that if any keysize was set it is now getting cleared up? Cheers, -- Antonio Quartulli
signature.asc
Description: Digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel