Hi, On 14-08-2020 10:06, Arne Schwabe wrote: > OpenVPN 2.5 clients do not correctly do a fallback to the server server. > This commit fixes that logic and also fixes --data-ciphers-fallback to > be used in situations other than no OCC cipher. > > To reproduce the error use a client with only --data-ciphers set against > a server without NCP. > > OPTIONS ERROR: failed to negotiate cipher with server. > Add the server's cipher ('AES-256-CBC') to --data-ciphers > (currently 'AES-256-CBC') if you want to connect to this server. > > Reported by: Richard Bonhomme <tincantek...@gmail.com> > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > src/openvpn/ssl_ncp.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c > index f522b8f0..c9ab85ce 100644 > --- a/src/openvpn/ssl_ncp.c > +++ b/src/openvpn/ssl_ncp.c > @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int > found) > } > /* If the server did not push a --cipher, we will switch to the > * remote cipher if it is in our ncp-ciphers list */ > - bool useremotecipher = tls_poor_mans_ncp(&c->options, > - > c->c2.tls_multi->remote_ciphername); > - > + if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername)) > + { > + return true; > + } > > /* We could not figure out the peer's cipher but we have fallback > * enabled */ > - if (!useremotecipher && c->options.enable_ncp_fallback) > + if (!c->c2.tls_multi->remote_ciphername && > c->options.enable_ncp_fallback) > { > return true; > } >
This makes sense. Given that the commit message is fixed as suggested by Richard: Acked-by: Steffan Karger <stef...@karger.me> -Steffan _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel