Hi,

On 14-08-2020 10:06, Arne Schwabe wrote:
> OpenVPN 2.5 clients do not correctly do a fallback to the server server.
> This commit fixes that logic and also fixes --data-ciphers-fallback to
> be used in situations other than no OCC cipher.
> 
> To reproduce the error use a client with only --data-ciphers set against
> a server without NCP.
> 
>         OPTIONS ERROR: failed to negotiate cipher with server.
>         Add the server's cipher  ('AES-256-CBC') to --data-ciphers
>         (currently 'AES-256-CBC') if you want to connect to this server.
> 
> Reported by: Richard Bonhomme <tincantek...@gmail.com>
> 
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
>  src/openvpn/ssl_ncp.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index f522b8f0..c9ab85ce 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int 
> found)
>      }
>      /* If the server did not push a --cipher, we will switch to the
>       * remote cipher if it is in our ncp-ciphers list */
> -    bool useremotecipher = tls_poor_mans_ncp(&c->options,
> -                                             
> c->c2.tls_multi->remote_ciphername);
> -
> +    if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
> +    {
> +        return true;
> +    }
>  
>      /* We could not figure out the peer's cipher but we have fallback
>       * enabled */
> -    if (!useremotecipher && c->options.enable_ncp_fallback)
> +    if (!c->c2.tls_multi->remote_ciphername && 
> c->options.enable_ncp_fallback)
>      {
>          return true;
>      }
> 
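Review bot: the second `if` now gates the fallback on `!c->c2.tls_multi->remote_ciphername`, i.e. fallback applies only when the server sent no OCC cipher at all, whereas the old `!useremotecipher` also covered the case where a cipher was announced but not accepted by `tls_poor_mans_ncp`; that narrowing is fine, but the commit message sentence "fixes --data-ciphers-fallback to be used in situations other than no OCC cipher" reads as the opposite of what this hunk does, so please reword it to say the fallback is now only used when the server announces no cipher (this is presumably the commit-message fix Richard asked for). Minor style point in the same hunk: `if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))` is missing the space after `if`; the surrounding code and the other conditional in this hunk use `if (`.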

This makes sense. Given that the commit message is fixed as suggested by
Richard:

Acked-by: Steffan Karger <stef...@karger.me>

-Steffan


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel