This commit fixes two separate issues which are closely linked.
First, a 2.5 client cannot connect to a server which does not support NCP
and is not using one of the default --data-ciphers (AES-*-GCM).
This is because the 2.5 client does not use its configured --data-ciphers
cipher in the "fall back to OCC based cipher negotiation" case. Fix this.
Second, do not allow the 2.5 client to use --data-ciphers-fallback in the
above situation because that is not it's intended use (only to be used if
there is no pushed cipher [NCP] and no OCC provided cipher).
To reproduce the error use a client with only --data-ciphers set against
a server without NCP.
OPTIONS ERROR: failed to negotiate cipher with server.
Add the server's cipher ('AES-256-CBC') to --data-ciphers
(currently 'AES-256-CBC') if you want to connect to this server.
Reported by: Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <
20200814080619.2108-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
}
/* If the server did not push a --cipher, we will switch to the
* remote cipher if it is in our ncp-ciphers list */
- bool useremotecipher = tls_poor_mans_ncp(&c->options,
- c->c2.tls_multi->remote_ciphername);
-
+ if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+ {
+ return true;
+ }
/* We could not figure out the peer's cipher but we have fallback
* enabled */
- if (!useremotecipher && c->options.enable_ncp_fallback)
+ if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)
{
return true;
}
projects / thirdparty / openvpn.git / commitdiff
