Also announce IV_CIPHERS as client in OpenVPN 2.4
authorArne Schwabe <arne@rfc2549.org>
Sun, 30 Aug 2020 14:07:36 +0000 (16:07 +0200)
committerGert Doering <gert@greenie.muc.de>
Tue, 24 Nov 2020 19:28:59 +0000 (20:28 +0100)
This improves compatibility with an OpenVPN 2.5 server and
allows negotiating a different cipher than AES-128/256-GCM
without abusing the poor man's NCP support with --cipher.

We keep the IV_NCP=2 flag logic as broken as it is since 2.5 server
ignore the flag if IV_CIPHERS is set and this might break existing
2.4 setups.

Server support for IV_CIPHERS is not added since it would be quite
intrusive and users should rather upgrade to 2.5 on the server
if they want the full benefits.

This commit cherry picks a few parts of
868b200c3aef6ee5acfdf679770832018ebc7b70

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200830140736.16571-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/init.c
src/openvpn/ssl.c
src/openvpn/ssl_common.h

index 9142ba5192c547d0f484df3a894fe4070bf03e0c..f35bf9c2b8d5a1513dc2c3bf913a044bb54ccd91 100644 (file)
@@ -2745,6 +2745,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
     to.config_ciphername = c->c1.ciphername;
     to.config_authname = c->c1.authname;
+    to.config_ncp_ciphers = options->ncp_ciphers;
     to.ncp_enabled = options->ncp_enabled;
     to.transition_window = options->transition_window;
     to.handshake_window = options->handshake_window;
index dd9c52fb2de05f768d2995a7daabed5730c77539..c93beea6730be4fcabc6fe2ec3040d24f9cb97c2 100644 (file)
@@ -2311,7 +2311,17 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
         if (session->opt->ncp_enabled
             && (session->opt->mode == MODE_SERVER || session->opt->pull))
         {
+            /* We keep announcing IV_NCP=2 in OpenVPN 2.4 even though it is
+             * technically wrong to ensure not to break 2.4 setups on a
+             * minor release */
             buf_printf(&out, "IV_NCP=2\n");
+            buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers);
+            if (!tls_item_in_cipher_list(session->opt->config_ciphername,
+                                         session->opt->config_ncp_ciphers))
+            {
+                buf_printf(&out, ":%s", session->opt->config_ciphername);
+            }
+            buf_printf(&out, "\n");
         }
 
         /* push compression status */
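Review bot: `buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers)` hands the new field straight to a `%s` conversion; if `options->ncp_ciphers` can be unset while `ncp_enabled` is true (this hunk does not show whether a default is always filled in), that is a NULL format argument, and `tls_item_in_cipher_list` on the next line receives the same NULL. A one-line `ASSERT(session->opt->config_ncp_ciphers);` placed before the `IV_CIPHERS` line would make that invariant explicit rather than implied. The `buf_printf` results are unchecked, which matches the existing `IV_NCP=2` line, but `IV_CIPHERS=` is the longest item pushed here and its length is set by the user's `--ncp-ciphers` list, so the peer-info string would be silently cut short if `out` fills up; worth confirming the buffer is sized for the longest accepted list. push_peer_info's body begins before and continues after the hunk.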
index ac25ffa78c0145b1a2b26d5620aa35b89d85b435..378b81fdce06abb8b0c7ea68c8b2a0cd3ba83f78 100644 (file)
@@ -286,6 +286,7 @@ struct tls_options
 
     const char *config_ciphername;
     const char *config_authname;
+    const char *config_ncp_ciphers;
     bool ncp_enabled;
 
     /** TLS handshake wrapping state */
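Review bot: The new `config_ncp_ciphers` member is added without a doc comment although the member three lines below carries one; a short `/** --ncp-ciphers list as configured; announced to the peer as IV_CIPHERS */` above it would record where the value comes from and which message consumes it. `struct tls_options` starts before this hunk.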