git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Fri, 14 Aug 2020 08:06:19 +0000 (10:06 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 23 Aug 2020 19:03:40 +0000 (21:03 +0200)
commit	a61883406f7caf39aab274979bb2d43d85804df8
tree	488018e03f7d55fe89c138e8e9a80c04d8888381	tree
parent	f4761dd12ec5eb10a5897ecb7dc427f54a9b0769	commit \| diff

Fix client's poor man NCP fallback

This commit fixes two separate issues which are closely linked.

First, a 2.5 client cannot connect to a server which does not support NCP
and is not using one of the default --data-ciphers (AES-*-GCM).

This is because the 2.5 client does not use its configured --data-ciphers
cipher in the "fall back to OCC based cipher negotiation" case.  Fix this.

Second, do not allow the 2.5 client to use --data-ciphers-fallback in the
above situation because that is not it's intended use (only to be used if
there is no pushed cipher [NCP] and no OCC provided cipher).

To reproduce the error use a client with only --data-ciphers set against
a server without NCP.

        OPTIONS ERROR: failed to negotiate cipher with server.
        Add the server's cipher  ('AES-256-CBC') to --data-ciphers
        (currently 'AES-256-CBC') if you want to connect to this server.

Reported by: Richard Bonhomme <tincanteksup@gmail.com>

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200814080619.2108-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2ab0a92442dce1d82fcb9e2b305313ef668d40bf)