On Thu, Apr 21, 2016 at 10:36 PM, Gert Doering <g...@greenie.muc.de> wrote:
> On Thu, Apr 21, 2016 at 10:27:50PM +0200, Jan Just Keijser wrote:
>> there are a few notes about this patch:
>>
>> - I've tested it on Linux only
>> - it works when pushing both --cipher and/or --auth
>> - works by re-doing part of the encryption setup (you'll see some
>> messages fly by twice)
>> - pushing an HMAC (e.g. push "auth SHA256") does **not** work in
>> combination with --tls-auth: when tls-auth is used all incoming packets
>> are signed using the "original" HMAC cipher and you won't even get to
>> the "push" stage to get the correct cipher.
>
> Does it work on the server side, that is, having a ccd/ file or script
> that tells the server "cipher <foo>" for a given client?

No, this is client-side support to accept pushed ciphers. This is no multi-cipher support on the server side.

> Otherwise: impressive :-) (I leave the actual code review to Steffan)

Very cool indeed! We already had some discussion on #openvpn-devel. Some minor things popped up, but I'll let that settle a bit before really getting into it on the list.

-Steffan