Hi,

On Mon, Jul 25, 2016 at 10:04 PM, Gert Doering <g...@greenie.muc.de> wrote:
> has anyone ever used "--cipher" without an argument? If yes, what is the
> intended usage? It sort of "tells openvpn we want crypto!" but does not
> go into detail about it...
>
> Normally, this would just be a random weird option, but I ran across
>
>   --cipher none --cipher
>
> which first tells openvpn "nah, we do not want anything!" and sets
> a pointer to NULL, and then tells openvpn "but please *do* use the
> ciphers already setup!", which core dumps.
>
> This is not remotely exploitable, so not a *security* issue, but a bit
> stupid nonetheless - so I propose we just throw out "--cipher" with
> no arguments (--cipher none, or --cipher bf-cbc would, of course,
> continue to work).
>
> Anyone having a good argument against it? JJK, do you happen to know
> what this is about?

As the patch I just sent suggests, I don't believe this can be useful at
all. Using just --cipher is a no-op if anything but '--cipher none' is
used (o->ciphername_defined is already set to true), and crashes OpenVPN
otherwise. Probably just a leftover 'from the old days'.

-Steffan
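
The option-state problem described in this thread, as an added example that is not part of the original messages and is not OpenVPN source: a simplified C model in which a bare `--cipher` sets the "defined" flag without restoring the name that `--cipher none` cleared, next to the proposed behaviour of rejecting the bare form. The struct layout, the function names and the "bf-cbc" preset are assumptions made for illustration; only `ciphername_defined` is named in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified, assumed model of the option state; not OpenVPN source. */
struct opts {
    const char *ciphername;    /* set to NULL by "--cipher none" */
    bool ciphername_defined;   /* "we want crypto" flag */
};

/* Apply one --cipher occurrence; arg == NULL models the bare form.
 * reject_bare=false: legacy behaviour; true: bare --cipher is an error. */
static int apply_cipher(struct opts *o, const char *arg, bool reject_bare)
{
    if (arg == NULL) {
        if (reject_bare)
            return -1;                  /* usage error at parse time */
        o->ciphername_defined = true;   /* flag set, name left untouched */
    } else if (strcmp(arg, "none") == 0) {
        o->ciphername = NULL;
        o->ciphername_defined = false;
    } else {
        o->ciphername = arg;
        o->ciphername_defined = true;
    }
    return 0;
}

/* Returns -1 if parsing rejects the sequence, 1 if the final state would
 * dereference NULL on use (flag set, no name), 0 if the state is safe. */
static int run_sequence(const char *const *args, size_t n, bool reject_bare)
{
    struct opts o = { "bf-cbc", true };  /* assumed preset */
    for (size_t i = 0; i < n; i++)
        if (apply_cipher(&o, args[i], reject_bare) != 0)
            return -1;
    return (o.ciphername_defined && o.ciphername == NULL) ? 1 : 0;
}

static const char *const NONE_THEN_BARE[] = { "none", NULL };    /* constructed */
static const char *const NAMED_THEN_BARE[] = { "bf-cbc", NULL }; /* constructed */

int main(void)
{
    printf("none+bare, legacy: %d\n", run_sequence(NONE_THEN_BARE, 2, false));
    printf("none+bare, strict: %d\n", run_sequence(NONE_THEN_BARE, 2, true));
    printf("named+bare, legacy: %d\n", run_sequence(NAMED_THEN_BARE, 2, false));
    return 0;
}
```
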