Hi,

On 23-11-16 23:32, Gert Doering wrote:
> On Wed, Nov 23, 2016 at 11:16:58PM +0100, Gert Doering wrote:
>> ACK. We made it :-)
>
> I *did* find a way to break it, I think - haven't tested, need to sleep -
> just copying what I wrote to IRC just now since everyone is asleep
> already...
>
> 23:30 <@cron2> syzzer: I *do* have a potential way to use this to break things
> 23:30 <@cron2> server with NCP enabled, --cipher foo
> 23:30 <@cron2> client with NCP disabled, --cipher bar
> 23:30 <@cron2> server will now use "cipher bar", while client will do "cipher foo"...
> 23:31 <@cron2> so I think we should do a "v6a amendment" which disables this on the client if --ncp-disable is set (so 2.4 to 2.4 will either do *real* NCP, or *no* NCP, but no half-assed two-way poorman)
> 23:31 <@cron2> this makes testing more annoying because you can't talk to a 2.4 server to test the client side :-) - but it's *meant* to be a 2.3<->2.4 migration feature

This will end up with the server and client using cipher bar (if the server has --ncp-ciphers <something>:bar). The client-side poor-man's NCP is already guarded by "if (c->options.ncp_enabled)" (in do_deferred_options()).

-Steffan
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel