On 08.07.20 at 13:15, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 07, 2020 at 02:16:14PM +0200, Arne Schwabe wrote:
>> Ever since the NCPv2 the ncp_get_best_cipher uses the global
>> options->ncp_enabled option and ignores the tls_session->ncp_enabled
>> option.
>
> For the record, this breaks "poor man's NCP" for big packets - tested
> with 2.3 client and 2.4 with "--ncp-disable". Session is negotiated
> fine, key material is generated perfectly fine, both sides agree on
> ciphers, but if I do the "ping 3000 byte test" I get this on the
> server:
>
> 13:00 <@cron2> Jul 8 12:59:19 gentoo tun-udp-p2mp[30281]:
> cron2-freebsd-tc-amd64-23/2001:608:0:814::f000:21 TCP/UDP packet too large on
> write to [AF_INET6]2001:608:0:814::f000:21:35389 (tried=1544,max=1542)
>
> so it seems to get confused about frame size values.
>
> No --mtu-disc involved, no --anything-mtu configured on the server (= all
> on defaults).
>
> I do remember that this is scary stuff all intertwined...
Looks like our frame calculation for NCP is somewhat broken and this change just exposed this bug better. This "fix" might work:

--- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1986,6 +1986,12 @@ tls_session_update_crypto_params(struct tls_session *session, options->keysize = 0; } } + else + { + /* Very hacky workaround and quick fix for our calculation + * not correct to avoid a regression */ + return tls_session_generate_data_channel_keys(session); + } init_key_type(&session->opt->key_type, options->ciphername, options->authname, options->keysize, true, true);
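Review bot: the new else branch returns early with `return tls_session_generate_data_channel_keys(session);` and therefore skips the `init_key_type(&session->opt->key_type, options->ciphername, options->authname, options->keysize, true, true);` call that follows in the same function, so in that branch the session's key_type is never refreshed from the current options; the comment should state why that is safe for the non-NCP case and what the frame calculation gets wrong, because "for our calculation not correct" as written does not explain the bug a later reader would need to remove this workaround. Since the comment itself calls this a hacky quick fix, it should also point at the underlying frame-size bug (the "packet too large on write" symptom from the thread) so the workaround is not left in place unexamined.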
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel