Acked-by: Gert Doering <g...@greenie.muc.de>

The patch is trivial enough (it just allows "cipher" in ccd/ files, with
no logic changes) - it's built on the changes in the previous patches, which
makes it "just work".

Without the patch, trying to set & push a cipher from ccd/:

Jul 11 18:27:53 gentoo tap-udp-p2mp[12620]: Options error: option 'cipher' cannot be used in this context (ccd/freebsd-74-amd64)
Jul 11 18:27:55 gentoo tap-udp-p2mp[12620]: ... SENT CONTROL [freebsd-74-amd64]: 'PUSH_REPLY,...,cipher CAMELLIA-128-CBC,...,cipher AES-256-GCM' (status=1)

With the patch *and* forcing NCP on the server side by only allowing 
CAMELLIA-128-CBC:

  $ cat ccd/freebsd-74-amd64
  ncp-ciphers CAMELLIA-128-CBC
  cipher CAMELLIA-128-CBC

it will actually do that:

Jul 11 18:42:37 gentoo tap-udp-p2mp[13661]: Outgoing Data Channel: Cipher 'CAMELLIA-128-CBC' initialized with 128 bit key
Jul 11 18:42:37 gentoo tap-udp-p2mp[13661]: Incoming Data Channel: Cipher 'CAMELLIA-128-CBC' initialized with 128 bit key
Jul 11 18:42:38 gentoo tap-udp-p2mp[13661]: SENT CONTROL [freebsd-74-amd64]: 'PUSH_REPLY,...,peer-id 2,cipher CAMELLIA-128-CBC' (status=1)

(if I put "CAMELLIA and some of the AES-GCM variants" in there, I get the 
standard AES-256-GCM or AES-128-GCM variants - with no indication in the 
logs on why it doesn't want to take the cipher --> documenting this here,
so it can be found by googling: if you want "cipher" to work in CCD/ files,
you must also set "ncp-ciphers" accordingly).

Your patch has been applied to the master branch.

commit 6168f53d6b7274026d4f392a22e64524a9b264d6
Author: Arne Schwabe
Date:   Sat Jul 11 11:36:42 2020 +0200

     Allow changing fallback cipher from ccd files/client-connect

     Signed-off-by: Arne Schwabe <a...@rfc2549.org>
     Acked-by: Gert Doering <g...@greenie.muc.de>
     Message-Id: <20200711093655.23686-1-a...@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html
     Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering
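The pitfall documented above (a "cipher" in a ccd/ file is silently ignored unless it also appears in that file's "ncp-ciphers") is easy to catch before deploying. The following lint script is an added example, not part of the mail or of OpenVPN; it assumes the usual OpenVPN format of a colon-separated "ncp-ciphers" list and compares names exactly as written.

```shell
#!/bin/sh
# Lint one ccd/ file: if it sets "cipher X", X must also be listed in its
# "ncp-ciphers" line, otherwise NCP negotiates a default AES-GCM cipher and
# nothing in the server log explains why the override did not take effect.
# Returns 0 when consistent (or when no "cipher" override is present),
# 1 when "cipher" is missing from "ncp-ciphers" or "ncp-ciphers" is absent.
check_ccd_cipher() {
    file="$1"
    # Take the last occurrence of each directive; commented lines ("#cipher")
    # do not match because the first field must be exactly the directive.
    cipher=$(awk '$1 == "cipher" { c = $2 } END { print c }' "$file")
    ncp=$(awk '$1 == "ncp-ciphers" { n = $2 } END { print n }' "$file")

    # No cipher override in this ccd file: nothing to check.
    [ -z "$cipher" ] && return 0

    if [ -z "$ncp" ]; then
        echo "$file: 'cipher $cipher' set but no 'ncp-ciphers' line;" \
             "NCP will pick a default cipher instead" >&2
        return 1
    fi

    # ncp-ciphers is colon-separated (assumed OpenVPN format); wrap both sides
    # in colons so "AES-128-GCM" does not match inside "AES-128-GCM-EXTRA".
    case ":$ncp:" in
        *":$cipher:"*) return 0 ;;
    esac
    echo "$file: 'cipher $cipher' is not in 'ncp-ciphers $ncp';" \
         "add it or the client will be pushed a different cipher" >&2
    return 1
}

# Run the check over every regular file in a ccd directory.
# Exit status is 1 if any file is inconsistent, 0 otherwise.
check_ccd_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_ccd_cipher "$f" || rc=1
    done
    return $rc
}
```

Run it as `check_ccd_dir /etc/openvpn/ccd` from a deployment hook; the non-zero exit status makes the mismatch visible where the OpenVPN log stays silent.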



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
