On 11.07.2020 at 18:48, Gert Doering wrote:
> Acked-by: Gert Doering <g...@greenie.muc.de>
>
> The patch is trivial enough (it just allows "cipher" in ccd/ files, with
> no logic changes) - it's built on the changes in the previous patches, which
> makes it "just work".
>
> Without the patch, trying to set & push a cipher from ccd/:
>
> Jul 11 18:27:53 gentoo tap-udp-p2mp[12620]: Options error: option 'cipher' 
> cannot be used in this context (ccd/freebsd-74-amd64)
> Jul 11 18:27:55 gentoo tap-udp-p2mp[12620]: ... SENT CONTROL 
> [freebsd-74-amd64]: 'PUSH_REPLY,...,cipher CAMELLIA-128-CBC,...,cipher 
> AES-256-GCM' (status=1)
>
> With the patch *and* forcing NCP on the server side by only allowing 
> CAMELLIA-128-CBC:
>
>   $ cat ccd/freebsd-74-amd64
>   ncp-ciphers CAMELLIA-128-CBC
>   cipher CAMELLIA-128-CBC
>
> it will actually do that:
>
> Jul 11 18:42:37 gentoo tap-udp-p2mp[13661]: Outgoing Data Channel: Cipher 
> 'CAMELLIA-128-CBC' initialized with 128 bit key
> Jul 11 18:42:37 gentoo tap-udp-p2mp[13661]: Incoming Data Channel: Cipher 
> 'CAMELLIA-128-CBC' initialized with 128 bit key
> Jul 11 18:42:38 gentoo tap-udp-p2mp[13661]: SENT CONTROL [freebsd-74-amd64]: 
> 'PUSH_REPLY,...,peer-id 2,cipher CAMELLIA-128-CBC' (status=1)
>
> (if I put "CAMELLIA and some of the AES-GCM variants" in there, I get the 
> standard AES-256-GCM or AES-128-GCM variants - with no indication in the 
> logs on why it doesn't want to take the cipher --> documenting this here,
> so it can be found by googling: if you want "cipher" to work in CCD/ files,

cipher only sets the fallback cipher if we find no common cipher. All
ciphers in ncp-ciphers are still preferred to cipher. So to have the
server pick the --cipher from either the general config or the ccd config,
none of the ciphers in ncp-ciphers may be supported by the peer (so not
in ncp-ciphers/ncp-ciphers and not as --cipher).

Arne
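To make the rule above concrete, here is a small model of the selection logic as the thread describes it. This is an added example, not OpenVPN's own code and not something from this thread: it only encodes "ncp-ciphers are preferred; --cipher is the fallback when no common cipher exists" so that the two ccd/ variants Gert mentions (CAMELLIA alone, versus CAMELLIA next to AES-GCM) can be compared. The global server options, the peer's cipher list and the walk-in-server-order preference are constructed assumptions, not taken from the mail.

```python
"""Model of the data-channel cipher selection described in the thread.

Added illustration, not OpenVPN's implementation. It encodes only the
stated rule: every entry in the server's ncp-ciphers beats --cipher, and
--cipher (global or from ccd/) is used only when no ncp cipher is
supported by the peer.
"""
from typing import Dict, List, Optional, Set


def parse_ccd(text: str) -> Dict[str, str]:
    """Parse a minimal ccd/ file: one 'option value' per line, '#' starts a comment."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts


def peer_supported(peer_ncp: List[str], peer_cipher: Optional[str]) -> Set[str]:
    """Ciphers the peer can use: its ncp-ciphers list plus its own --cipher."""
    supported = set(peer_ncp)
    if peer_cipher:
        supported.add(peer_cipher)
    return supported


def select_cipher(server_ncp: List[str], server_cipher: Optional[str],
                  peer_ncp: List[str], peer_cipher: Optional[str]) -> Optional[str]:
    """Return the cipher the server would push to this peer.

    Assumption (not stated in the mail): the server walks its own
    ncp-ciphers list in order and takes the first entry the peer supports.
    Only when nothing matches does --cipher act as the fallback.
    """
    supported = peer_supported(peer_ncp, peer_cipher)
    for name in server_ncp:
        if name in supported:
            return name
    return server_cipher


# Constructed server-side defaults; a ccd/ file overrides these per client.
GLOBAL_SERVER_OPTS = {"ncp-ciphers": "AES-256-GCM:AES-128-GCM", "cipher": "AES-256-CBC"}
# Constructed peer: a client that speaks the two AES-GCM ciphers via NCP
# and has AES-256-CBC as its static --cipher, but no CAMELLIA at all.
PEER_NCP = ["AES-256-GCM", "AES-128-GCM"]
PEER_CIPHER = "AES-256-CBC"


def negotiate_for_ccd(ccd_text: str,
                      global_opts: Dict[str, str] = GLOBAL_SERVER_OPTS,
                      peer_ncp: List[str] = PEER_NCP,
                      peer_cipher: Optional[str] = PEER_CIPHER) -> Optional[str]:
    """Merge global options with a ccd/ file and run the selection for one peer."""
    opts = dict(global_opts)
    opts.update(parse_ccd(ccd_text))
    return select_cipher(opts["ncp-ciphers"].split(":"), opts.get("cipher"),
                         peer_ncp, peer_cipher)


# The ccd/ file from the mail: NCP restricted to CAMELLIA, so nothing is
# common with the peer and --cipher wins.
CCD_CAMELLIA_ONLY = "ncp-ciphers CAMELLIA-128-CBC\ncipher CAMELLIA-128-CBC\n"
# The variant Gert describes as "CAMELLIA and some of the AES-GCM variants":
# an AES-GCM entry is common with the peer, so --cipher is never consulted.
CCD_CAMELLIA_AND_GCM = ("ncp-ciphers AES-256-GCM:AES-128-GCM:CAMELLIA-128-CBC\n"
                        "cipher CAMELLIA-128-CBC\n")

if __name__ == "__main__":
    for label, ccd in (("camellia only", CCD_CAMELLIA_ONLY),
                       ("camellia + gcm", CCD_CAMELLIA_AND_GCM),
                       ("no ccd file", "")):
        print(f"{label:15s} -> {negotiate_for_ccd(ccd)}")
```

Running it prints CAMELLIA-128-CBC for the first file and AES-256-GCM for the other two, which is exactly the silent behaviour in the thread: as long as any ncp-ciphers entry is shared with the peer, the ccd/ `cipher` line has no visible effect.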

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel