Hi,

On Sun, Jul 12, 2020 at 01:28:56AM +0200, Arne Schwabe wrote:
> > With the patch *and* forcing NCP on the server side by only allowing
> > CAMELLIA-128-CBC:
> >
> > $ cat ccd/freebsd-74-amd64
> > ncp-ciphers CAMELLIA-128-CBC
> > cipher CAMELLIA-128-CBC
> >
> > it will actually do that:
[..]
> cipher only sets the fallback cipher if we find no common cipher. All
> ciphers in ncp-ciphers are still preferred to cipher. So to have the
> server pick the --cipher from either the general config or the ccd config,
> none of the ciphers in ncp-ciphers may be supported by the peer (so not
> in ncp-ciphers/ncp-ciphers and not as --cipher)

More details on the scenario:

The client here is a stock 2.4 client, with "nothing" in the config - so
it sends IV_NCP=1, but no cipher list, and the OCC cipher is "bf-cbc".

In ccd/, if I have *just* "ncp-ciphers CAMELLIA-128-CBC", it will
actually fall back to "bf-cbc".

Which matches your description: no common ciphers (IV_NCP=1 =
AES-128-GCM:AES-256-GCM) -> fallback cipher (bf-cbc).

So, shorter: you're right :-) - and if we want to force a cipher for an
NCP-capable client, it needs "cipher" *and* "ncp-ciphers" in ccd/,
because otherwise NCP will just override our config.

gert

-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
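The selection rule the thread settles on (ncp-ciphers entries the peer supports win; the server's --cipher, possibly overridden in ccd/, is only the fallback when nothing overlaps) is easy to get wrong when writing per-client ccd/ files. The following Python model is an added example, not OpenVPN's own code: it assumes the rule exactly as Arne states it, assumes the 2.4-era defaults `AES-256-GCM:AES-128-GCM` for ncp-ciphers and `BF-CBC` for --cipher, and represents the client by the two facts the server learns about it (its negotiable cipher list and its OCC --cipher), as Gert describes for a stock 2.4 client. The IV_NCP peer-info flag itself is not modelled; the client's negotiable list is simply a parameter.

```python
"""Toy model of the cipher selection behaviour discussed in the thread.

Added example, not OpenVPN's code. Assumed rule: the server walks its
ncp-ciphers list in order and takes the first entry the client supports
(either in the client's NCP list or as its OCC --cipher); only if nothing
matches does it fall back to the server's --cipher, which ccd/ may
override per client.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed 2.4-era defaults used by the scenarios below.
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]
DEFAULT_CIPHER = "BF-CBC"


@dataclass
class ServerConfig:
    """The server's effective config for one client (main config + ccd/)."""
    ncp_ciphers: List[str] = field(default_factory=lambda: list(DEFAULT_NCP_CIPHERS))
    cipher: str = DEFAULT_CIPHER


@dataclass
class ClientInfo:
    """What the server learns about the client from peer info and OCC."""
    ncp_ciphers: List[str]   # ciphers the client can negotiate; empty => no NCP
    occ_cipher: str          # the client's own --cipher as announced via OCC


def apply_ccd(server: ServerConfig, ccd_text: str) -> ServerConfig:
    """Overlay a ccd/ file (only the two directives modelled here) on a copy."""
    cfg = ServerConfig(list(server.ncp_ciphers), server.cipher)
    for raw in ccd_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        directive, _, value = line.partition(" ")
        value = value.strip()
        if directive == "ncp-ciphers":
            cfg.ncp_ciphers = [c.strip() for c in value.split(":") if c.strip()]
        elif directive == "cipher":
            cfg.cipher = value
        # other directives (push, ifconfig-push, ...) do not affect this model
    return cfg


def negotiate(server: ServerConfig, client: ClientInfo) -> Tuple[str, str]:
    """Return (chosen cipher, how it was chosen: 'ncp' or 'fallback')."""
    # Cipher names are case-insensitive in config files; compare upper-cased.
    supported = {c.upper() for c in client.ncp_ciphers}
    supported.add(client.occ_cipher.upper())
    for candidate in server.ncp_ciphers:
        if candidate.upper() in supported:
            return candidate, "ncp"
    return server.cipher, "fallback"


# Constructed client matching Gert's description: stock 2.4, nothing in the
# config, so it can negotiate the default GCM pair and OCC says bf-cbc.
STOCK_24_CLIENT = ClientInfo(["AES-128-GCM", "AES-256-GCM"], "bf-cbc")


def scenarios() -> dict:
    """The ccd/ variants from the thread, run through the model."""
    base = ServerConfig()
    return {
        # No ccd/: both GCM ciphers overlap, server's first preference wins.
        "no-ccd": negotiate(base, STOCK_24_CLIENT),
        # Only ncp-ciphers in ccd/: no overlap, so the fallback is the server's
        # *default* --cipher, i.e. bf-cbc wins (what Gert observed).
        "ncp-only": negotiate(apply_ccd(base, "ncp-ciphers CAMELLIA-128-CBC\n"),
                              STOCK_24_CLIENT),
        # Both directives in ccd/: still no overlap, but the fallback is now the
        # forced cipher, so the client ends up on CAMELLIA-128-CBC.
        "ncp-and-cipher": negotiate(
            apply_ccd(base, "ncp-ciphers CAMELLIA-128-CBC\ncipher CAMELLIA-128-CBC\n"),
            STOCK_24_CLIENT),
        # Non-NCP client whose OCC --cipher is in the server's list: that
        # counts as "supported by the peer", so it is picked via NCP, not fallback.
        "occ-match": negotiate(apply_ccd(base, "ncp-ciphers CAMELLIA-128-CBC\n"),
                               ClientInfo([], "CAMELLIA-128-CBC")),
    }


if __name__ == "__main__":
    for name, (cipher, how) in scenarios().items():
        print(f"{name:15s} -> {cipher} ({how})")
```

The "ncp-only" versus "ncp-and-cipher" pair is the point of the thread: a ccd/ file that only narrows ncp-ciphers does not force anything on a client that cannot negotiate that cipher; it silently lands on whatever the server-wide --cipher is, so per-client forcing needs both directives.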