Hi,

On Sun, Jul 12, 2020 at 01:28:56AM +0200, Arne Schwabe wrote:
> > With the patch *and* forcing NCP on the server side by only allowing 
> > CAMELLIA-128-CBC:
> >
> >   $ cat ccd/freebsd-74-amd64
> >   ncp-ciphers CAMELLIA-128-CBC
> >   cipher CAMELLIA-128-CBC
> >
> > it will actually do that:
[..]
> 
> cipher only sets the fallback cipher if we find no common cipher. All
> ciphers in ncp-ciphers are still preferred to cipher. So to have the
> server pick the --cipher from either the general config or ccd config,
> none of the ciphers in ncp-ciphers may be supported by the peer (so not
> in ncp-ciphers/ncp-ciphers and not as --cipher)

More details on the scenario:

The client here is a stock 2.4 client, with "nothing" in the config - 
so it sends IV_NCP=1, but no cipher list, and OCC cipher is "bf-cbc".

In ccd/, if I have *just* "ncp-ciphers CAMELLIA-128-CBC", it will actually
fall back to "bf-cbc".  Which matches your description: no common ciphers
(IV_NCP=1 = AES-128-GCM:AES-256-GCM) -> fallback cipher (bf-cbc).


So, shorter: you're right :-) - and if we want to force a cipher for an
NCP-capable client, it needs "cipher" *and* "ncp-ciphers" in ccd/, because
otherwise NCP will just override our config.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
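The server-side selection rule discussed in the thread, as an added example that is not OpenVPN's own code: a small Python model of the behaviour Arne describes (every entry in ncp-ciphers is preferred; --cipher is used only when the peer supports none of them), replayed against the stock 2.4 client and the two ccd/ variants Gert tried. The implicit "AES-128-GCM:AES-256-GCM" list for a client that sends IV_NCP but no cipher list and the "bf-cbc" OCC cipher are taken from the thread; the data types, the PeerInfo/ServerConfig names, case-insensitive matching and the assumed server defaults are this model's own assumptions, not OpenVPN internals.

```python
"""Model of OpenVPN server-side cipher selection under NCP.

Added example, not OpenVPN's own code: it reproduces the rule the thread
describes (every cipher in ncp-ciphers is preferred, --cipher is only the
fallback when the peer supports none of them) and replays the ccd/ variants
from the thread. The implicit "AES-128-GCM:AES-256-GCM" list for a 2.4
client that sends IV_NCP but no cipher list is taken from the thread; the
types, field names and server defaults below are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Optional


# What a stock 2.4 client that announces IV_NCP but sends no IV_CIPHERS is
# assumed to support (per the thread).
IMPLICIT_NCP_CIPHERS = ("AES-128-GCM", "AES-256-GCM")


@dataclass(frozen=True)
class ServerConfig:
    ncp_ciphers: tuple   # effective "ncp-ciphers" (global, or overridden in ccd/)
    cipher: str          # effective "--cipher" (global, or overridden in ccd/)


@dataclass(frozen=True)
class PeerInfo:
    iv_ncp: bool                   # client announced NCP capability
    iv_ciphers: Optional[tuple]    # explicit IV_CIPHERS list, if the client sent one
    occ_cipher: str                # cipher advertised in the client's OCC string


def _norm(name):
    # Cipher names are matched case-insensitively in this model (assumption).
    return name.upper()


def peer_supported_ciphers(peer):
    """Ciphers the server treats as usable by this peer, in announced order."""
    if peer.iv_ciphers is not None:
        supported = [_norm(c) for c in peer.iv_ciphers]
    elif peer.iv_ncp:
        supported = [_norm(c) for c in IMPLICIT_NCP_CIPHERS]
    else:
        supported = []
    # The peer's own --cipher (from OCC) is always acceptable to it.
    occ = _norm(peer.occ_cipher)
    if occ not in supported:
        supported.append(occ)
    return supported


def select_cipher(server, peer):
    """Return (cipher, reason) following the rule from the thread: walk the
    server's ncp-ciphers in order and take the first one the peer supports;
    only if none matches fall back to the server's --cipher."""
    supported = peer_supported_ciphers(peer)
    for c in server.ncp_ciphers:
        if _norm(c) in supported:
            return _norm(c), "negotiated from ncp-ciphers"
    return _norm(server.cipher), "fallback to --cipher (no common cipher)"


# Constructed peer: stock 2.4 client, nothing cipher-related in its config.
CLIENT_24 = PeerInfo(iv_ncp=True, iv_ciphers=None, occ_cipher="bf-cbc")

# Assumed 2.4 server defaults: NCP on with the GCM ciphers, BF-CBC as --cipher.
SERVER_DEFAULT = ServerConfig(("AES-256-GCM", "AES-128-GCM"), "BF-CBC")

# ccd/ with only "ncp-ciphers CAMELLIA-128-CBC" (the --cipher stays BF-CBC).
SERVER_CCD_NCP_ONLY = ServerConfig(("CAMELLIA-128-CBC",), "BF-CBC")

# ccd/ with both "ncp-ciphers CAMELLIA-128-CBC" and "cipher CAMELLIA-128-CBC".
SERVER_CCD_NCP_AND_CIPHER = ServerConfig(("CAMELLIA-128-CBC",), "CAMELLIA-128-CBC")

# ccd/ with "cipher CAMELLIA-128-CBC" but an ncp-ciphers entry the peer
# supports: ncp-ciphers still wins, so --cipher is never used.
SERVER_CCD_CIPHER_IGNORED = ServerConfig(("AES-128-GCM",), "CAMELLIA-128-CBC")


def run_scenarios(peer=CLIENT_24):
    """Map each server configuration to the (cipher, reason) the model selects."""
    return {
        "default": select_cipher(SERVER_DEFAULT, peer),
        "ccd ncp-ciphers only": select_cipher(SERVER_CCD_NCP_ONLY, peer),
        "ccd ncp-ciphers + cipher": select_cipher(SERVER_CCD_NCP_AND_CIPHER, peer),
        "ccd cipher overridden by ncp": select_cipher(SERVER_CCD_CIPHER_IGNORED, peer),
    }


if __name__ == "__main__":
    for name, (cipher, reason) in run_scenarios().items():
        print(f"{name:30s} -> {cipher:18s} ({reason})")
```

The fourth scenario is the trap Arne points at: a ccd/ file that sets "cipher CAMELLIA-128-CBC" but leaves (or sets) an ncp-ciphers entry the client can use never reaches the fallback, so the --cipher line has no effect. Only when the peer supports nothing in ncp-ciphers does --cipher decide, which is why both lines are needed to force a cipher for an NCP-capable client.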
