> > > Not sure how to tackle the "ccd/ push cipher is broken now with 2.4-NCP
> > > clients" part. I think this is useful functionality, but the current
> > > patch does not allow this "unless the client is already using the to-be-
> > > pushed cipher, or it's one of the two NCP=2 AEAD ciphers". Which makes
> > > it slightly less than useful...
I am not sure we can fix this in a good way. The behaviour is basically to
blindly push a cipher no matter what the client announces.

What we would need to still support this behaviour is a
--data-cipher-force-cipher-if-only-iv_ncp2-present cipher that picks that
cipher if the client has only IV_NCP=2. That sounds like a very ugly and
obscure option.

Or an option that is --iv-ncp-2-is-data-ciphers "foo:AES-128-CBC:MySpecial-Cipher"
and then the server would translate IV_NCP=2 to that list instead of
"AES-256-GCM:AES-128-GCM".

All other options that I can come up with break proper negotiation support.
The option names are of course silly and would need to be replaced by better
sounding alternatives.

*If* we want to support this corner case I would suggest the second
alternative and implement it in a follow up patch. The question is if this
corner case is important enough to support it.

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
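To make the negotiation problem in the thread concrete, here is an added model (not OpenVPN's own code) of how a server derives the set of ciphers a client can use from its peer-info, why a blind ccd/ push to an IV_NCP=2 client is unsafe, and how the proposed `--iv-ncp-2-is-data-ciphers` translation would change that. The peer-info dicts and the `ncp2_as` parameter are assumptions of this example.

```python
# Illustrative model of server-side data-cipher negotiation as discussed in the
# thread. Not OpenVPN's implementation; peer_info is a constructed dict of the
# IV_* values a client announces, and ncp2_as models the hypothetical
# --iv-ncp-2-is-data-ciphers option.

NCP2_DEFAULT = ["AES-256-GCM", "AES-128-GCM"]  # what IV_NCP=2 implies by itself


def client_ciphers(peer_info, ncp2_as=None):
    """Ciphers the client is known to accept, in the client's announced order."""
    if "IV_CIPHERS" in peer_info:            # newer client: explicit list
        return peer_info["IV_CIPHERS"].split(":")
    if peer_info.get("IV_NCP") == "2":       # 2.4-style client: only the AEAD pair,
        return list(ncp2_as or NCP2_DEFAULT)  # unless the operator maps it to a list
    return []                                # no NCP support: nothing negotiable


def negotiate(server_ciphers, peer_info, ncp2_as=None):
    """First server-preferred cipher that the client also supports, or None."""
    supported = client_ciphers(peer_info, ncp2_as)
    for cipher in server_ciphers:
        if cipher in supported:
            return cipher
    return None


def can_push_cipher(pushed, peer_info, current_cipher, ncp2_as=None):
    """A ccd/ 'cipher' push is only safe if the client can actually use it:
    either it is already the negotiated cipher or it is in the client's set."""
    return pushed == current_cipher or pushed in client_ciphers(peer_info, ncp2_as)


# Constructed sample peers.
OLD_NCP2_CLIENT = {"IV_NCP": "2"}
NEW_CLIENT = {"IV_CIPHERS": "AES-128-CBC:AES-256-GCM"}
SERVER_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "AES-128-CBC"]

if __name__ == "__main__":
    print(negotiate(SERVER_DATA_CIPHERS, OLD_NCP2_CLIENT))            # AES-256-GCM
    print(can_push_cipher("AES-128-CBC", OLD_NCP2_CLIENT, "AES-256-GCM"))  # False
    print(can_push_cipher("AES-128-CBC", OLD_NCP2_CLIENT, "AES-256-GCM",
                          ncp2_as=["AES-128-CBC", "AES-256-GCM"]))     # True
```

The third call shows the thread's second alternative: mapping IV_NCP=2 to an operator-supplied list makes the old ccd/ push acceptable again without abandoning negotiation for clients that do announce IV_CIPHERS.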