Hi Arne,

This thread is a couple of days old but I'm testing the version 2.5-beta2 and I'm getting the following error:

2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'BF-CBC') if you want to connect to this server.

I have added the data-ciphers and also the data-ciphers-fallback to the client's config file and in all attempts I'm getting the same error message.

data-ciphers BF-CBC
data-ciphers-fallback BF-CBC

I know that you guys are trying to get rid of the BF-CBC but my question is, should it still work if we set these parameters in the config file or am I missing or doing something wrong? :-)

BR
Gava

On Fri, Aug 14, 2020 at 5:06 AM Arne Schwabe <a...@rfc2549.org> wrote:

> OpenVPN 2.5 clients do not correctly do a fallback to the server server.
> This commit fixes that logic and also fixes --data-ciphers-fallback to
> be used in situations other than no OCC cipher.
>
> To reproduce the error use a client with only --data-ciphers set against
> a server without NCP.
>
> OPTIONS ERROR: failed to negotiate cipher with server.
> Add the server's cipher ('AES-256-CBC') to --data-ciphers
> (currently 'AES-256-CBC') if you want to connect to this server.
>
> Reported by: Richard Bonhomme <tincantek...@gmail.com>
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
> src/openvpn/ssl_ncp.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c > index f522b8f0..c9ab85ce 100644 > --- a/src/openvpn/ssl_ncp.c > +++ b/src/openvpn/ssl_ncp.c 
> @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int > found) > } > /* If the server did not push a --cipher, we will switch to the > * remote cipher if it is in our ncp-ciphers list */ > - bool useremotecipher = tls_poor_mans_ncp(&c->options, > - > c->c2.tls_multi->remote_ciphername); > - > + if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername)) > + { > + return true; > + } > > /* We could not figure out the peer's cipher but we have fallback > * enabled */ > - if (!useremotecipher && c->options.enable_ncp_fallback) > + if (!c->c2.tls_multi->remote_ciphername && > c->options.enable_ncp_fallback) > { > return true; > } > -- > 2.26.2 > > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
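Review bot: In the rewritten fallback test, `!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback`, the fallback is taken only when no remote cipher name is known; when a remote cipher name is present but tls_poor_mans_ncp() returns false, enable_ncp_fallback is no longer consulted and control falls through past both returns. The commit message says --data-ciphers-fallback should "be used in situations other than no OCC cipher", which can be read as the opposite of this condition, so please spell out the intended case in the message or in the comment above the test. tls_poor_mans_ncp() is also still called with remote_ciphername before the NULL test, so it is worth confirming that it accepts NULL, or moving the NULL test first. Style: the added `if(tls_poor_mans_ncp(` lacks the space used by `if (` in the second condition of the same hunk.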