Hi Arne,
This thread is a couple of days old, but I'm testing version 2.5-beta2 and I'm
getting the following error:
2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher
with server. Add the server's cipher ('BF-CBC') to --data-ciphers
(currently 'BF-CBC') if you want to connect to this server.
I have added data-ciphers and also data-ciphers-fallback to the client's
config file, and in all attempts I'm getting the same error message:
data-ciphers BF-CBC
data-ciphers-fallback BF-CBC
I know that you guys are trying to get rid of BF-CBC, but my question is:
should it still work if we set these parameters in the config file, or am I
missing or doing something wrong? :-)
BR
Gava
On Fri, Aug 14, 2020 at 5:06 AM Arne Schwabe <[email protected]> wrote:
> OpenVPN 2.5 clients do not correctly do a fallback to the server.
> This commit fixes that logic and also fixes --data-ciphers-fallback to
> be used in situations other than no OCC cipher.
>
> To reproduce the error use a client with only --data-ciphers set against
> a server without NCP.
>
> OPTIONS ERROR: failed to negotiate cipher with server.
> Add the server's cipher ('AES-256-CBC') to --data-ciphers
> (currently 'AES-256-CBC') if you want to connect to this server.
>
> Reported by: Richard Bonhomme <[email protected]>
>
> Signed-off-by: Arne Schwabe <[email protected]>
> ---
> src/openvpn/ssl_ncp.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index f522b8f0..c9ab85ce 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int
> found)
> }
> /* If the server did not push a --cipher, we will switch to the
> * remote cipher if it is in our ncp-ciphers list */
> - bool useremotecipher = tls_poor_mans_ncp(&c->options,
> -
> c->c2.tls_multi->remote_ciphername);
> -
> + if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
> + {
> + return true;
> + }
>
> /* We could not figure out the peer's cipher but we have fallback
> * enabled */
> - if (!useremotecipher && c->options.enable_ncp_fallback)
> + if (!c->c2.tls_multi->remote_ciphername &&
> c->options.enable_ncp_fallback)
> {
> return true;
> }
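Review bot: the second condition changes from `!useremotecipher && c->options.enable_ncp_fallback` to `!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback`, so when the server's OCC cipher is known but tls_poor_mans_ncp() returns false, --data-ciphers-fallback is no longer consulted and the function falls through past this hunk instead of returning true as the old code did. That narrows fallback to the no-OCC-cipher case, while the commit message says the intent is for --data-ciphers-fallback to be used in situations other than no OCC cipher; the report at the top of this thread (data-ciphers and data-ciphers-fallback both set to BF-CBC, yet the error names 'BF-CBC' as both the server's cipher and the current --data-ciphers) is exactly a known-remote-cipher case that still ends in the error. Either keep the fallback branch covering a known-but-unusable remote cipher (e.g. `if (!useremotecipher && c->options.enable_ncp_fallback)` with useremotecipher retained), or make sure tls_poor_mans_ncp() returns true when the remote cipher is already the configured one. Minor: `if(tls_poor_mans_ncp(` needs a space after `if` to match the `if (` style used a few lines below.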
> --
> 2.26.2
>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel