Hello tincanteksup, Thanks for sharing. I didn't know that wiki. I'll double check and see if I'm missing something.
Actually, I haven't compiled the code, I was just trying the installer from the link below:

https://build.openvpn.net/downloads/releases/OpenVPN-2.5-beta2-I601-amd64.msi

Anyway, I'll pull the code, build it and see what happens.

BR

Gava

On Sat, Aug 29, 2020 at 4:28 PM tincanteksup <tincantek...@gmail.com> wrote:

> Hi,
>
> sorry to interrupt, Rafael could you please confirm if you find this
> document to be correct/incorrect for your use case:
> https://community.openvpn.net/openvpn/wiki/CipherNegotiation
>
> Also note, this patch has been merged so make sure your binary has been
> compiled with it.
>
>
> On 29/08/2020 20:19, Rafael Gava wrote:
> > Hi Arne,
> >
> > This thread has a couple days but I'm testing the version 2.5-beta2 and I'm
> > getting the following error:
> >
> > 2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher
> > with server. Add the server's cipher ('BF-CBC') to --data-ciphers
> > (currently 'BF-CBC') if you want to connect to this server.
> >
> > I have added the data-ciphers and also the data-ciphers-fallback to the
> > client's config file and in all attempts I'm getting the same error message.
> >
> > data-ciphers BF-CBC
> > data-ciphers-fallback BF-CBC
> >
> > I know that you guys are trying to get rid of the BF-CBC but my question
> > is, should it still work if we set these parameters in the config file or
> > am I missing or doing something wrong? :-)
> >
> > BR
> >
> > Gava
> >
> > On Fri, Aug 14, 2020 at 5:06 AM Arne Schwabe <a...@rfc2549.org> wrote:
> >
> >> OpenVPN 2.5 clients do not correctly do a fallback to the server server.
> >> This commit fixes that logic and also fixes --data-ciphers-fallback to
> >> be used in situations other than no OCC cipher.
> >>
> >> To reproduce the error use a client with only --data-ciphers set against
> >> a server without NCP.
> >>
> >> OPTIONS ERROR: failed to negotiate cipher with server.
> >> Add the server's cipher ('AES-256-CBC') to --data-ciphers > >> (currently 'AES-256-CBC') if you want to connect to this > server. > >> > >> Reported by: Richard Bonhomme <tincantek...@gmail.com> > >> > >> Signed-off-by: Arne Schwabe <a...@rfc2549.org> > >> --- > >> src/openvpn/ssl_ncp.c | 9 +++++---- > >> 1 file changed, 5 insertions(+), 4 deletions(-) > >> > >> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c > >> index f522b8f0..c9ab85ce 100644 > >> --- a/src/openvpn/ssl_ncp.c > >> +++ b/src/openvpn/ssl_ncp.c > >> @@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int > >> found) > >> } > >> /* If the server did not push a --cipher, we will switch to the > >> * remote cipher if it is in our ncp-ciphers list */ > >> - bool useremotecipher = tls_poor_mans_ncp(&c->options, > >> - > >> c->c2.tls_multi->remote_ciphername); > >> - > >> + if(tls_poor_mans_ncp(&c->options, > c->c2.tls_multi->remote_ciphername)) > >> + { > >> + return true; > >> + } > >> > >> /* We could not figure out the peer's cipher but we have fallback > >> * enabled */ > >> - if (!useremotecipher && c->options.enable_ncp_fallback) > >> + if (!c->c2.tls_multi->remote_ciphername && > >> c->options.enable_ncp_fallback) > >> { > >> return true; > >> } > >> -- > >> 2.26.2 > >> > >> > >> > >> _______________________________________________ > >> Openvpn-devel mailing list > >> Openvpn-devel@lists.sourceforge.net > >> https://lists.sourceforge.net/lists/listinfo/openvpn-devel > >> > > > > > > > > _______________________________________________ > > Openvpn-devel mailing list > > Openvpn-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > > > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
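Review bot: In the second changed condition of check_pull_client_ncp, the fallback test now keys on "!c->c2.tls_multi->remote_ciphername" instead of on the result of tls_poor_mans_ncp, so a peer whose cipher is known but is not in the data-ciphers list no longer reaches the "return true" fallback branch even when enable_ncp_fallback is set. The commit message's "situations other than no OCC cipher" reads ambiguously against that, so please state the intended behaviour for a known-but-unlisted remote cipher in the message or in the comment above the condition. Two smaller points on the same hunk: the added "if(tls_poor_mans_ncp(" lacks the space after "if" that the following "if (" line uses, and remote_ciphername is passed to tls_poor_mans_ncp before it is tested for NULL in the next condition, so it is worth confirming that function accepts a NULL argument.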