On 04.02.22 at 17:51, Antonio Quartulli wrote:
Hi,

On 05/11/2021 16:07, Arne Schwabe wrote:
When we try to make a configuration compatible with a version earlier
than 2.4.0 we probably need to have a --cipher configured since NCP
is not available. In configurations where --cipher is not specified
we default to BF-CBC to support these old clients.

Note that with OpenSSL 3.0 you will also need to enable the legacy
provider, otherwise we bail out since BF-CBC is no longer supported.

Also move the condition so BF-CBC gets included in the data-ciphers
list.

Patch v2: move the comment to a better place.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>

Reviewed-by: Antonio Quartulli <a...@unstable.cc>

Unfortunately I cannot fully ACK this patch because I'd need to compile 2.3 to run a test, but this turned out to be a mission impossible (due to OpenSSL compatibility issues).

The change makes sense and it should do what we expect.

Anybody who wants to test against an openvpn2.3 peer is most welcome.

A 2.4 client with ncp-disable should work nicely as well. We just do not make ourselves compatible with 2.4.0 with ncp-disable if you select 2.4.0; you need 2.3.0 for that.

Arne

