Softether had the number of ACKs in ANY OpenVPN packet limited to 4 and
dropped packets with more than 4 ACKs. This leads to Softether dropping
P_ACK_V1 packets with more than 4 ACKs as invalid. As the recent change
of always acking as many packets as possible, this leads to Softether
server not being able to successfully establish a connection anymore as
it never registers the ACKs.
This behaviour has been fixed on the Softether side with commit 37aa1ba5
but in order to allow clients to connect to older Softether servers, this
commit implements a workaround for the case that the peer might be a
Softether server (no tls-auth/tls-crypt and no other advanced protocol
feature) and limits ACKs to 4 in this case.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/ssl_pkt.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
index e86fbc1b8..9b180cbf4 100644
--- a/src/openvpn/ssl_pkt.c
+++ b/src/openvpn/ssl_pkt.c
@@ -177,6 +177,15 @@ write_control_auth(struct tls_session *session,
{
uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
+ /* Workaround for Softether servers. Softether has a bug that it only
+ * allows 4 ACks in packets and drops packets if more ACKs are contained
+ * in a packet (see commit a14d812dcbc in Softether) */
+ if (session->tls_wrap.mode == TLS_WRAP_NONE && !session->opt->server
+ && !(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT))
+ {
+ max_ack = min_int(max_ack, 4);
+ }
+
ASSERT(link_socket_actual_defined(&ks->remote_addr));
ASSERT(reliable_ack_write
(ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,
--
2.32.1 (Apple Git-133)
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
