> +++ b/src/openvpn/ssl.c
> @@ -2311,7 +2311,18 @@ push_peer_info(struct buffer *buf, struct tls_session
> *session)
> if (session->opt->ncp_enabled
> && (session->opt->mode == MODE_SERVER || session->opt->pull))
> {
> +/* We keep announcing IV_NCP=2 in
This improves compatbility to a OpenVPN 2.5 server and
allows to negotiate a different cipher than AES-128/256-GCM
without abusing the poor man's NCP support with --cipher.
We keep the IV_NCP=2 flag logic as broken as it is since 2.5 server
ignore the flag if IV_CIPHERS is set and this might break
