Because of the way we re-use the options parser for both config files and pushed options, we always update the local options state when we accept an option. This resulted in a pushed cipher being rejected the first time it was pushed, but being accepted the second time.
This patch is a minimal way to resolve this issue in the master and release/2.4 branches. I'll send a more invasive patch for master, to reset the entire options state on reconnects, later. Trac: #906 Signed-off-by: Steffan Karger <stef...@karger.me> --- src/openvpn/ssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index bbc1c965..f152218e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1967,6 +1967,8 @@ tls_session_update_crypto_params(struct tls_session *session, msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", options->ciphername, session->opt->config_ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; return false; } -- 2.11.0 Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
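Review bot: the added assignment "options->ciphername = session->opt->config_ciphername;" restores the local options state only on this one rejection path and copies a pointer, and the hunk does not show what happens to the string that held the rejected pushed cipher name, so a short comment on its ownership (gc-allocated, or freed elsewhere) would help the next reader confirm nothing leaks or dangles. The change itself is the right shape for the bug in the message: without it a disallowed pushed cipher stayed in options->ciphername after the first rejection, so a second push of the same name was found already present and accepted, which is a policy bypass of the client's allowed cipher list. Since the message defers a full options reset to a later patch, a regression check that a server pushing a cipher outside the configured set is rejected on both the first and a subsequent connection attempt would document the guarantee this minimal fix is meant to give.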