Hi,

On Tue, Jul 07, 2020 at 02:16:14PM +0200, Arne Schwabe wrote:
> Ever since the NCPv2 the ncp_get_best_cipher uses the global
> options->ncp_enabled option and ignores the tls_session->ncp_enabled
> option.

For the record, this breaks "poor man's NCP" for big packets - tested
with 2.3 client and 2.4 with "--ncp-disable". Session is negotiated
fine, key material is generated perfectly fine, both sides agree on
ciphers, but if I do the "ping 3000 byte test" I get this on the
server:
13:00 <@cron2> Jul 8 12:59:19 gentoo tun-udp-p2mp[30281]:
cron2-freebsd-tc-amd64-23/2001:608:0:814::f000:21 TCP/UDP packet too large on
write to [AF_INET6]2001:608:0:814::f000:21:35389 (tried=1544,max=1542)
so it seems to get confused about frame size values.
No --mtu-disc involved, no --anything-mtu configured on the server (= all
on defaults).
I do remember that this is scary stuff all intertwined...
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
