Hi,

On Sun, Jul 12, 2020 at 01:28:56AM +0200, Arne Schwabe wrote:
> > With the patch *and* forcing NCP on the server side by only allowing
> > CAMELLIA-128-CBC:
> >
> > $ cat ccd/freebsd-74-amd64
> > ncp-ciphers CAMELLIA-128-CBC
> > cipher CAMELLIA-128-CBC
> >
> > it will actually do that:
[..]
>
> cipher only sets the fallback cipher if we find no common cipher. All
> ciphers in ncp-ciphers are still preferred to cipher. So to have the
> server pick the --cipher from either the general config or ccd config,
> none of the ciphers in ncp-ciphers may be supported by the peer (so not
> in ncp-ciphers/ncp-ciphers and not as --cipher)
More details on the scenario:
The client here is a stock 2.4 client, with "nothing" in the config -
so it sends IV_NCP=1, but no cipher list, and OCC cipher is "bf-cbc".
In ccd/, if I have *just* "ncp-ciphers CAMELLIA-128-CBC", it will actually
fall back to "bf-cbc". Which matches your description: no common ciphers
(IV_NCP=1 = AES-128-GCM:AES-256-GCM) -> fallback cipher (bf-cbc).

So, shorter: you're right :-) - and if we want to force a cipher for an
NCP-capable client, it needs "cipher" *and* "ncp-ciphers" in ccd/, because
otherwise NCP will just override our config.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
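The selection rule discussed above, as an added example that is not OpenVPN's own code: a small Python model of "first common cipher from the server's ncp-ciphers wins, --cipher is only the fallback", run over the three ccd/ variants from this thread. It assumes the 2.4 defaults "ncp-ciphers AES-256-GCM:AES-128-GCM" and "cipher BF-CBC", and that a peer's usable set is its advertised NCP list plus the --cipher it announces via OCC.

```python
# Added example (not OpenVPN's code): simplified model of the server-side
# cipher selection rule described in this thread. Assumed defaults below.
DEFAULT_NCP = "AES-256-GCM:AES-128-GCM"
DEFAULT_CIPHER = "BF-CBC"


def load_settings(*fragments):
    """Apply config fragments in order (global config first, then ccd/<cn>);
    a later 'ncp-ciphers' or 'cipher' line overrides an earlier one."""
    ncp, cipher = DEFAULT_NCP.split(":"), DEFAULT_CIPHER
    for fragment in fragments:
        for raw in fragment.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            key, _, value = line.partition(" ")
            if key == "ncp-ciphers":
                ncp = [c.strip() for c in value.split(":") if c.strip()]
            elif key == "cipher":
                cipher = value.strip()
    return ncp, cipher


def peer_supported(iv_ciphers, occ_cipher):
    """Ciphers the peer can accept: its advertised NCP list plus the --cipher
    it announced via OCC. A stock 2.4 client that signals NCP without an
    explicit list is treated as supporting the two AES-GCM ciphers."""
    ncp_list = iv_ciphers if iv_ciphers is not None else ["AES-128-GCM", "AES-256-GCM"]
    return {c.upper() for c in ncp_list} | {occ_cipher.upper()}


def negotiate(server_ncp, server_cipher, supported):
    """Walk the server's ncp-ciphers in preference order and take the first one
    the peer supports; only if none matches does --cipher act as the fallback."""
    for candidate in server_ncp:
        if candidate.upper() in supported:
            return candidate.upper(), "ncp"
    return server_cipher.upper(), "fallback"


if __name__ == "__main__":
    # Constructed scenario from the thread: stock 2.4 client, OCC cipher bf-cbc.
    client = peer_supported(None, "bf-cbc")
    ccd_ncp_only = "ncp-ciphers CAMELLIA-128-CBC\n"
    ccd_both = ccd_ncp_only + "cipher CAMELLIA-128-CBC\n"
    for name, ccd in [("no ccd", ""), ("ncp-ciphers only", ccd_ncp_only), ("both", ccd_both)]:
        print(name, "->", negotiate(*load_settings("", ccd), client))
```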
