Hi,
I tested this patch and it does make --data-ciphers and
--data-ciphers-fallback behave in their intended "fashion".
Unfortunately, the commit message is grammatically incorrect and also
logically misleading.
The intended fashion is for --data-ciphers to recognise that the correct
cipher *has* been chosen and use it accordingly.
And for --data-ciphers-fallback to *not*
be used in situations other than no OCC cipher.
Reported-by: Richard Bonhomme <tincantek...@gmail.com>
Tested-by: Richard Bonhomme <tincantek...@gmail.com>
On 14/08/2020 09:06, Arne Schwabe wrote:
OpenVPN 2.5 clients do not correctly do a fallback to the server.
This commit fixes that logic and also fixes --data-ciphers-fallback to
be used in situations other than no OCC cipher.
To reproduce the error use a client with only --data-ciphers set against
a server without NCP.
OPTIONS ERROR: failed to negotiate cipher with server.
Add the server's cipher ('AES-256-CBC') to --data-ciphers
(currently 'AES-256-CBC') if you want to connect to this server.
Reported by: Richard Bonhomme <tincantek...@gmail.com>
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/ssl_ncp.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index f522b8f0..c9ab85ce 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int found)
}
/* If the server did not push a --cipher, we will switch to the
* remote cipher if it is in our ncp-ciphers list */
- bool useremotecipher = tls_poor_mans_ncp(&c->options,
-
c->c2.tls_multi->remote_ciphername);
-
+ if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+ {
+ return true;
+ }
/* We could not figure out the peer's cipher but we have fallback
* enabled */
- if (!useremotecipher && c->options.enable_ncp_fallback)
+ if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)
{
return true;
}
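Review bot: the new condition on the `+ if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)` line makes --data-ciphers-fallback apply only when the peer sent no OCC cipher at all, which is the opposite of what the commit message says ("fixes --data-ciphers-fallback to be used in situations other than no OCC cipher"); reword the message so it matches the code, for example "--data-ciphers-fallback is now used only when the server sent no OCC cipher". The early `return true` also changes a second case worth stating in the message: a peer cipher that is known but not in --data-ciphers used to satisfy `!useremotecipher` and silently take the fallback, whereas it now falls through to the error path. Style: `if(tls_poor_mans_ncp(` lacks the space before the parenthesis that the neighbouring `if (` in the same hunk uses.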
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
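The behaviour discussed above (use the server's OCC cipher when it is in --data-ciphers, take --data-ciphers-fallback only when the server announced no cipher, otherwise fail) can be checked against a small model of the decision. The following is an added illustration written for this thread, not OpenVPN's code: `cipher_in_list()` stands in for `tls_poor_mans_ncp()`, `struct model_options` is a hypothetical stand-in for the client's option struct, and `decide_unpatched()` assumes that the part of the function outside the hunk fails negotiation when the remote cipher is unusable and no fallback was taken.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the client-side data-cipher decision. */
enum ncp_outcome { NCP_USE_REMOTE, NCP_USE_FALLBACK, NCP_ERROR };

/* Hypothetical stand-in for the client's options (not OpenVPN's struct options). */
struct model_options {
    const char *data_ciphers;  /* colon-separated --data-ciphers list */
    bool enable_ncp_fallback;  /* --data-ciphers-fallback was given */
};

/* Constructed sample configurations used by main() and the tests. */
static const struct model_options SAMPLE_OPTS = {
    "AES-256-GCM:AES-128-GCM:AES-256-CBC", true };
static const struct model_options SAMPLE_OPTS_NOFALLBACK = {
    "AES-256-GCM:AES-128-GCM:AES-256-CBC", false };

/* Stand-in for tls_poor_mans_ncp(): true if the remote OCC cipher is in our list. */
static bool cipher_in_list(const char *list, const char *remote)
{
    if (!remote || !list) {
        return false;
    }
    size_t rlen = strlen(remote);
    const char *p = list;
    while (p && *p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == rlen && strncmp(p, remote, len) == 0) {
            return true;
        }
        p = sep ? sep + 1 : NULL;
    }
    return false;
}

/* Decision with the patched conditions: fallback only when no OCC cipher was sent. */
enum ncp_outcome decide_patched(const struct model_options *o, const char *remote_ciphername)
{
    /* Server's cipher is one we accept: use it. */
    if (cipher_in_list(o->data_ciphers, remote_ciphername)) {
        return NCP_USE_REMOTE;
    }
    /* No OCC cipher at all and a fallback is configured: use the fallback. */
    if (!remote_ciphername && o->enable_ncp_fallback) {
        return NCP_USE_FALLBACK;
    }
    /* Known but unsupported cipher, or nothing to fall back to: negotiation fails. */
    return NCP_ERROR;
}

/* Decision with the pre-patch condition: fallback whenever the remote cipher is unusable.
 * The final error/remote choice is an assumption about code outside the hunk. */
enum ncp_outcome decide_unpatched(const struct model_options *o, const char *remote_ciphername)
{
    bool useremotecipher = cipher_in_list(o->data_ciphers, remote_ciphername);
    if (!useremotecipher && o->enable_ncp_fallback) {
        return NCP_USE_FALLBACK;  /* also taken for a known-but-unsupported cipher */
    }
    return useremotecipher ? NCP_USE_REMOTE : NCP_ERROR;
}

static const char *outcome_name(enum ncp_outcome r)
{
    return r == NCP_USE_REMOTE ? "use remote" : r == NCP_USE_FALLBACK ? "fallback" : "error";
}

int main(void)
{
    const char *remotes[] = { "AES-256-CBC", NULL, "BF-CBC" };
    for (size_t i = 0; i < 3; i++) {
        const char *r = remotes[i] ? remotes[i] : "(no OCC cipher)";
        printf("%-18s unpatched=%-10s patched=%s\n", r,
               outcome_name(decide_unpatched(&SAMPLE_OPTS, remotes[i])),
               outcome_name(decide_patched(&SAMPLE_OPTS, remotes[i])));
    }
    return 0;
}
```

The third row is the one the discussion turns on: with a known but unsupported server cipher, the pre-patch condition takes the fallback, while the patched condition reports an error and leaves --data-ciphers-fallback for the no-OCC case only.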