Hi,

Sorry to interrupt. Rafael, could you please confirm whether you find this document correct/incorrect for your use case:
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

Also note: this patch has been merged, so make sure your binary has been built with it.


On 29/08/2020 20:19, Rafael Gava wrote:
Hi Arne,

This thread is a couple of days old, but I'm testing version 2.5-beta2 and I'm
getting the following error:

2020-08-29 16:02:53 us=643016 OPTIONS ERROR: failed to negotiate cipher
with server.  Add the server's cipher ('BF-CBC') to --data-ciphers
(currently 'BF-CBC') if you want to connect to this server.

I have added data-ciphers and also data-ciphers-fallback to the
client's config file, and in all attempts I'm getting the same error message.

data-ciphers BF-CBC
data-ciphers-fallback BF-CBC

I know that you guys are trying to get rid of BF-CBC, but my question
is: should it still work if we set these parameters in the config file, or
am I missing or doing something wrong? :-)

BR

Gava




On Fri, Aug 14, 2020 at 5:06 AM Arne Schwabe <a...@rfc2549.org> wrote:

OpenVPN 2.5 clients do not correctly do a fallback to the server.
This commit fixes that logic and also fixes --data-ciphers-fallback to
be used in situations other than no OCC cipher.

To reproduce the error use a client with only --data-ciphers set against
a server without NCP.

         OPTIONS ERROR: failed to negotiate cipher with server.
         Add the server's cipher  ('AES-256-CBC') to --data-ciphers
         (currently 'AES-256-CBC') if you want to connect to this server.

Reported by: Richard Bonhomme <tincantek...@gmail.com>

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
  src/openvpn/ssl_ncp.c | 9 +++++----
  1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index f522b8f0..c9ab85ce 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -296,13 +296,14 @@ check_pull_client_ncp(struct context *c, const int
found)
      }
      /* If the server did not push a --cipher, we will switch to the
       * remote cipher if it is in our ncp-ciphers list */
-    bool useremotecipher = tls_poor_mans_ncp(&c->options,
-
  c->c2.tls_multi->remote_ciphername);
-
+    if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+    {
+        return true;
+    }

      /* We could not figure out the peer's cipher but we have fallback
       * enabled */
-    if (!useremotecipher && c->options.enable_ncp_fallback)
+    if (!c->c2.tls_multi->remote_ciphername &&
c->options.enable_ncp_fallback)
      {
          return true;
      }
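Review bot: the rewritten fallback condition `if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)` fires only when the server announced no OCC cipher at all, whereas the replaced `if (!useremotecipher && c->options.enable_ncp_fallback)` also covered a server that announced a cipher the client did not adopt; after this change a server announcing a cipher outside --data-ciphers falls through past this block even with --data-ciphers-fallback set. The commit message says the patch makes --data-ciphers-fallback usable "in situations other than no OCC cipher", which reads as the opposite of what the new condition does; please state the intended behaviour for the announced-but-unsupported case and align either the message or the condition with it. Minor style point: `if(tls_poor_mans_ncp(` lacks the space after `if` that the same hunk uses in `if (!c->c2.tls_multi->remote_ciphername`.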
--
2.26.2



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
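As an added example that is not part of the thread and not OpenVPN's own documentation: a client configuration of the kind Rafael's message describes, for an OpenVPN 2.5 client that must still reach a legacy server running BF-CBC without cipher negotiation, followed by the form to move to once that server has been upgraded. The directive names are real OpenVPN 2.5 options; the remote host, the file names, and the assumption in the second fragment that the server now negotiates AES-GCM are placeholders. BF-CBC is a 64-bit block cipher, so the fallback line should live only as long as the legacy server does.

```text
# --- Fragment 1: 2.5 client talking to a legacy BF-CBC server (no NCP) ---
# Placeholders: vpn.example.com, ca.crt, client.crt, client.key
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key

# Ciphers this client is willing to negotiate, preferred first.
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC

# Used only when the client cannot determine the server's cipher
# (typically an old server without cipher negotiation). This is the
# line that keeps BF-CBC reachable; remove it as soon as the server
# is upgraded.
data-ciphers-fallback BF-CBC

# --- Fragment 2: same client after the server is upgraded (assumed) ---
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key

# With a negotiating server the fallback line is no longer needed,
# and BF-CBC never appears in the configuration.
data-ciphers AES-256-GCM:AES-128-GCM
```

If the client built from an unpatched 2.5-beta2 still reports "failed to negotiate cipher with server" with fragment 1 in place, that is the behaviour the patch above addresses, so check the build before changing the configuration further.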