Hi, if I provoke an error by having one side of p2p tls OpenVPN "with default options" (= AES-GCM) and call the client side with
--data-ciphers BF-CBC --auth SHA256
then - as it is expected - the negotiation fails
2022-11-28 12:50:09 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1,
peer-id 8195149, cipher=(not negotiated, fallback-cipher: BF-CBC)
2022-11-28 12:50:09 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA1
2022-11-28 12:50:09 [server] Peer Connection Initiated with
[AF_INET6]2001:608:1:995a:250:56ff:febb:2084:51201
2022-11-28 12:50:10 ERROR: failed to negotiate cipher with peer and
--data-ciphers-fallback not enabled. No usable data channel cipher
2022-11-28 12:50:10 ERROR: Failed to apply P2P negotiated protocol options
... but the interesting thing is, OpenVPN still thinks "this has succeeded",
or so - it's sitting there, happily consuming packets on the tun interface,
and never sending anything out the socket interface...
(This is "master of a few weeks ago", without DCO involved)
--verb 7 shows...
2022-11-28 12:55:25 us=199080 ERROR: failed to negotiate cipher with peer and
--data-ciphers-fallback not enabled. No usable data channel cipher
2022-11-28 12:55:25 us=199092 ERROR: Failed to apply P2P negotiated protocol
options
2022-11-28 12:55:26 us=226535 TUN READ [84]
2022-11-28 12:55:26 us=851927 TUN READ [96]
2022-11-28 12:55:27 us=62746 TUN READ [96]
2022-11-28 12:55:27 us=299083 TUN READ [84]
2022-11-28 12:55:28 us=326477 TUN READ [84]
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
