Attention is currently required from: flichtenheld, plaisthos.

mattock has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/847?usp=email )

Change subject: t_server_null_default.rc: Add some tests with --data-ciphers
......................................................................


Patch Set 2:

(3 comments)

Patchset:

PS2:
I believe this works as intended. I added a comment about the inconsistency in 
the order of the ciphers (see below), but I think that does not cause any problems 
in practice.


File tests/t_server_null_default.rc:

http://gerrit.openvpn.net/c/openvpn/+/847/comment/fd61574c_bf9c83bc :
PS2, Line 109: CLIENT_CONF_4a="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp --cipher AES-128-CBC --data-ciphers AES-192-CBC:DEFAULT"
The inconsistency in --data-ciphers between server (DEFAULT:AES-192-CBC) and 
this client (AES-192-CBC:DEFAULT) looked off, so I checked the implications 
just in case.

The --data-ciphers setting is expanded as AES-256-GCM:AES-128-GCM:AES-192-CBC 
(server) and AES-192-CBC:AES-256-GCM:AES-128-GCM (client).

The man page tells this:

"For servers, the first cipher from cipher-list that is also supported by the 
client will be pushed to clients that support cipher negotiation."

Also, in OpenVPN 2.6.0 and later (as in here), the --cipher setting is ignored 
in TLS mode. As --cipher is different for the server and this client, this 
seems to test the "does --cipher get ignored" part. If I'm reading this right, 
the server tries to push AES-256-GCM first and as the client also has 
AES-256-GCM, that cipher is chosen. AES-192-CBC, despite being in both lists, 
is not chosen.


http://gerrit.openvpn.net/c/openvpn/+/847/comment/346e5108_279f06cb :
PS2, Line 123: CLIENT_CONF_4c="${CLIENT_CONF_BASE} --remote 127.0.0.1 1196 udp --proto udp --cipher AES-192-CBC --data-ciphers AES-128-CBC"
This seems to fail correctly, as the server does not have AES-128-CBC enabled.



--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/847?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I47d95eee8a00b9878331fd6cd6a7db12665f5537
Gerrit-Change-Number: 847
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: mattock <sas...@proton.me>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: cron2 <g...@greenie.muc.de>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Wed, 26 Mar 2025 12:24:10 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel