If we do not get a cipher pushed we call tls_poor_mans_ncp to determine
if we can use the cipher that the server uses. Left over from OpenVPN
2.4's code we only did this check when the ciphers were different.
Since OpenVPN 2.5 does not assume that our cipher we report in OCC
(options->ciphername) is always a valid cipher we always need to the
check.
Reported-By: Rafael Gava <gava...@gmail.com>
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/ssl_ncp.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index c9ab85ce..d82419fb 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -268,15 +268,11 @@ ncp_get_best_cipher(const char *server_list, const char
*peer_info,
static bool
tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
{
- if (remote_ciphername
- && 0 != strcmp(o->ciphername, remote_ciphername))
+ if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
{
- if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
- {
- o->ciphername = string_alloc(remote_ciphername, &o->gc);
- msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
- return true;
- }
+ o->ciphername = string_alloc(remote_ciphername, &o->gc);
+ msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
+ return true;
}
return false;
}
--
2.26.2
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
