As reported by debbie10t on the openvpn-devel list (Message-ID:
<326b8ff7-39a6-1974-c0b0-82fd2abdc7b7@gmail.com>), an NCP client will
attempt to reconnect with the previously pushed cipher, instead of the
cipher from the config file, after a sigusr1 restart. This can be a
problem when the server is reconfigured (as debbie10t explained), or when
roaming to a differently-configured server. Fix this by restoring the
cipher options from the config file after a sigusr1 restart.
This makes the cipher options behaviour different from other pushable
options, because those are also cached until a sighup restart. We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.
v2: also cache and restore keysize, as that parameter is relevant too.
v3: inherit cached cipher options from parent context.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478027207-28651-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12869.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -2242,6 +2242,7 @@ do_init_crypto_tls_c1 (struct context *c) |
2242 | 2242 |
|
2243 | 2243 |
c->c1.ciphername = options->ciphername; |
2244 | 2244 |
c->c1.authname = options->authname; |
2245 |
+ c->c1.keysize = options->keysize; |
|
2245 | 2246 |
|
2246 | 2247 |
#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ |
2247 | 2248 |
if (options->priv_key_file_inline) |
... | ... |
@@ -2254,6 +2255,11 @@ do_init_crypto_tls_c1 (struct context *c) |
2254 | 2254 |
else |
2255 | 2255 |
{ |
2256 | 2256 |
msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); |
2257 |
+ |
|
2258 |
+ /* Restore pre-NCP cipher options */ |
|
2259 |
+ c->options.ciphername = c->c1.ciphername; |
|
2260 |
+ c->options.authname = c->c1.authname; |
|
2261 |
+ c->options.keysize = c->c1.keysize; |
|
2257 | 2262 |
} |
2258 | 2263 |
} |
2259 | 2264 |
|
... | ... |
@@ -3791,6 +3797,10 @@ inherit_context_child (struct context *dest, |
3791 | 3791 |
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; |
3792 | 3792 |
dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; |
3793 | 3793 |
dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type; |
3794 |
+ /* inherit pre-NCP ciphers */ |
|
3795 |
+ dest->c1.ciphername = src->c1.ciphername; |
|
3796 |
+ dest->c1.authname = src->c1.authname; |
|
3797 |
+ dest->c1.keysize = src->c1.keysize; |
|
3794 | 3798 |
#endif |
3795 | 3799 |
|
3796 | 3800 |
/* options */ |
... | ... |
@@ -213,6 +213,7 @@ struct context_1 |
213 | 213 |
|
214 | 214 |
const char *ciphername; /**< Data channel cipher from config file */ |
215 | 215 |
const char *authname; /**< Data channel auth from config file */ |
216 |
+ int keysize; /**< Data channel keysize from config file */ |
|
216 | 217 |
#endif |
217 | 218 |
}; |
218 | 219 |
|