GitList

Browse code

Also announce IV_CIPHERS as client in OpenVPN 2.4

This improves compatbility to a OpenVPN 2.5 server and
allows to negotiate a different cipher than AES-128/256-GCM
without abusing the poor man's NCP support with --cipher.

We keep the IV_NCP=2 flag logic as broken as it is since 2.5 server
ignore the flag if IV_CIPHERS is set and this might break existing
2.4 setups.

Server support for IV_CIPHERS is not added since it would be quite
intrusive and users should rather upgrade to 2.5 on the server
if they want the full benefits.

This commit cherry picks a few parts of
868b200c3aef6ee5acfdf679770832018ebc7b70

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200830140736.16571-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Arne Schwabe authored on 2020/08/30 23:07:36
Showing 3 changed files

src/openvpn/init.c index 9142ba5..f35bf9c 100644
src/openvpn/ssl.c index dd9c52f..c93beea 100644
src/openvpn/ssl_common.h index ac25ffa..378b81f 100644

src/openvpn/init.c

History View file @ f8c3e0a

@@ -2745,6 +2745,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
                          to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
                          to.config_ciphername = c->c1.ciphername;
                          to.config_authname = c->c1.authname;
                     +    to.config_ncp_ciphers = options->ncp_ciphers;
                          to.ncp_enabled = options->ncp_enabled;
                          to.transition_window = options->transition_window;
                          to.handshake_window = options->handshake_window;

src/openvpn/ssl.c

History View file @ f8c3e0a

@@ -2311,7 +2311,17 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
                              if (session->opt->ncp_enabled
                                  && (session->opt->mode == MODE_SERVER || session->opt->pull))
+                             {
                     +            /* We keep announcing IV_NCP=2 in OpenVPN 2.4 even though it is
                     +             * technically wrong to ensure not to break 2.4 setups on a
                     +             * minor release */
                                  buf_printf(&out, "IV_NCP=2\n");
                     +            buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers);
                     +            if (!tls_item_in_cipher_list(session->opt->config_ciphername,
                     +                                         session->opt->config_ncp_ciphers))
                     +            {
                     +                buf_printf(&out, ":%s", session->opt->config_ciphername);
                     +            }
                     +            buf_printf(&out, "\n");
+                             }
                              /* push compression status */

src/openvpn/ssl_common.h

History View file @ f8c3e0a

@@ -286,6 +286,7 @@ struct tls_options
                          const char *config_ciphername;
                          const char *config_authname;
                     +    const char *config_ncp_ciphers;
                          bool ncp_enabled;
                          /** TLS handshake wrapping state */