This improves compatbility to a OpenVPN 2.5 server and
allows to negotiate a different cipher than AES-128/256-GCM
without abusing the poor man's NCP support with --cipher.
We keep the IV_NCP=2 flag logic as broken as it is since 2.5 server
ignore the flag if IV_CIPHERS is set and this might break existing
2.4 setups.
Server support for IV_CIPHERS is not added since it would be quite
intrusive and users should rather upgrade to 2.5 on the server
if they want the full benefits.
This commit cherry picks a few parts of
868b200c3aef6ee5acfdf679770832018ebc7b70
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200830140736.16571-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -2745,6 +2745,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) |
2745 | 2745 |
to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); |
2746 | 2746 |
to.config_ciphername = c->c1.ciphername; |
2747 | 2747 |
to.config_authname = c->c1.authname; |
2748 |
+ to.config_ncp_ciphers = options->ncp_ciphers; |
|
2748 | 2749 |
to.ncp_enabled = options->ncp_enabled; |
2749 | 2750 |
to.transition_window = options->transition_window; |
2750 | 2751 |
to.handshake_window = options->handshake_window; |
... | ... |
@@ -2311,7 +2311,17 @@ push_peer_info(struct buffer *buf, struct tls_session *session) |
2311 | 2311 |
if (session->opt->ncp_enabled |
2312 | 2312 |
&& (session->opt->mode == MODE_SERVER || session->opt->pull)) |
2313 | 2313 |
{ |
2314 |
+ /* We keep announcing IV_NCP=2 in OpenVPN 2.4 even though it is |
|
2315 |
+ * technically wrong to ensure not to break 2.4 setups on a |
|
2316 |
+ * minor release */ |
|
2314 | 2317 |
buf_printf(&out, "IV_NCP=2\n"); |
2318 |
+ buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers); |
|
2319 |
+ if (!tls_item_in_cipher_list(session->opt->config_ciphername, |
|
2320 |
+ session->opt->config_ncp_ciphers)) |
|
2321 |
+ { |
|
2322 |
+ buf_printf(&out, ":%s", session->opt->config_ciphername); |
|
2323 |
+ } |
|
2324 |
+ buf_printf(&out, "\n"); |
|
2315 | 2325 |
} |
2316 | 2326 |
|
2317 | 2327 |
/* push compression status */ |