Message ID | 20210904095629.6273-6-a@unstable.cc |
---|---|
State | Accepted |
Series | change defaults and introduce compat-mode |
On 04.09.21 at 11:56, Antonio Quartulli wrote:
> For compatibility with OpenVPN older than 2.4.0, the
> '--data-cipher-fallback' argument is automatically added with the same
> value as specified by '--cipher'.
>
> This happens only when the user specifies compat-mode with a version
> older than 2.4.0.
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> Signed-off-by: Antonio Quartulli <a@unstable.cc>
> ---
> doc/man-sections/generic-options.rst | 2 ++
> src/openvpn/options.c | 7 +++++++
>

Acked-By: Arne Schwabe <arne@rfc2549.org>

Code change looks reasonably simple :-) - not sure I understand all the intricacies, but at least it does not break anything in my test rigs. Which I wouldn't expect.

Your patch has been applied to the master branch.

commit cdef503b646087f9284b53e01c64988c98879c36
Author: Antonio Quartulli
Date:   Sat Sep 4 11:56:27 2021 +0200

    compat-mode: add --data-cipher-fallback automatically if requested

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20210904095629.6273-6-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22798.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 8b26cd1a..3e099e12 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -68,6 +68,8 @@ which mode OpenVPN is configured as. to the configuration if no other compression options are present. - 2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers`` + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with + the same cipher as ``--cipher`` --config file Load additional config options from ``file`` where each line corresponds diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 88ac5bed..f2fb6d64 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3152,6 +3152,13 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + if (o->ciphername && need_compatibility_before(o, 20400)) + { + o->enable_ncp_fallback = true; + } + /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression. *
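
Review bot: in the doc/man-sections/generic-options.rst hunk, the new "2.3.x or lower" bullet does not say that the fallback is only added when ``--cipher`` is set, although the options.c hunk guards on o->ciphername. It also reads as a standalone rule, while the code comment says "additionally", meaning it applies on top of the "2.4.x or lower" bullet. Suggest wording along the lines of "2.3.x or lower: additionally, if ``--cipher`` is set, ``--data-cipher-fallback`` is automatically added with the same cipher".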
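
Review bot: in the src/openvpn/options.c hunk, the new block in options_set_backwards_compatible_options() sets o->enable_ncp_fallback = true with no log output, so an operator who sets compat-mode below 2.4.0 gets a data-channel fallback to the --cipher value with nothing at startup recording it. Consider logging that the fallback was enabled by compat-mode and which cipher it uses, so the weaker negotiation path is visible when auditing a deployment. The comment explains the --enable-small case but not the o->ciphername guard; one line stating that no fallback is configured when --cipher is unset would make that explicit.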