@@ -71,6 +71,11 @@ Deprecated features
This option mainly served a role as debug option when NCP was first
introduced. It should now no longer be necessary.
+``--cipher`` argument is no longer included in ``--data-ciphers`` by default
+ Data cipher negotiation has been introduced in 2.4.0 and been significantly
+ improved in 2.5.0. The implicit fallback to the cipher specified in
+ ``--cipher`` has been removed.
+
Compression no longer enabled by default
Unless an explicit compression option is specified in the configuration,
``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.
@@ -66,6 +66,8 @@ which mode OpenVPN is configured as.
- 2.5.x or lower: ``--allow-compression asym`` is automatically added
to the configuration if no other compression options are present.
+ - 2.4.x or lower: The cipher in ``--cipher`` is appended to
+ ``--data-ciphers``
--config file
Load additional config options from ``file`` where each line corresponds
@@ -3102,26 +3102,20 @@ options_postprocess_cipher(struct options *o)
/* We still need to set the ciphername to BF-CBC since various other
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
+
+ msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.6 "
+ "defaulted to BF-CBC as fallback when cipher negotiation "
+ "failed in this case. If you need this fallback please add "
+ "'--data-ciphers-fallback 'BF-CBC' to your configuration "
+ "and/or add BF-CBC to --data-ciphers.");
}
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
{
- msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in"
- " --data-ciphers (%s). Future OpenVPN version will "
- "ignore --cipher for cipher negotiations. "
- "Add '%s' to --data-ciphers or change --cipher '%s' to "
- "--data-ciphers-fallback '%s' to silence this warning.",
- o->ciphername, o->ncp_ciphers, o->ciphername,
- o->ciphername, o->ciphername);
- o->enable_ncp_fallback = true;
-
- /* Append the --cipher to ncp_ciphers to allow it in NCP */
- size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(o->ciphername) + 1;
- char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
-
- ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
- o->ciphername));
- o->ncp_ciphers = ncp_ciphers;
+ msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
+ "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
+ "negotiations. ",
+ o->ciphername, o->ncp_ciphers);
}
}
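Review bot: The new M_INFO text has unbalanced quoting: `"'--data-ciphers-fallback 'BF-CBC' to your configuration "` opens a quote before `--data-ciphers-fallback`, opens another before `BF-CBC` and closes only one, so the printed hint is not a literal the user can paste; change it to `"'--data-ciphers-fallback BF-CBC' to your configuration "`. The rewritten M_WARN string also ends in `"negotiations. ",` with a trailing space after the full stop, which ends up in the log line; change it to `"negotiations.",`. Since this branch no longer sets enable_ncp_fallback, it may be worth saying in the message what the practical effect is (the cipher will not be offered), but the wording is the author's call. options_postprocess_cipher begins before this hunk.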
@@ -3146,6 +3140,18 @@ need_compatibility_before(const struct options *o, int version)
static void
options_set_backwards_compatible_options(struct options *o)
{
+ /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
+ * Version 2.4 might probably does not need it but NCP was not so
+ * good with 2.4 and ncp-disable might be more common on 2.4 peers.
+ * Only do this iif --cipher is not explicitly (BF-CBC). This is not
+ * 100% correct backwards compatible behaviour but 2.5 already behaved like
+ * this */
+ if (o->ciphername && need_compatibility_before(o, 20500)
+ && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
+ {
+ append_cipher_to_ncp_list(o, o->ciphername);
+ }
+
/* Compression is deprecated and we do not want to announce support for it
* by default anymore, additionally DCO breaks with compression.
*
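Review bot: The new comment does not describe the condition it sits above: the code tests that --cipher is set (`o->ciphername` non-NULL), that the compatibility target is below 2.5.0 and that the cipher is absent from --data-ciphers; nothing checks for "not explicitly (BF-CBC)", and "might probably does not" / "iif" read as left-over drafts. Whether an unset --cipher arrives here as NULL or already as the "BF-CBC" default set in options_postprocess_cipher depends on call order outside this hunk, so if the BF-CBC exclusion is intended it needs its own check. Suggest rewording to `/* Peers < 2.5.0 need --cipher in the accepted list (2.4 had weaker NCP and ncp-disable peers). Only applies when --cipher is set and not already in --data-ciphers; matches 2.5 behaviour rather than being fully accurate. */`. Unlike the non-compat path, the append happens silently; a line such as `msg(M_INFO, "Adding --cipher '%s' to --data-ciphers for compatibility with peers < 2.5.0", o->ciphername);` would make the widened cipher set visible in the log. options_set_backwards_compatible_options continues past this hunk.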
@@ -172,6 +172,19 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
return ret;
}
+
+void
+append_cipher_to_ncp_list(struct options *o, const char *ciphername)
+{
+ /* Append the --cipher to ncp_ciphers to allow it in NCP */
+ size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(ciphername) + 1;
+ char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
+
+ ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
+ ciphername));
+ o->ncp_ciphers = ncp_ciphers;
+}
+
bool
tls_item_in_cipher_list(const char *item, const char *list)
{
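Review bot: append_cipher_to_ncp_list calls `strlen(o->ncp_ciphers)` unconditionally, so an unset list is undefined behaviour and an empty one produces `":cipher"` with a leading colon, which tls_item_in_cipher_list and the peers then have to tolerate. The hunk does not show how ncp_ciphers is initialised, so this may be unreachable today, but the helper is now a public function and a guard makes its contract self-contained. The ASSERT on openvpn_snprintf is fine as newlen is computed exactly from the two lengths.
```c
void
append_cipher_to_ncp_list(struct options *o, const char *ciphername)
{
    /* An unset or empty list would otherwise yield ":cipher" (or deref NULL) */
    if (!o->ncp_ciphers || !*o->ncp_ciphers)
    {
        o->ncp_ciphers = string_alloc(ciphername, &o->gc);
        return;
    }
    /* … unchanged: compute newlen, gc_malloc from o->gc, join with ':' … */
}
```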
@@ -102,6 +102,14 @@ tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
char *
mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
+/**
+ * Appends the cipher specified by the ciphernamer parameter to to
+ * the o->ncp_ciphers list.
+ * @param o options struct to modify. Its gc is also used
+ * @param ciphername the ciphername to add
+ */
+void append_cipher_to_ncp_list(struct options *o, const char *ciphername);
+
/**
* Return true iff item is present in the colon-separated zero-terminated
* cipher list.
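Review bot: The new doc comment has two typos, "ciphernamer" and "to to", and it should state the ownership effect that the implementation has: the joined string is allocated from o->gc and the o->ncp_ciphers pointer is replaced, not freed. Suggest `Appends the cipher specified by ciphername to the o->ncp_ciphers list. The new list is allocated from o->gc and replaces o->ncp_ciphers; the previous pointer is left untouched.` for the summary, keeping the two @param lines. Whether ciphername may be NULL or empty is not specified; if callers must guarantee it is non-empty, say so in @param ciphername.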